West-Life SSO Integration
Shibboleth installation
Install the required modules
```sh
wget -O /etc/yum.repos.d/shibboleth.repo http://download.opensuse.org/repositories/security://shibboleth/CentOS_7/security:shibboleth.repo
yum -y install shibboleth
```

The repository definition is downloaded over plain HTTP, so inspect it before installing: it must set gpgcheck=1 and point gpgkey at the repository signing key, otherwise yum would accept unsigned packages for the component that terminates your SAML sessions.
Deploy the service certificate file in /etc/shibboleth/sp-cert.pem and the related service key file in /etc/shibboleth/sp-key.pem. Change the ownership and permissions for those files:
```sh
chmod 400 /etc/shibboleth/sp-key.pem
chmod 600 /etc/shibboleth/sp-cert.pem
chown shibd.shibd /etc/shibboleth/sp-key.pem
chown shibd.shibd /etc/shibboleth/sp-cert.pem
```
The file /etc/shibboleth/shibboleth2.xml must contain the following definitions:
- shibboleth2.xml
```xml
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
          xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
          clockSkew="180">

  <ApplicationDefaults entityID="https://egi-cloud.pd.infn.it/dashboard"
                       REMOTE_USER="eppn persistent-id targeted-id">

    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="true" cookieProps="https">
      <SSO entityID="https://auth.west-life.eu/proxy/saml2/idp/metadata.php">
        SAML2 SAML1
      </SSO>
      <Logout>SAML2 Local</Logout>
      <Handler type="MetadataGenerator" Location="/Metadata"
               template="egi-cloud-metadata.xml" signing="false"/>
      <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
      <Handler type="Session" Location="/Session" showAttributeValues="false"/>
      <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
    </Sessions>

    <Errors supportContact="root@localhost" helpLocation="/about.html"
            styleSheet="/shibboleth-sp/main.css"/>

    <MetadataProvider type="XML"
                      uri="https://auth.west-life.eu/proxy/saml2/idp/metadata.php"
                      backingFilePath="/var/cache/shibboleth/wlife-metadata.xml"
                      reloadInterval="7200"/>

    <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>
    <AttributeResolver type="Query" subjectMatch="true"/>
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
  </ApplicationDefaults>

  <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
  <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>
```

Two points worth noting in this configuration. The IdP metadata is fetched over HTTPS with no Signature MetadataFilter, so the SP trusts whatever auth.west-life.eu serves and the integrity of the IdP's signing certificate rests entirely on TLS. handlerSSL="true" and cookieProps="https" keep the handlers and the session cookie off plain HTTP, and the Status handler is reachable only from localhost.
Create the metadata cache directory
mkdir -p /var/cache/shibboleth chown shibd.shibd /var/cache/shibboleth
Write the Service Metadata file in /etc/shibboleth/egi-cloud-metadata.xml with the following content. This is the template named by the MetadataGenerator handler above: when the metadata is requested, shibd merges it with the endpoints and the signing/encryption certificate it derives from shibboleth2.xml, so the file only has to carry the descriptive parts.
- egi-cloud-metadata.xml
```xml
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://egi-cloud.pd.infn.it/dashboard">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
    <md:Extensions>
      <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
        <mdui:DisplayName xml:lang="en">EGI Fed-Cloud INFN-PD</mdui:DisplayName>
        <mdui:Description xml:lang="en">The EGI Federated Cloud infrastructure operated by INFN in Padova</mdui:Description>
        <mdui:InformationURL xml:lang="en">https://goc.egi.eu/portal/index.php?Page_Type=Site&amp;id=1024</mdui:InformationURL>
      </mdui:UIInfo>
    </md:Extensions>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">https://egi-cloud.pd.infn.it/dashboard</md:ServiceName>
      <md:RequestedAttribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" isRequired="true"/>
      <md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" isRequired="true"/>
      <md:RequestedAttribute FriendlyName="name" Name="urn:oid:2.16.840.1.113730.3.1.241"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" isRequired="false"/>
      <md:RequestedAttribute FriendlyName="entitlement" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
                             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" isRequired="false"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">INFN</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">EGI Fed-Cloud INFN-PD</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">https://goc.egi.eu/portal/index.php?Page_Type=Site&amp;id=1024</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:EmailAddress>cloud-support@lists.pd.infn.it</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
```

Note that the ampersand in the two GOCDB URLs must be written as &amp;; a raw & makes the template ill-formed XML and the MetadataGenerator will fail to parse it.
Keystone service’s configuration
In the file /etc/httpd/conf.d/wsgi-keystone.conf declare the following definitions:
```apache
<VirtualHost _default_:5000>
  <Location ~ "/v3/auth/OS-FEDERATION/websso/mapped">
    AuthType shibboleth
    Require shib-session
    ShibRequestSetting requireSession 1
    ShibExportAssertion Off
  </Location>
  <Location ~ /v3/OS-FEDERATION/identity_providers/wlifeaai/protocols/mapped/auth>
    AuthType shibboleth
    Require shib-session
    ShibRequestSetting requireSession 1
    ShibExportAssertion Off
  </Location>
</VirtualHost>
```
Configure the OS-Federation environment:
```sh
openstack group create wlife_group
openstack role add --group wlife_group --project wenmr _member_
openstack identity provider create --remote-id https://auth.west-life.eu/proxy/saml2/idp/metadata.php wlifeaai
openstack mapping create --rules /tmp/wlife_mapping.json wlife_mapping
openstack federation protocol create mapped --mapping wlife_mapping --identity-provider wlifeaai
```

The value of --remote-id must be exactly the IdP entityID used in the SSO element of shibboleth2.xml: Shibboleth exports that entityID in the Shib-Identity-Provider variable, and Keystone accepts a federated login only when it matches one of the registered remote IDs.
The rule file, /tmp/wlife_mapping.json, maps every user for whom the IdP releases an eppn to an ephemeral local user named after that eppn and places it in wlife_group, which through the role assignment above makes it a _member_ of the wenmr project:
```json
[
  {
    "local": [
      {
        "user": { "name": "{0}" },
        "group": {
          "domain": { "name": "Default" },
          "name": "wlife_group"
        }
      }
    ],
    "remote": [
      { "type": "eppn" }
    ]
  }
]
```
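To see what the rule above actually does with an incoming session, here is a minimal evaluator for mapping rules of this shape. It is an added illustration written for this page, not Keystone's own mapping engine: it supports only `{"type": ...}` conditions, optionally restricted with `any_one_of`, and `{n}` substitution into the local section. The page's rule is reproduced verbatim; the stricter second rule set and its entitlement URN are hypothetical, showing how the same local section can be limited to users carrying a given entitlement. The case a practitioner cares about is the negative one: a session whose IdP did not release eppn matches no rule, so no local user is derived and Keystone refuses the login instead of creating a user with an empty name.

```python
# Added example for this page: a minimal evaluator for Keystone federation
# mapping rules of the shape used above.  Not Keystone's own engine; it handles
# only {"type": X} conditions, optional "any_one_of", and "{n}" substitution.
import json

# The rules from /tmp/wlife_mapping.json, exactly as shown on this page.
WLIFE_MAPPING = json.loads("""
[
  {
    "local": [
      {"user": {"name": "{0}"},
       "group": {"domain": {"name": "Default"}, "name": "wlife_group"}}
    ],
    "remote": [
      {"type": "eppn"}
    ]
  }
]
""")

# Hypothetical stricter variant (not from the page): same local section, but
# only for users whose entitlement attribute carries a specific value.  The URN
# is invented for the illustration.
ENTITLEMENT_MAPPING = [
    {
        "local": WLIFE_MAPPING[0]["local"],
        "remote": [
            {"type": "eppn"},
            {"type": "entitlement",
             "any_one_of": ["urn:mace:example.org:group:wenmr:role=member"]},
        ],
    }
]


def _condition_holds(cond, values):
    """Evaluate one remote condition against the attribute's list of values."""
    if "any_one_of" in cond:
        return any(v in cond["any_one_of"] for v in values)
    return values != []          # plain {"type": X}: the attribute must be present


def _substitute(obj, direct):
    """Replace {0}, {1}, ... in every string of the local section."""
    if isinstance(obj, dict):
        return {k: _substitute(v, direct) for k, v in obj.items()}
    if isinstance(obj, str):
        return obj.format(*direct)
    return obj


def apply_mapping(rules, environ):
    """environ holds the attributes shibd exported to the WSGI environment,
    e.g. {"eppn": "alice@example.org"}; multi-valued attributes arrive as one
    ';'-separated string.  Returns the merged local section of all matching
    rules, or None when no rule matches (Keystone then refuses the login)."""
    local, matched = {}, False
    for rule in rules:
        direct, ok = [], True
        for cond in rule["remote"]:
            raw = environ.get(cond["type"])
            values = raw.split(";") if raw else []
            if not _condition_holds(cond, values):
                ok = False
                break
            # Only plain {"type": X} conditions feed the positional {n} slots.
            if "any_one_of" not in cond:
                direct.append(raw)
        if not ok:
            continue
        matched = True
        for item in rule["local"]:
            local.update(_substitute(item, direct))
    return local if matched else None


if __name__ == "__main__":
    # Constructed sessions: one with eppn released, one without.
    print(apply_mapping(WLIFE_MAPPING, {"eppn": "alice@example.org"}))
    print(apply_mapping(WLIFE_MAPPING, {"mail": "alice@example.org"}))
```

The user name is taken verbatim from whatever eppn the West-Life proxy asserts, so the effective access-control decision for the wenmr project is delegated to that proxy; the entitlement variant shows where a local restriction would go if that delegation is too broad.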
In the Keystone configuration file, /etc/keystone/keystone.conf, declare the following definitions:
```ini
[auth]
methods = external,password,token,oauth1,oidc,mapped
oidc = keystone.auth.plugins.mapped.Mapped

[oidc]
remote_id_attribute = HTTP_OIDC_ISS

[mapped]
remote_id_attribute = Shib-Identity-Provider
```
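Three identifiers on this page have to agree or federated logins fail in ways that are hard to see from the Horizon side: the entityID in shibboleth2.xml and in the metadata template, and the SSO entityID against Keystone's --remote-id, which Keystone compares through the Shib-Identity-Provider variable named in the [mapped] section above. The following check is an added illustration, not part of Shibboleth or Keystone; it parses constructed, trimmed copies of the two XML files and reports mismatches, including a template left with an unescaped & which the MetadataGenerator cannot parse.

```python
# Added example for this page (not part of Shibboleth or Keystone): cross-check
# the identifiers that must agree between shibboleth2.xml, the metadata
# template and the Keystone identity-provider registration.  The XML below is
# a constructed, trimmed copy of the files shown on this page.
import xml.etree.ElementTree as ET

SP_NS = "urn:mace:shibboleth:2.0:native:sp:config"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

SHIBBOLETH2_XML = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://egi-cloud.pd.infn.it/dashboard">
    <Sessions>
      <SSO entityID="https://auth.west-life.eu/proxy/saml2/idp/metadata.php">SAML2 SAML1</SSO>
    </Sessions>
    <MetadataProvider type="XML" uri="https://auth.west-life.eu/proxy/saml2/idp/metadata.php"/>
  </ApplicationDefaults>
</SPConfig>"""

# Constructed template with the ampersand in the URL correctly escaped.
TEMPLATE_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://egi-cloud.pd.infn.it/dashboard">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <mdui:UIInfo xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
        <mdui:InformationURL xml:lang="en">https://goc.egi.eu/portal/index.php?Page_Type=Site&amp;id=1024</mdui:InformationURL>
      </mdui:UIInfo>
    </md:Extensions>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# The same template with a raw "&", as it would be if copied without escaping.
BROKEN_TEMPLATE_XML = TEMPLATE_XML.replace("&amp;", "&")

# The --remote-id passed to "openstack identity provider create" above.
IDP_REMOTE_ID = "https://auth.west-life.eu/proxy/saml2/idp/metadata.php"


def check_sp_config(shib_xml, template_xml, keystone_remote_id):
    """Return a list of findings; an empty list means the identifiers agree."""
    findings = []
    try:
        sp = ET.fromstring(shib_xml)
    except ET.ParseError as err:
        return ["shibboleth2.xml is not well-formed XML: %s" % err]
    try:
        md = ET.fromstring(template_xml)
    except ET.ParseError as err:
        return ["metadata template is not well-formed XML: %s" % err]

    app = sp.find("{%s}ApplicationDefaults" % SP_NS)
    sso = app.find("{%s}Sessions/{%s}SSO" % (SP_NS, SP_NS))
    sp_entity_id = app.get("entityID")
    idp_entity_id = sso.get("entityID")

    # The template is what the IdP registers; it must carry the same entityID
    # the SP puts into its AuthnRequests, or the IdP answers for a stranger.
    if md.tag != "{%s}EntityDescriptor" % MD_NS:
        findings.append("template root is %s, expected md:EntityDescriptor" % md.tag)
    if md.get("entityID") != sp_entity_id:
        findings.append("template entityID %r != ApplicationDefaults entityID %r"
                        % (md.get("entityID"), sp_entity_id))

    # shibd exports the IdP entityID as Shib-Identity-Provider; Keystone only
    # accepts the session if that value equals a registered --remote-id.
    if keystone_remote_id != idp_entity_id:
        findings.append("Keystone --remote-id %r != SSO entityID %r"
                        % (keystone_remote_id, idp_entity_id))
    return findings


if __name__ == "__main__":
    for finding in check_sp_config(SHIBBOLETH2_XML, BROKEN_TEMPLATE_XML, IDP_REMOTE_ID):
        print(finding)
```

Run it against the real files by reading them from /etc/shibboleth and passing the remote ID shown by `openstack identity provider show wlifeaai`; an empty result means the SP, its published metadata and Keystone all name the same parties.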
Horizon configuration
In the Horizon configuration file, /etc/openstack-dashboard/local_settings, define:
```python
WEBSSO_ENABLED = True
WEBSSO_INITIAL_CHOICE = "credentials"
WEBSSO_CHOICES = (
    ("credentials", _("Keystone Credentials")),
    ("mapped", _("West-Life SSO")),
    ("oidc", _("INDIGO-DataCloud IAM")),
)
```
Restart all services:
```sh
systemctl enable shibd && systemctl start shibd
systemctl restart httpd
```
Register the site to the IdP
The SP metadata is produced by the MetadataGenerator handler configured above and can be retrieved from https://egi-cloud.pd.infn.it/Shibboleth.sso/Metadata once shibd and httpd are running. Send it to the West-Life Identity Provider, as described in the West-Life SSO guide; until the IdP has registered it, the SP's AuthnRequests will be rejected.