Help Center/ Identity and Access Management/ API Reference (Kuala Lumpur Region)/ APIs/ Federated Identity Authentication Management/ Obtaining a Token in Federated Identity Authentication Mode/ SP Initiated

Updated on 2022-08-16 GMT+08:00

View PDF

SP Initiated

OpenStack and Shibboleth are widely used open-source federated identity authentication solutions. They provide powerful SSO capabilities and connect users to various applications both inside and outside enterprises. This section describes how to use OpenStackClient and Shibboleth ECP Client to obtain the federated authentication token.

Flowchart

The following figure shows the SP-initiated federation authentication process.

Figure 1 Flowchart (SP-initiated)
Click to enlarge

Description

The client calls the API (federated token obtained in the SP-initiated mode) provided by the cloud system.
The cloud system searches for the metadata file based on the user and IdP information in the URL and sends the SAML request to the client.
The client encapsulates the SAML request and forwards the SAML request to the IdP.
A user enters a username and password on the IdP server for identity authentication.
After the user passes the authentication, IdP constructs an assertion carrying the user identity information and sends the SAML response. The response passes through the client.
The client encapsulates the SAML response and forwards the SAML response to the cloud platform.
The cloud platform verifies and authenticates the assertion, and generates a temporary access credential according to the identity conversion rule configured by users in the identity provider.
Users can access cloud resources according to their permissions.

OpenStackClient

You must have permissions of user root to install the unified command-line client. To perform the following operations, you only need to have the permissions of a common user.

The API calling operation must be performed in a secure network environment (in a VPN or a cloud server of a domain). Otherwise, this operation may be under the man-in-the-middle (MITM) attack.

Create an environment variable file under the installation directory of OpenStackClient. Modify the environment variable file in a text editor. Add parameters, such as the username, password, region, SAML protocol version, and the IP address and port number of IAM, to the file. Table 1 describes the parameters.

For example:

export OS_IDENTITY_API_VERSION=3

export OS_AUTH_TYPE=v3samlpassword

export OS_IDENTITY_PROVIDER=idpid

export OS_PROTOCOL=saml

export OS_IDENTITY_PROVIDER_URL=https://idp.example.com/idp/profile/SAML2/SOAP/ECP

export OS_USERNAME=username

export OS_PASSWORD=userpassword

export OS_DOMAIN_NAME=example-domain-name

**Table 1** Parameter description
Parameter	Description
OS_IDENTITY_API_VERSION	Indicates the authentication API version. The value is fixed at 3.
OS_AUTH_TYPE	Indicates the authentication type. The value is fixed at v3samlpassword.
OS_AUTH_URL	Indicates the authentication URL. The value format is https://IAM IP address:Port number/API version. Port number is fixed at 443. API version is fixed at v3.
OS_IDENTITY_PROVIDER	Indicates the name of an identity provider created by a user in the cloud system. For example: Publiccloud-Shibboleth.
OS_DOMAIN_NAME	Indicates the domain name to be authenticated.
OS_PROTOCOL	Indicates the SAML protocol version. The value is fixed at saml.
OS_IDENTITY_PROVIDER_URL	Indicates the URL of the identity provider used to handle the authentication request initialized by the ECP.
OS_USERNAME	Indicates the name of a user who is authenticated in the identity provider.
OS_PASSWORD	Indicates the password of a user who is authenticated in the identity provider.

Run the following command to set environment variables:

source keystonerc

Run the following command to obtain a token:

openstack token issue

>>openstack token issue 
command: token issue -> openstackclient.identity.v3.token.IssueToken (auth=True)
Using auth plugin: v3samlpassword
+-----------------------------------------------------------------------------------------------------------
| Field   | Value
| expires | 2018-04-16T03:46:51+0000                              
| id      | MIIDbQYJKoZIhvcNAQcCoIIDXjXXX...
| user_id | 9B7CJy5ME14f0fQKhb6HJVQdpXXX...

In the command output, id is the obtained federated authentication token.

Shibboleth ECP Client

Configure the metadata-providers.xml file in Shibboleth IdP v3 and save the metadata.xml file in the corresponding path.

<MetadataProvider id="LocalMetadata1"xsi:type="FilesystemMetadataProvider" metadataFile="C:\Program Files (x86)\Shibboleth\IdP\metadata\web_metadata.xml"/>
<MetadataProvider id="LocalMetadata2"xsi:type="FilesystemMetadataProvider" metadataFile="C:\Program Files (x86)\Shibboleth\IdP\metadata\api_metadata.xml"/>

MetadataProvider id indicates the name of the downloaded metadata file of the SP system.
metadataFile indicates the path for storing the metadata file of the SP system in the enterprise IdP.

Configure the attribute-filter.xml file in Shibboleth IdP v3.

<afp:AttributeFilterPolicy id="example1">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://auth.example.com/" />
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="uid">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="mail">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>

<afp:AttributeFilterPolicy id="example2">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://iam.{region_id}.example.com" />
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="uid">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="mail">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>

AttributeFilterPolicy id indicates the name of the downloaded metadata file of the SP system.

value indicates the EntityID in the metadata file of the SP system.

Configure the endpoint address of the enterprise IdP in the ecp.py script.

# mapping from user friendly names or tags to IdP ECP enpoints
IDP_ENDPOINTS = {
    "idp1": "https://idp.example.com/idp/profile/SAML2/SOAP/ECP"
}

Run the ecp.py script to obtain the federated authentication token.

>>python ecp.py
Usage: ecp.py [options] IdP_tag target_url login
>>python ecp.py -d idp1 https://iam.{region_id}.example.com/v3/OS-FEDERATION/identity_providers/idp_example/protocols/saml/auth {username}
X-Subject-Token: MIIDbQYJKoZIhvcNAQcCoIIDXXX...

X-Subject-Token is the obtained federated authentication token.

Parent topic: Obtaining a Token in Federated Identity Authentication Mode

Previous topic: Obtaining a Token in Federated Identity Authentication Mode

Next topic: IdP Initiated

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot