
AAI guide for OpenStack

From EGIWiki
Revision as of 23:05, 22 May 2017 by Enolfc


WIP!

Overview

This wiki page contains information about enabling federated access to OpenStack cloud providers through the EGI AAI CheckIn service. While the AAI guide for Service Providers contains the general instructions that apply to any service registered with CheckIn, this guide details the specifics of enabling OpenID Connect support with CheckIn as the OpenID Provider (OP).

The integration of new service providers into the EGI CheckIn is a two-step process:

  • Step 1. Register your Service Provider and test integration with the development instance of EGI CheckIn. The development instance allows for testing authentication and authorisation without affecting the production CheckIn service. Note that the development instance is not connected to the production service and no information is shared between the two systems. However, the development instance has identical functionality, with the exception that the list of supported Identity Providers is limited. Therefore, we recommend using the EGI SSO or any of the social identity providers to test the login workflow when using the development instance.
  • Step 2. Register your Service Provider with the production instance of EGI CheckIn to allow members of the EGI User Community to access your service. This requires that your service meets all the eligibility criteria and that integration has been thoroughly tested during Step 1.

Registration into CheckIn development instance

Client registration

Before your service can use the EGI CheckIn OIDC Provider for user login, you must set up a client at https://aai-dev.egi.eu/oidc/manage/#admin/clients in order to obtain OAuth 2.0 credentials and register one or more redirect URIs.

Make sure that you fill in the following options:

  • Main tab:
    • Set redirect URL to https://<your keystone endpoint>/v3/auth/OS-FEDERATION/websso/oidc/redirect. Recent versions of OpenStack deploy Keystone at /identity/, be sure to include that in the <your keystone endpoint> part of the URL if needed.
  • Access tab:
    • Enable authorization code in the grant type
    • Enable "Allow calls to the Introspection Endpoint?" (token introspection; required for the OAuth 2.0 command-line access configured in the Apache section below)

Once done, you will get a client id and client secret. Save them for the following steps; the client secret is a credential and should only live in the Apache configuration, not in a shared document or repository.

Keystone setup

Pre-requisites

  1. Keystone must run as a WSGI application behind an HTTP server (Apache is used in this documentation, but any server with OpenID Connect/OAuth 2.0 support should work). The Keystone project has deprecated eventlet, so you should already be running Keystone this way.
  2. Run Keystone over HTTPS (TLS). The client secret, the authorization code and the user's tokens all travel through this endpoint.
  3. Install mod_auth_openidc to add OpenID Connect support to Apache.


Apache Configuration

Include this configuration on the Apache config for the virtual host of your Keystone service, using the client id and secret obtained above:

# Authorization code flow; claims reach Keystone as "OIDC-<claim>" variables,
# multi-valued claims joined with ";" (the separator Keystone's mapping engine splits on)
OIDCResponseType "code"
OIDCClaimPrefix "OIDC-"
OIDCClaimDelimiter ;
OIDCScope "openid"
OIDCProviderMetadataURL https://aai-dev.egi.eu/oidc/.well-known/openid-configuration
OIDCClientID <client id>
OIDCClientSecret <client secret>
# Strong random secret; mod_auth_openidc uses it to encrypt the session cookie and state
OIDCCryptoPassphrase <some crypto pass phrase>
# Must be identical to the redirect URI registered for the client
OIDCRedirectURI https://<your keystone endpoint>/v3/auth/OS-FEDERATION/websso/oidc/redirect

# OAuth 2.0 bearer tokens for CLI access, validated through the introspection endpoint
OIDCOAuthIntrospectionEndpoint  https://aai-dev.egi.eu/oidc/introspect
OIDCOAuthClientID <client id>
OIDCOAuthClientSecret <client secret>

# Browser (web SSO) login: OpenID Connect
<Location ~ "/v3/auth/OS-FEDERATION/websso/oidc">
        AuthType  openid-connect
        Require   valid-user
</Location>

# CLI login: an OAuth 2.0 access token presented as a bearer token
<Location ~ "/v3/OS-FEDERATION/identity_providers/egi.eu/protocols/oidc/auth">
        AuthType  oauth20
        Require   valid-user
</Location>

Be sure to enable the mod_auth_openidc module in Apache; on Ubuntu:

sudo a2enmod auth_openidc

Keystone Configuration

Configure your keystone.conf so that the [auth] section lists oidc among the authentication methods and uses the keystone.auth.plugins.mapped.Mapped class as its implementation:

[auth]

# This may change in your installation, add oidc to the list of the methods you support
methods = password, token, oidc

# OIDC is basically mapped auth method
oidc = keystone.auth.plugins.mapped.Mapped

Add a [oidc] section as follows:

[oidc]
# attribute in the Keystone (WSGI) environment that carries the issuer; Keystone
# matches it against the remote_ids of the identity provider created below
remote_id_attribute = HTTP_OIDC_ISS

Now restart Apache (and Keystone, if it runs under uwsgi) before configuring the Keystone federation support.

Keystone Federation Support

First, create a new egi.eu identity provider whose remote id is the issuer URL https://aai-dev.egi.eu/oidc/ (the value Keystone compares with the remote_id_attribute configured above):

$ openstack identity provider create --remote-id https://aai-dev.egi.eu/oidc/ egi.eu
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | None                             |
| domain_id   | 1cac7817dafb4740a249cc9ca6b14ea5 |
| enabled     | True                             |
| id          | egi.eu                           |
| remote_ids  | https://aai-dev.egi.eu/oidc/     |
+-------------+----------------------------------+

Create a group for users coming from EGI CheckIn; you should have one group per VO you want to support.

$ openstack group create ops
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | default                          |
| id          | 89cf5b6708354094942d9d16f0f29f8f |
| name        | ops                              |
+-------------+----------------------------------+

Define a mapping of users from EGI CheckIn to the group just created and restrict, through the OIDC-edu_person_entitlements attribute, which VOs are accepted for that group. The HTTP_OIDC_ISS rule limits the mapping to assertions from the EGI CheckIn issuer. Substitute the group id and the allowed entitlements with the values for your deployment:

$ cat mapping.egi.json
[
    {
        "local": [
            {
                "user": {
                    "name": "{0}"
                },
                "group": {
                    "id": "89cf5b6708354094942d9d16f0f29f8f"
                }
            }
        ],
        "remote": [
            {
                "type": "HTTP_OIDC_SUB"
            },
            {
                "type": "HTTP_OIDC_ISS",
                "any_one_of": [
                    "https://aai-dev.egi.eu/oidc/"
                ]
            },
            {
                "type": "OIDC-edu_person_entitlements",
                "any_one_of": [
                    "urn:mace:egi.eu:www.egi.eu:fc-federated-aai:member@egi.eu"
                ]
            }
        ]
    }
]
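Before loading the mapping, it is worth checking offline what it will and will not accept. The following is an added example, not part of the original wiki page and not Keystone's or mod_auth_openidc's own code: it models how the Apache configuration above turns ID-token claims into the HTTP_OIDC_* / OIDC-* attributes Keystone sees, and re-implements only the subset of Keystone's mapping semantics the mapping uses (positional "{0}" substitution and the "any_one_of" / "not_any_of" filters). The claim sets, the user identifiers and the "example-vo" entitlement are constructed for the example.

```python
"""Offline dry-run of mapping.egi.json against constructed claim sets.

Added example; models the claim-to-environment translation and the
mapping rules used above, not the real Keystone or mod_auth_openidc code.
"""
import json

# The mapping from the page, copied verbatim.
MAPPING_RULES = json.loads("""
[{"local": [{"user": {"name": "{0}"},
             "group": {"id": "89cf5b6708354094942d9d16f0f29f8f"}}],
  "remote": [{"type": "HTTP_OIDC_SUB"},
             {"type": "HTTP_OIDC_ISS",
              "any_one_of": ["https://aai-dev.egi.eu/oidc/"]},
             {"type": "OIDC-edu_person_entitlements",
              "any_one_of": ["urn:mace:egi.eu:www.egi.eu:fc-federated-aai:member@egi.eu"]}]}]
""")

CLAIM_PREFIX = "OIDC-"   # OIDCClaimPrefix in the Apache config above
CLAIM_DELIMITER = ";"    # OIDCClaimDelimiter; Keystone splits assertion values on ";"

# Constructed claim sets standing in for EGI CheckIn ID tokens (not real users).
# "example-vo" is a made-up VO used to show that unrelated entitlements are ignored.
CLAIMS_MEMBER = {
    "iss": "https://aai-dev.egi.eu/oidc/",
    "sub": "user-0001@egi.eu",
    "edu_person_entitlements": [
        "urn:mace:egi.eu:www.egi.eu:example-vo:member@egi.eu",
        "urn:mace:egi.eu:www.egi.eu:fc-federated-aai:member@egi.eu",
    ],
}
CLAIMS_NO_VO = {
    "iss": "https://aai-dev.egi.eu/oidc/",
    "sub": "user-0002@egi.eu",
    "edu_person_entitlements": ["urn:mace:egi.eu:www.egi.eu:example-vo:member@egi.eu"],
}
# Same subject and entitlements, asserted by a different (constructed) issuer.
CLAIMS_OTHER_ISSUER = dict(CLAIMS_MEMBER, iss="https://idp.example.org/")


def claims_to_env(claims, prefix=CLAIM_PREFIX, delimiter=CLAIM_DELIMITER):
    """Model how mod_auth_openidc exposes claims to the Keystone WSGI app.

    Each claim appears twice: as an Apache variable "<prefix><claim>" (for
    instance "OIDC-edu_person_entitlements") and as a request header of the
    same name, which WSGI renames to "HTTP_<PREFIX>_<CLAIM>" (for instance
    "HTTP_OIDC_ISS"). Multi-valued claims are joined with the delimiter.
    Simplified model written for this example, not the module's code.
    """
    env = {}
    for name, value in claims.items():
        joined = delimiter.join(value) if isinstance(value, list) else str(value)
        env[prefix + name] = joined
        env["HTTP_" + (prefix + name).upper().replace("-", "_")] = joined
    return env


def evaluate_mapping(rules, env, delimiter=CLAIM_DELIMITER):
    """Return {"user": {...}, "group_ids": [...]} from all matching rules, or None.

    A rule matches when every filtered remote attribute passes its
    "any_one_of" / "not_any_of" test and every unfiltered one is present;
    unfiltered attributes fill "{0}", "{1}", ... in the local section, in order.
    """
    identity = {"user": None, "group_ids": []}
    matched_any = False
    for rule in rules:
        direct, matched = [], True
        for remote in rule["remote"]:
            values = [v for v in env.get(remote["type"], "").split(delimiter) if v]
            if "any_one_of" in remote:
                matched = any(v in remote["any_one_of"] for v in values)
            elif "not_any_of" in remote:
                matched = not any(v in remote["not_any_of"] for v in values)
            else:
                matched = bool(values)          # missing direct attribute: no match
                if matched:
                    direct.append(values[0])
            if not matched:
                break
        if not matched:
            continue
        matched_any = True
        for local in rule["local"]:
            if "user" in local and identity["user"] is None:
                identity["user"] = {"name": local["user"]["name"].format(*direct)}
            if "group" in local:
                identity["group_ids"].append(local["group"]["id"].format(*direct))
    return identity if matched_any else None


if __name__ == "__main__":
    for label, claims in [("member", CLAIMS_MEMBER), ("no VO", CLAIMS_NO_VO),
                          ("other issuer", CLAIMS_OTHER_ISSUER)]:
        print(label, "->", evaluate_mapping(MAPPING_RULES, claims_to_env(claims)))
```

Running it shows the three outcomes the mapping is meant to produce: the member of the configured VO is mapped to the ops group under the user name taken from sub; a user from the same issuer without the required entitlement gets no identity; and the same sub with the same entitlements from another issuer is also rejected, because the HTTP_OIDC_ISS rule does not trust it. Adding a rule per VO (each with its own group id) makes a user who is in several VOs receive all the corresponding groups.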

Create the mapping in Keystone:

$ openstack mapping create --rules mapping.egi.json egi-mapping
+-------+-------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value                                                                                                                               |
+-------+-------------------------------------------------------------------------------------------------------------------------------------+
| id    | egi-mapping                                                                                                                         |
| rules | [{u'remote': [{u'type': u'HTTP_OIDC_SUB'}, {u'type': u'HTTP_OIDC_ISS', u'any_one_of': [u'https://aai-dev.egi.eu/oidc/']}, {u'type': |
|       | u'OIDC-edu_person_entitlements', u'any_one_of': [u'urn:mace:egi.eu:www.egi.eu:fc-federated-aai:member@egi.eu']}], u'local':         |
|       | [{u'group': {u'id': u'89cf5b6708354094942d9d16f0f29f8f'}, u'user': {u'name': u'{0}'}}]}]                                            |
+-------+-------------------------------------------------------------------------------------------------------------------------------------+

Finally, create the federated protocol with the identity provider and mapping created before:

$ openstack federation protocol create --identity-provider egi.eu --mapping egi-mapping oidc
+-------------------+-------------+
| Field             | Value       |
+-------------------+-------------+
| id                | oidc        |
| identity_provider | egi.eu      |
| mapping           | egi-mapping |
+-------------------+-------------+

Horizon Configuration