Updated on 2022-08-16 GMT+08:00

SP Initiated

OpenStack and Shibboleth are widely used open-source federated identity authentication solutions. They provide powerful SSO capabilities and connect users to various applications both inside and outside enterprises. This section describes how to use OpenStackClient and Shibboleth ECP Client to obtain the federated authentication token.

Flowchart

The following figure shows the SP-initiated federation authentication process.

Figure 1 Flowchart (SP-initiated)

Description

  1. The client calls the API (federated token obtained in the SP-initiated mode) provided by the cloud system.
  2. The cloud system searches for the metadata file based on the user and IdP information in the URL and sends the SAML request to the client.
  3. The client encapsulates the SAML request and forwards the SAML request to the IdP.
  4. A user enters a username and password on the IdP server for identity authentication.
  5. After the user passes the authentication, IdP constructs an assertion carrying the user identity information and sends the SAML response. The response passes through the client.
  6. The client encapsulates the SAML response and forwards the SAML response to the cloud platform.
  7. The cloud platform verifies and authenticates the assertion, and generates a temporary access credential according to the identity conversion rule configured by users in the identity provider.
  8. Users can access cloud resources according to their permissions.

OpenStackClient

You must have permissions of user root to install the unified command-line client. To perform the following operations, you only need to have the permissions of a common user.

The API calling operation must be performed in a secure network environment (in a VPN or a cloud server of a domain). Otherwise, this operation may be under the man-in-the-middle (MITM) attack.

  1. Create an environment variable file under the installation directory of OpenStackClient. Modify the environment variable file in a text editor. Add parameters, such as the username, password, region, SAML protocol version, and the IP address and port number of IAM, to the file. Table 1 describes the parameters.

    For example:

    export OS_IDENTITY_API_VERSION=3

    export OS_AUTH_TYPE=v3samlpassword

    export OS_IDENTITY_PROVIDER=idpid

    export OS_PROTOCOL=saml

    export OS_IDENTITY_PROVIDER_URL=https://idp.example.com/idp/profile/SAML2/SOAP/ECP

    export OS_USERNAME=username

    export OS_PASSWORD=userpassword

    export OS_DOMAIN_NAME=example-domain-name

    Table 1 Parameter description

    Parameter

    Description

    OS_IDENTITY_API_VERSION

    Indicates the authentication API version. The value is fixed at 3.

    OS_AUTH_TYPE

    Indicates the authentication type. The value is fixed at v3samlpassword.

    OS_AUTH_URL

    Indicates the authentication URL. The value format is https://IAM IP address:Port number/API version.

    • Port number is fixed at 443.
    • API version is fixed at v3.

    OS_IDENTITY_PROVIDER

    Indicates the name of an identity provider created by a user in the cloud system. For example: Publiccloud-Shibboleth.

    OS_DOMAIN_NAME

    Indicates the domain name to be authenticated.

    OS_PROTOCOL

    Indicates the SAML protocol version. The value is fixed at saml.

    OS_IDENTITY_PROVIDER_URL

    Indicates the URL of the identity provider used to handle the authentication request initialized by the ECP.

    OS_USERNAME

    Indicates the name of a user who is authenticated in the identity provider.

    OS_PASSWORD

    Indicates the password of a user who is authenticated in the identity provider.

  2. Run the following command to set environment variables:

    source keystonerc

  3. Run the following command to obtain a token:

    openstack token issue

    >>openstack token issue 
    command: token issue -> openstackclient.identity.v3.token.IssueToken (auth=True)
    Using auth plugin: v3samlpassword
    +-----------------------------------------------------------------------------------------------------------
    | Field   | Value
    | expires | 2018-04-16T03:46:51+0000                              
    | id      | MIIDbQYJKoZIhvcNAQcCoIIDXjXXX...
    | user_id | 9B7CJy5ME14f0fQKhb6HJVQdpXXX...

    In the command output, id is the obtained federated authentication token.

Shibboleth ECP Client

  1. Configure the metadata-providers.xml file in Shibboleth IdP v3 and save the metadata.xml file in the corresponding path.

    <MetadataProvider id="LocalMetadata1"xsi:type="FilesystemMetadataProvider" metadataFile="C:\Program Files (x86)\Shibboleth\IdP\metadata\web_metadata.xml"/>
    <MetadataProvider id="LocalMetadata2"xsi:type="FilesystemMetadataProvider" metadataFile="C:\Program Files (x86)\Shibboleth\IdP\metadata\api_metadata.xml"/>
    • MetadataProvider id indicates the name of the downloaded metadata file of the SP system.
    • metadataFile indicates the path for storing the metadata file of the SP system in the enterprise IdP.

  2. Configure the attribute-filter.xml file in Shibboleth IdP v3.

    <afp:AttributeFilterPolicy id="example1">
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://auth.example.com/" />
        <afp:AttributeRule attributeID="eduPersonPrincipalName">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="uid">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="mail">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>
    
    <afp:AttributeFilterPolicy id="example2">
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://iam.{region_id}.example.com" />
        <afp:AttributeRule attributeID="eduPersonPrincipalName">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="uid">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="mail">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

    AttributeFilterPolicy id indicates the name of the downloaded metadata file of the SP system.

    value indicates the EntityID in the metadata file of the SP system.

  3. Configure the endpoint address of the enterprise IdP in the ecp.py script.

    # mapping from user friendly names or tags to IdP ECP enpoints
    IDP_ENDPOINTS = {
        "idp1": "https://idp.example.com/idp/profile/SAML2/SOAP/ECP"
    }

  4. Run the ecp.py script to obtain the federated authentication token.

    >>python ecp.py
    Usage: ecp.py [options] IdP_tag target_url login
    >>python ecp.py -d idp1 https://iam.{region_id}.example.com/v3/OS-FEDERATION/identity_providers/idp_example/protocols/saml/auth {username}
    X-Subject-Token: MIIDbQYJKoZIhvcNAQcCoIIDXXX...

    X-Subject-Token is the obtained federated authentication token.