progetti:cloud-areapd:egi_federated_cloud:aai_integration:west-life_sso_integration [2018/04/24 10:04] andreett@infn.it |
progetti:cloud-areapd:egi_federated_cloud:aai_integration:west-life_sso_integration [2018/04/24 13:18] (current) andreett@infn.it |
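--- a/progetti:cloud-areapd:egi_federated_cloud:aai_integration:west-life_sso_integration
+++ b/progetti:cloud-areapd:egi_federated_cloud:aai_integration:west-life_sso_integration
+
+====== West-Life SSO Integration ======
+
+==== Shibboleth installation ====
+
+Install the required modules
+<code bash>
+wget -O /
+yum -y install shibboleth
+</
+
+Deploy the service certificate file in ///
+Change the ownership and permissions for those files:
+<code bash>
+chmod 400 /
+chmod 600 /
+chown shibd.shibd /
+chown shibd.shibd /
+</
+
+The file ///
+
+<code xml shibboleth2.xml>
+<
+xmlns:
+xmlns:
+xmlns:
+xmlns:
+clockSkew="
+
+<
+
+
+<
+checkAddress="
+
+<SSO entityID="
+SAML2 SAML1
+</
+
+<
+
+<Handler type="
+
+
+
+
+<Handler type="
+
+<Handler type="
+
+<Handler type="
+</
+
+<Errors supportContact="
+helpLocation="/
+styleSheet="/
+
+<
+uri="
+backingFilePath="/
+reloadInterval="
+
+<
+
+<
+
+<
+
+<
+</
+
+<
+
+<
+
+</
+</
+
+Create the metadata cache directory
+<code bash>
+mkdir -p /
+chown shibd.shibd /
+</
+
+Write the Service Metadata file in /
+<code xml egi-cloud-metadata.xml>
+<
+
+
+<
+
+<
+<
+<
+<
+<
+</
+</
+
+
+<
+<
+<
+
+
+
+<
+
+
+
+<
+
+
+
+<
+
+
+
+</
+
+</
+
+<
+<
+<
+<
+</
+
+<
+<
+</
+
+</
+</
+
+
+==== Keystone service’s configuration ====
+
+In the file /
+
+<
+<
+
+
+
+<
+AuthType shibboleth
+Require shib-session
+ShibRequestSetting requireSession 1
+ShibExportAssertion Off
+</
+
+<
+AuthType shibboleth
+Require shib-session
+ShibRequestSetting requireSession 1
+ShibExportAssertion Off
+</
+
+
+
+</
+
+</
+
+Configure the OS-Federation environment:
+<code bash>
+openstack group create wlife_group
+openstack role add --group wlife_group --project wenmr _member_
+openstack identity provider create --remote-id https://
+openstack mapping create --rules /
+openstack federation protocol create mapped --mapping wlife_mapping --identity-provider wlifeaai
+</
+
+the rule file, /
+<
+[
+{
+"
+{
+"
+"
+"
+"
+}
+}
+],
+"
+{
+"
+}
+]
+}
+]
+</
+
+In the Keystone configuration file, /
+<
+[auth]
+methods = external,
+oidc = keystone.auth.plugins.mapped.Mapped
+
+[oidc]
+remote_id_attribute = HTTP_OIDC_ISS
+
+[mapped]
+remote_id_attribute = Shib-Identity-Provider
+</
+
+==== Horizon configuration ====
+
+In the Horizon configuration file, /
+<
+WEBSSO_ENABLED = True
+WEBSSO_INITIAL_CHOICE = "
+
+WEBSSO_CHOICES = (
+("
+("
+("
+)
+</
+
+Restart all services:
+<code bash>
+systemctl enable shibd && systemctl start shibd
+systemctl restart httpd
+</
+
+==== Register the site to the IdP ====
+
+Send the [[https://
+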