OpenStack Keystone Authentication using Active Directory Federation Service (ADFS)

In earlier OpenStack Keystone configuration blogs we discussed how to setup Keystone authentication using LDAP and using Active Directory. As an extension of this OpenStack Keystone tutorial series on directory services, this tutorial will give an overview of configuring Keystone SSO with Active Directory Federation Services (ADFS).

Microsoft Active Directory manages user identities to secure access to devices registered on a Windows domain. It can also provide Single Sign-On (SSO) access to internal corporate applications. ADFS extends this ability to authenticate users on third-party systems that are external to the corporate network. SaaS and other web-based applications typically require their own user accounts, and ADFS ties those usernames and passwords to existing corporate identities based on Windows credentials.

ADFS and Keystone Configuration

Installing ADFS itself is beyond the scope of this blog, but detailed instructions are available on Microsoft Technet  Prerequisites for ADFS , ADFS installation procedure  Once you have ADFS installed, you can follow the steps below to enable SSO.

Configuring ADFS as an Identity Provider (IdP)

  1. Ensure the ADFS Server trusts the service provider’s (SP) keystone certificate.
  2. In the ADFS Management Console, choose Add Relying Party Trust.
  3. Select Import data about the relying party and enter the URL for the SP Metadata e.g. https://:5000/Shibboleth.sso/Metadata)
  4. Continuing the wizard, select Permit all users to access this relying party.
  5. In the Add Transform Claim Rule Wizard, select Pass Through or Filter an Incoming Claim.
  6. Name the rule and select the UPN Incoming claim type.
  7. Click OK to apply the rule and finalize the setup.

Configure Keystone Service to Use ADFS as an Identity Provider

Follow the steps in the Keystone Federation setup blog to configure the Service Provider Keystone. As a reminder, Keystone has to be run under Apache and the Shibboleth plugin installed to configure SAML.

In the Shibboleth configuration file at /etc/shibboleth/shibboleth2.xml, set the entityId to point to ADFS and target URL to point to the main portal on Horizon’s dashboard. This will redirect the browser to the login page after ADFS has authenticated a user.

[code lang=”XML”]

Keystone Authentication using AD
Keystone Authentication using LDAP
Keystone Single Sign-on Setup
Keystone Federation Setup


You may also enjoy

Kubernetes FinOps: Right-sizing Kubernetes workloads

By Joe Thompson

VMware vs OpenStack: Why OpenStack is the better VMware alternative in 2024

By Kamesh Pemmaraju

The browser you are using is outdated. For the best experience please download or update your browser to one of the following:

State of Kubernetes FinOps Survey – Win 13 prizes including a MacBook Air.Start Now