In earlier OpenStack Keystone configuration blogs we discussed how to set up Keystone authentication using LDAP and using Active Directory. As an extension of this OpenStack Keystone tutorial series on directory services, this tutorial gives an overview of configuring Keystone SSO with Active Directory Federation Services (ADFS).
Microsoft Active Directory manages user identities to secure access to devices joined to a Windows domain, and it can also provide Single Sign-On (SSO) to internal corporate applications. ADFS extends this to third-party systems outside the corporate network: SaaS and other web-based applications that would otherwise need their own user accounts and passwords can instead accept a signed claims token (SAML or WS-Federation) that ADFS issues after authenticating the user with their existing Windows credentials.
ADFS and Keystone Configuration
Installing ADFS itself is beyond the scope of this blog, but detailed instructions are available on Microsoft TechNet (Prerequisites for ADFS; ADFS installation procedure). Once you have ADFS installed, follow the steps below to enable SSO.
Configuring ADFS as an Identity Provider (IdP)
- Ensure the ADFS server trusts the Keystone service provider's (SP) certificate, including the TLS certificate of the host that serves the SP metadata; otherwise the metadata import in the next steps fails.
- In the ADFS Management Console, choose Add Relying Party Trust.
- Select Import data about the relying party and enter the URL of the SP metadata (e.g. https://:5000/Shibboleth.sso/Metadata).
- Continuing the wizard, select Permit all users to access this relying party. Note that this issuance authorization rule lets every AD account authenticate to Keystone; in production, restrict it to a specific AD group instead.
- In the Add Transform Claim Rule Wizard, select Pass Through or Filter an Incoming Claim.
- Name the rule and select UPN as the incoming claim type.
- Click OK to apply the rule and finalize the setup.
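The same relying party trust can be created from PowerShell on the ADFS server. The script below is an added example, not part of the original post or of any Keystone or ADFS project code; it mirrors the wizard steps above and additionally shows the group-restricted authorization rule in place of "Permit all users". The SP metadata URL, trust display name, domain and AD group name are assumptions.

```powershell
# Added example (not from the original post): register Keystone's Shibboleth SP
# as an ADFS relying party trust. Run in an elevated PowerShell on the ADFS server.
Import-Module ADFS

$spMetadataUrl = "https://keystone.example.com:5000/Shibboleth.sso/Metadata"  # assumed SP host
$trustName     = "OpenStack Keystone"                                         # assumed display name
$domain        = "CORP"                                                        # assumed NetBIOS domain
$allowedGroup  = "OpenStack-Users"                                             # assumed AD group

# Transform rule: pass the UPN claim through unchanged. This is what the
# "Pass Through or Filter an Incoming Claim" wizard page generates for UPN.
$transformRules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);
'@

# Authorization rule matching the wizard's "Permit all users" choice.
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Tighter alternative: permit only members of one AD group. The AD claims
# provider passes group SIDs through by default, so match on the group's SID
# rather than on its (not issued by default) unqualified name.
$groupSid = (New-Object System.Security.Principal.NTAccount($domain, $allowedGroup)).
    Translate([System.Security.Principal.SecurityIdentifier]).Value
$permitGroup = @"
@RuleTemplate = "Authorization"
@RuleName = "Permit members of $allowedGroup"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Importing the SP metadata pulls in the entityID, assertion consumer endpoints and
# the SP signing/encryption certificate, so ADFS ends up trusting Keystone's cert.
# Monitoring/auto-update keeps the trust in sync when the SP rotates its certificate.
Add-AdfsRelyingPartyTrust -Name $trustName `
    -MetadataUrl $spMetadataUrl `
    -MonitoringEnabled $true -AutoUpdateEnabled $true `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $permitGroup   # use $permitAll to match the wizard exactly

# Check what was registered: the Identifier should equal the SP's entityID.
Get-AdfsRelyingPartyTrust -Name $trustName |
    Select-Object Name, Identifier, IssuanceAuthorizationRules, IssuanceTransformRules
```

If the metadata import fails, the usual cause is the first bullet above: the ADFS host does not trust the TLS certificate presented by the Keystone SP at the metadata URL. Fix the trust on the ADFS side rather than switching the metadata URL to plain HTTP, because the metadata carries the certificate ADFS will use to verify the SP.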
Configure Keystone Service to Use ADFS as an Identity Provider
Follow the steps in the Keystone Federation setup blog to configure Keystone as the Service Provider. As a reminder, Keystone has to run under Apache with the Shibboleth module installed in order to handle SAML.
In the Shibboleth configuration file at /etc/shibboleth/shibboleth2.xml, set the entityID on the SSO element to the ADFS federation service identifier (the IdP entityID) and the target to the main portal on Horizon's dashboard. The entityID on ApplicationDefaults is Keystone's own SP entityID and must match the identifier ADFS imported from the SP metadata. After ADFS has authenticated a user, Shibboleth redirects the browser to the target URL.
<SPConfig>
  <!-- entityID here is the SP (Keystone) identifier ADFS knows the relying party by -->
  <ApplicationDefaults entityID="https://<<FQDN>>/keystone">
    <!-- handlerSSL="false" allows the Shibboleth handlers over plain HTTP; set it to "true"
         in production so that SAML responses and session cookies (cookieProps="https")
         are only ever exchanged over TLS -->
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="false" cookieProps="https">
      <!-- entityID here is the ADFS (IdP) federation service identifier;
           target is where the browser is sent once a session is established -->
      <SSO entityID="<<SSO_ENTITY_ID>>" target="https://<<FQDN>>/clarity/#/signin/sso">
        SAML2 SAML1
      </SSO>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>
With this setup, when the user visits the Horizon login page and chooses the SSO option, the browser is redirected to ADFS, where she enters her AD credentials; ADFS returns a SAML assertion carrying her UPN to Shibboleth, which establishes the session and sends her back to the OpenStack dashboard, logged in.
Check out some of the blogs below on other possible configurations for Keystone.
Keystone Authentication using AD
Keystone Authentication using LDAP
Keystone Single Sign-on Setup
Keystone Federation Setup