SP Initiated
OpenStack and Shibboleth are popular open-source solutions for federated identity authentication. They provide powerful SSO capabilities to connect users to internal and external enterprise applications. This section describes how to use OpenStackClient and Shibboleth ECP Client to obtain a federated authentication token.
Flowchart
The following figure shows the process of SP-initiated federation authentication.
Description
- The client calls the API used to obtain a federated token in SP-initiated mode.
- The cloud platform searches for a metadata file based on the user and IdP information in the URL and sends a SAML request to the client.
- The client encapsulates the SAML request and forwards the request to the IdP.
- A user enters a username and password on the IdP server for identity authentication.
- After authenticating the user, IdP constructs an assertion carrying the user identity information and sends a SAML response to the client.
- The client encapsulates the SAML response and forwards the response to the cloud platform.
- The cloud platform verifies and authenticates the assertion, and generates a temporary access credential according to the identity conversion rules of the user configured for the identity provider.
- The user can access public cloud resources based on assigned permissions.
OpenStackClient
OpenStackClient is a command-line client that can be installed only by a user with root permissions. Configuration of this client requires only common user permissions.
Call APIs in a secure network environment (in a VPN or cloud server). Otherwise, you may encounter man-in-the-middle (MITM) attacks.
- Create an environment variable file in the installation directory of OpenStackClient, and add the username, password, region, SAML protocol version, and IAM address in the file. Table 1 describes the parameters.
For example:
export OS_IDENTITY_API_VERSION=3
export OS_AUTH_TYPE=v3samlpassword
export OS_AUTH_URL=https://example:443/v3
export OS_IDENTITY_PROVIDER=idpid
export OS_PROTOCOL=saml
export OS_IDENTITY_PROVIDER_URL=https://idp.example.com/idp/profile/SAML2/SOAP/ECP
export OS_USERNAME=username
export OS_PASSWORD=userpassword
export OS_DOMAIN_NAME=example-domain-name
Table 1 Parameter description Parameter
Description
OS_IDENTITY_API_VERSION
Authentication API version. The value is fixed at 3.
OS_AUTH_TYPE
Authentication type. The value is fixed at v3samlpassword.
OS_AUTH_URL
Authentication URL. The value format is https://IAM _address:Port_number/API_version.
- Port_number is fixed at 443.
- API_version is fixed at v3.
OS_IDENTITY_PROVIDER
Name of an identity provider created on the cloud platform. For example: Publiccloud-Shibboleth.
OS_DOMAIN_NAME
Name of the account to be authenticated
OS_PROTOCOL
SAML protocol version. The value is fixed at saml.
OS_IDENTITY_PROVIDER_URL
URL of the identity provider used to handle the authentication requests initiated by ECP
OS_USERNAME
Name of a user authenticated using the identity provider
OS_PASSWORD
Password of the user
- Run the following command to set environment variables:
source keystonerc
- Run the following command to obtain a token:
openstack token issue
>>openstack token issue command: token issue -> openstackclient.identity.v3.token.IssueToken (auth=True) Using auth plugin: v3samlpassword +----------------------------------------------------------------------------------------------------------- | Field | Value | expires | 2018-04-16T03:46:51+0000 | id | MIIDbQYJKoZIhvcNAQcCoIIDXjXXX... | user_id | 9B7CJy5ME14f0fQKhb6HJVQdpXXX...
In the command output, id is the obtained federated authentication token.
Shibboleth ECP Client
- Configure the metadata-providers.xml files in Shibboleth IdP v3 and place them in the corresponding path.
<MetadataProvider id="LocalMetadata1"xsi:type="FilesystemMetadataProvider" metadataFile="C:\Program Files (x86)\Shibboleth\IdP\metadata\web_metadata.xml"/> <MetadataProvider id="LocalMetadata2"xsi:type="FilesystemMetadataProvider" metadataFile="C:\Program Files (x86)\Shibboleth\IdP\metadata\api_metadata.xml"/>
- MetadataProvider id indicates the name of the downloaded metadata file of the SP system.
- metadataFile indicates the path for storing the metadata file of the SP system in the IdP system.
- Configure the attribute-filter.xml file in Shibboleth IdP v3.
<afp:AttributeFilterPolicy id="example1"> <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://auth.example.com/" /> <afp:AttributeRule attributeID="eduPersonPrincipalName"> <afp:PermitValueRule xsi:type="basic:ANY" /> </afp:AttributeRule> <afp:AttributeRule attributeID="uid"> <afp:PermitValueRule xsi:type="basic:ANY" /> </afp:AttributeRule> <afp:AttributeRule attributeID="mail"> <afp:PermitValueRule xsi:type="basic:ANY" /> </afp:AttributeRule> </afp:AttributeFilterPolicy> <afp:AttributeFilterPolicy id="example2"> <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://iam.{region_id}.example.com" /> <afp:AttributeRule attributeID="eduPersonPrincipalName"> <afp:PermitValueRule xsi:type="basic:ANY" /> </afp:AttributeRule> <afp:AttributeRule attributeID="uid"> <afp:PermitValueRule xsi:type="basic:ANY" /> </afp:AttributeRule> <afp:AttributeRule attributeID="mail"> <afp:PermitValueRule xsi:type="basic:ANY" /> </afp:AttributeRule> </afp:AttributeFilterPolicy>
AttributeFilterPolicy id indicates the name of the downloaded metadata file of the SP system.
value indicates the EntityID in the metadata file of the SP system.
- Configure the endpoint of the IdP system in the ecp.py script.
# mapping from user friendly names or tags to IdP ECP enpoints IDP_ENDPOINTS = { "idp1": "https://idp.example.com/idp/profile/SAML2/SOAP/ECP" }
- Run the ecp.py script to obtain a federated authentication token.
>>python ecp.py Usage: ecp.py [options] IdP_tag target_url login >>python ecp.py -d idp1 https://iam.{region_id}.example.com/v3/OS-FEDERATION/identity_providers/idp_example/protocols/saml/auth {username} X-Subject-Token: MIIDbQYJKoZIhvcNAQcCoIIDXXX...
X-Subject-Token is the obtained federated authentication token.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.