Official documentation for indigo-IAM
INDIGO IAM needs to be configured to work with a client, so it need to be registered and some parameters tuned. You have to
https://egi-cloud.pd.infn.it/v3/auth/OS-FEDERATION/websso/openid/redirect
.
Please keep them in a secure place, as you will need them to configure your Keystone server and further modify your client if needed. The egi-cloud credential are saved on /root/indigo_iam_cred.txt
on controller.
Follow the same procedure described in the previous section and register a client for ESACO in the INDIGO IAM. The redirect URI to be defined for the ESACO installed in Padova is https://cld-smact-02.pd.infn.it/esaco/introspect. The client parameters (issuer URL, client ID and client secret) must be added in the ESACO servers file. For the installation in cld-smact-02 the file is /etc/indigo-services/esaco-servers.yml:
oidc: clients: - issuer-url: https://iam-test.indigo-datacloud.eu/ client-id: ************************************* client-secret: *********************************************
The ESACO service must be restart, since there's not yet a systemd script for that it is necessary to restart manually the container:
docker-compose -f /etc/docker-compose/esaco/esaco-compose.yaml down docker-compose -f /etc/docker-compose/esaco/esaco-compose.yaml up -d
The authorization service must grant access to the introspection endpoint to the ESACO client.
Install mod_auth_openidc from official repository and configure it as following. Edit /etc/httpd/conf.d/wsgi-keystone.conf file
(...) <VirtualHost *:5000> (...) OIDCClaimPrefix "OIDC-" OIDCCryptoPassphrase <PASSPHRASE> OIDCRedirectURI https://egi-cloud.pd.infn.it/v3/auth/OS-FEDERATION/websso/openid/redirect OIDCMetadataDir /var/cache/httpd/mod_auth_openidc/metadata OIDCCacheShmEntrySizeMax 65536 ############################################################################################### # ESACO introspection endpoint ############################################################################################### OIDCOAuthIntrospectionEndpoint https://cld-smact-02.pd.infn.it/esaco/introspect ############################################################################################### # GUI ############################################################################################### <Location "/v3/auth/OS-FEDERATION/identity_providers/indigo-dc/protocols/openid/websso"> AuthType openid-connect OIDCDiscoverURL https://egi-cloud.pd.infn.it/v3/auth/OS-FEDERATION/websso/openid/redirect?iss=https%3A%2F%2Fiam-test.indigo-datacloud.eu%2F Require claim iss:https://iam-test.indigo-datacloud.eu/ LogLevel warn </Location> <Location ~ "/v3/auth/OS-FEDERATION/websso/openid"> AuthType openid-connect Require valid-user LogLevel warn </Location> ############################################################################################### # API ############################################################################################### <Location ~ "/v3/OS-FEDERATION/identity_providers/indigo-dc/protocols/openid/auth"> AuthType oauth20 Require claim iss:https://iam-test.indigo-datacloud.eu/ LogLevel warn </Location> (...) </VirtualHost>
where
<PASSPHRASE>: A password used for crypto purposes. Put something of your choice here.
Check and/or create the directory /var/cache/httpd/mod_auth_openidc/metadata
Create the json file /var/cache/httpd/mod_auth_openidc/metadata/iam-test.indigo-datacloud.eu.client
:
{ "client_id" : "<CLIENT ID>", "client_secret" : "<CLIENT SECRET>" }
where
<CLIENT ID>: Client ID as obtained from the IAM. <CLIENT SECRET>: Client Secret as obtained from the IAM.
Create the json file /var/cache/httpd/mod_auth_openidc/metadata/iam-test.indigo-datacloud.eu.conf
:
{ "scope" : "openid profile email eduperson_entitlement", "token_endpoint_auth" : "client_secret_basic", "response_type" : "code" }
At the end of the whole configuration, after restarting httpd, check if the IdP metadata file from https://iam-test.indigo-datacloud.eu/.well-known/openid-configuration
has been saved in the file
/var/cache/httpd/mod_auth_openidc/metadata/iam-test.indigo-datacloud.eu.provider
Edit the file /etc/keystone/keystone.conf
(...) [auth] methods = password,token,openid,mapped [openid] remote_id_attribute = HTTP_OIDC_ISS [federation] remote_id_attribute = HTTP_OIDC_ISS trusted_dashboard = https://egi-cloud.pd.infn.it/dashboard/auth/websso/ sso_callback_template = /etc/keystone/sso_callback_template.html
and ensure that /etc/keystone/sso_callback_template.html
exists.
First create a group that will hold all the INDIGO users
# openstack group create indigo_group --description "INDIGO Federated users group"
Grant user roles to the whole indigo_group into the indigo project
# openstack role add user --group indigo_group --project indigo
Create a indigo_mapping_new.json
file for the mapping
[ { "local": [ { "group": { "id": "203261e6154c492894448b6363764e86" }, "user": { "domain": { "id": "default" }, "type": "ephemeral", "name": "IAM/{1}/ID={0}", "email": "{2}" } } ], "remote": [ { "type": "OIDC-sub" }, { "type": "OIDC-name" }, { "type": "OIDC-email" }, { "type": "HTTP_OIDC_ISS", "any_one_of": [ "https://iam-test.indigo-datacloud.eu/", "https://dodas-iam.cloud.cnaf.infn.it/" ] } ] } ]
The "https://dodas-iam.cloud.cnaf.infn.it/"
row enable also the Dodas-IAM istance.
Load the mapping
# openstack mapping create indigo_mapping --rules indigo_mapping_new.json
Create the corresponding Identity Provider and protocol
# openstack identity provider create indigo-dc --remote-id https://iam-test.indigo-datacloud.eu/
# openstack federation protocol create openid --identity-provider indigo-dc --mapping indigo_mapping
If you need to change the mapping at a later stage, you can update it by
# openstack mapping set --rules indigo_mapping.json indigo_mapping
Edit the file /etc/openstack-dashboard/local_settings
(...) WEBSSO_ENABLED = True WEBSSO_INITIAL_CHOICE = "credentials" WEBSSO_CHOICES = ( ("credentials", _("Keystone Credentials")), ("mapped", _("West-Life SSO")), ("openid", _("INDIGO-DataCloud IAM")) )
The ("mapped", _("West-Life SSO"))
row enables the authentication via West-life SSO.