INFN wiki

User Tools

Site Tools

Trace: IAM Integration
progetti:cloud-areapd:egi_federated_cloud:aai_integration:iam_integration

Table of Contents

IAM Integration

Official documentation for indigo-IAM

Registration of egi-cloud

INDIGO IAM needs to be configured to work with a client, so it need to be registered and some parameters tuned. You have to

  • Go to the test IAM instance. You need to be registered by INDIGO AAI Team, so contact them in order to do so.
  • Register a new client, under Self Service Client Registration.
  • Introduce the name, we use INFN-PADOVA-STACK.
  • Introduce the allowed redirect URIs https://egi-cloud.pd.infn.it/v3/auth/OS-FEDERATION/websso/openid/redirect.
  • Once you save it, go to the main tab again and keep a copy of the following fields.
    • Client ID.
    • Client Secret.
    • Registration Endpoint.
    • Registration Access Token.

Please keep them in a secure place, as you will need them to configure your Keystone server and further modify your client if needed. The egi-cloud credential are saved on /root/indigo_iam_cred.txt on controller.

Setup for ESACO

Follow the same procedure described in the previous section and register a client for ESACO in the INDIGO IAM. The redirect URI to be defined for the ESACO installed in Padova is https://cld-smact-02.pd.infn.it/esaco/introspect. The client parameters (issuer URL, client ID and client secret) must be added in the ESACO servers file. For the installation in cld-smact-02 the file is /etc/indigo-services/esaco-servers.yml: 

oidc:
  clients:
      - issuer-url: https://iam-test.indigo-datacloud.eu/
        client-id: *************************************
        client-secret: *********************************************

The ESACO service must be restart, since there's not yet a systemd script for that it is necessary to restart manually the container: 

docker-compose -f /etc/docker-compose/esaco/esaco-compose.yaml down
docker-compose -f /etc/docker-compose/esaco/esaco-compose.yaml up -d

The authorization service must grant access to the introspection endpoint to the ESACO client.

Install and configure mod_auth_openidc

Install mod_auth_openidc from official repository and configure it as following. Edit /etc/httpd/conf.d/wsgi-keystone.conf file 

(...)
    <VirtualHost *:5000>
 
        (...)
 
        OIDCClaimPrefix                 "OIDC-"
        OIDCCryptoPassphrase            <PASSPHRASE>
        OIDCRedirectURI                 https://egi-cloud.pd.infn.it/v3/auth/OS-FEDERATION/websso/openid/redirect
        OIDCMetadataDir                 /var/cache/httpd/mod_auth_openidc/metadata
        OIDCCacheShmEntrySizeMax        65536
 
        ###############################################################################################
        # ESACO introspection endpoint
        ###############################################################################################
        OIDCOAuthIntrospectionEndpoint  https://cld-smact-02.pd.infn.it/esaco/introspect
 
        ###############################################################################################
        # GUI
        ###############################################################################################
        <Location "/v3/auth/OS-FEDERATION/identity_providers/indigo-dc/protocols/openid/websso">
            AuthType        openid-connect
            OIDCDiscoverURL https://egi-cloud.pd.infn.it/v3/auth/OS-FEDERATION/websso/openid/redirect?iss=https%3A%2F%2Fiam-test.indigo-datacloud.eu%2F
            Require         claim iss:https://iam-test.indigo-datacloud.eu/
            LogLevel        warn
        </Location>
        <Location ~ "/v3/auth/OS-FEDERATION/websso/openid">
            AuthType  openid-connect
            Require   valid-user
            LogLevel  warn
        </Location>
 
        ###############################################################################################
        # API
        ###############################################################################################
        <Location ~ "/v3/OS-FEDERATION/identity_providers/indigo-dc/protocols/openid/auth">
            AuthType  oauth20
            Require         claim iss:https://iam-test.indigo-datacloud.eu/
            LogLevel        warn
        </Location>
 
        (...)
 
    </VirtualHost>

where 

    <PASSPHRASE>: A password used for crypto purposes. Put something of your choice here.

Check and/or create the directory /var/cache/httpd/mod_auth_openidc/metadata Create the json file /var/cache/httpd/mod_auth_openidc/metadata/iam-test.indigo-datacloud.eu.client: 

{
  "client_id" : "<CLIENT ID>",
  "client_secret" : "<CLIENT SECRET>"
}

where 

    <CLIENT ID>: Client ID as obtained from the IAM.
    <CLIENT SECRET>: Client Secret as obtained from the IAM.

Create the json file /var/cache/httpd/mod_auth_openidc/metadata/iam-test.indigo-datacloud.eu.conf: 

{
  "scope" : "openid profile email eduperson_entitlement",
  "token_endpoint_auth" : "client_secret_basic",
  "response_type" : "code"
}

At the end of the whole configuration, after restarting httpd, check if the IdP metadata file from https://iam-test.indigo-datacloud.eu/.well-known/openid-configuration has been saved in the file /var/cache/httpd/mod_auth_openidc/metadata/iam-test.indigo-datacloud.eu.provider

Edit the file /etc/keystone/keystone.conf 

(...)
 
[auth]
 
methods = password,token,openid,mapped
 
[openid]
remote_id_attribute = HTTP_OIDC_ISS
 
[federation]
 
remote_id_attribute = HTTP_OIDC_ISS
trusted_dashboard = https://egi-cloud.pd.infn.it/dashboard/auth/websso/
sso_callback_template = /etc/keystone/sso_callback_template.html

and ensure that /etc/keystone/sso_callback_template.html exists.

Mapping for the indigo users

First create a group that will hold all the INDIGO users 

# openstack group create indigo_group --description "INDIGO Federated users group"

Grant user roles to the whole indigo_group into the indigo project 

# openstack role add user --group indigo_group --project indigo

Create a indigo_mapping_new.json file for the mapping 

[
  {
    "local": [
      {
        "group": {
          "id": "203261e6154c492894448b6363764e86"
        },
        "user": {
          "domain": {
            "id": "default"
          },
          "type": "ephemeral",
          "name": "IAM/{1}/ID={0}",
	  "email": "{2}"
        }
      }
    ],
    "remote": [
      {
        "type": "OIDC-sub"
      },
      {
        "type": "OIDC-name"
      },
      {
        "type": "OIDC-email"
      },
      {
        "type": "HTTP_OIDC_ISS",
        "any_one_of": [
          "https://iam-test.indigo-datacloud.eu/",
	  "https://dodas-iam.cloud.cnaf.infn.it/"
        ]
      }
    ]
  }
]

The "https://dodas-iam.cloud.cnaf.infn.it/" row enable also the Dodas-IAM istance. Load the mapping 

# openstack mapping create indigo_mapping --rules indigo_mapping_new.json

Create the corresponding Identity Provider and protocol 

# openstack identity provider create indigo-dc --remote-id https://iam-test.indigo-datacloud.eu/
# openstack federation protocol create openid --identity-provider indigo-dc --mapping indigo_mapping

If you need to change the mapping at a later stage, you can update it by 

# openstack mapping set --rules indigo_mapping.json indigo_mapping

Dashboard configuration

Edit the file /etc/openstack-dashboard/local_settings 

(...)
 
WEBSSO_ENABLED = True
WEBSSO_INITIAL_CHOICE = "credentials"
 
WEBSSO_CHOICES = (
    ("credentials", _("Keystone Credentials")),
    ("mapped", _("West-Life SSO")),
    ("openid", _("INDIGO-DataCloud IAM"))
)

The ("mapped", _("West-Life SSO")) row enables the authentication via West-life SSO.

progetti/cloud-areapd/egi_federated_cloud/aai_integration/iam_integration.txt · Last modified: 2019/11/29 10:29 by andreett@infn.it
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki