In earlier OpenStack Keystone configuration blogs we discussed how to setup Keystone authentication using LDAP and using Active Directory. As an extension of this OpenStack Keystone tutorial series on directory services, this tutorial will give an overview of configuring Keystone SSO with Active Directory Federation Services (ADFS).

Microsoft Active Directory manages user identities to secure access to devices registered on a Windows domain. It can also provide Single Sign-On (SSO) access to internal corporate applications. ADFS extends this ability to authenticate users on third-party systems that are external to the corporate network. SaaS and other web-based applications typically require their own user accounts, and ADFS ties those usernames and passwords to existing corporate identities based on Windows credentials.

ADFS and Keystone Configuration

Installing ADFS itself is beyond the scope of this blog, but detailed instructions are available on Microsoft Technet  Prerequisites for ADFS , ADFS installation procedure  Once you have ADFS installed, you can follow the steps below to enable SSO.

Configuring ADFS as an Identity Provider (IdP)

1. Ensure the ADFS Server trusts the service provider’s (SP) keystone certificate.
2. In the ADFS Management Console, choose Add Relying Party Trust.
3. Select Import data about the relying party and enter the URL for the SP Metadata e.g. https://:5000/Shibboleth.sso/Metadata)
4. Continuing the wizard, select Permit all users to access this relying party.
5. In the Add Transform Claim Rule Wizard, select Pass Through or Filter an Incoming Claim.
6. Name the rule and select the UPN Incoming claim type.
7. Click OK to apply the rule and finalize the setup.

Configure Keystone Service to Use ADFS as an Identity Provider

Follow the steps in the Keystone Federation setup blog to configure the Service Provider Keystone. As a reminder, Keystone has to be run under Apache and the Shibboleth plugin installed to configure SAML.

In the Shibboleth configuration file at /etc/shibboleth/shibboleth2.xml, set the entityId to point to ADFS and target URL to point to the main portal on Horizon’s dashboard. This will redirect the browser to the login page after ADFS has authenticated a user.

    
        
      

              SAML2 SAML1

      

With this setup, when the user visits the Horizon login page, she can enter the AD credentials and will be logged in to the OpenStack dashboard.

Check out some of the blogs below on other possible configurations for Keystone.
Keystone Authentication using AD
Keystone Authentication using LDAP
Keystone Single Sign-on Setup
Keystone Federation Setup

• Author
• Recent Posts

Platform9

Platform9 is the only container management and orchestration solution that supports the complete lifecycle of the cloud-native journey on infrastructure anywhere. Our unique management plane simplifies operations, including observability & monitoring, increases uptime, minimizes costs, and scales as you scale. Built on open foundations, our platform enables enterprises to keep up with the ever-changing cloud-native ecosystem. Our cloud-native wizards provide Always-on Assurance™ every step of the way to ensure a smooth, simplified journey. Innovative enterprises like Juniper, Kingfisher Plc, Mavenir, Redfin, and Cloudera achieve 4x faster time-to-market, up to 90% reduction in operational costs, and 99.99% uptime.Platform9 is a better way to go cloud native, paving the way for an open distributed cloud

Latest posts by Platform9 (see all)

• Beyond Kubernetes Operations: Discover Platform9’s Always-On Assurance™ - November 29, 2023
• Platform9 Introduces Elastic Machine Pool (EMP) at KubeCon 2023 to Optimize Costs on AWS EKS - November 15, 2023
• KubeCon 2023 Through Platform9’s Lens: Key Takeaways and Innovative Demos - November 14, 2023