Updated on 2022-05-24 GMT+08:00

SP Initiated

OpenStack and Shibboleth are popular open-source solutions for federated identity authentication. They provide powerful SSO capabilities to connect users to internal and external enterprise applications. This section describes how to use OpenStackClient and Shibboleth ECP Client to obtain a federated authentication token.

Flowchart

The following figure shows the process of SP-initiated federation authentication.

Figure 1 Flowchart (SP-initiated)

Description

  1. The client calls the API used to obtain a federated token in SP-initiated mode.
  2. The cloud platform searches for a metadata file based on the user and IdP information in the URL and sends a SAML request to the client.
  3. The client encapsulates the SAML request and forwards the request to the IdP.
  4. A user enters a username and password on the IdP server for identity authentication.
  5. After authenticating the user, IdP constructs an assertion carrying the user identity information and sends a SAML response to the client.
  6. The client encapsulates the SAML response and forwards the response to the cloud platform.
  7. The cloud platform verifies and authenticates the assertion, and generates a temporary access credential according to the identity conversion rules of the user configured for the identity provider.
  8. The user can access public cloud resources based on assigned permissions.

OpenStackClient

OpenStackClient is a command-line client that can be installed only by a user with root permissions. Configuration of this client requires only common user permissions.

Call APIs in a secure network environment (in a VPN or cloud server). Otherwise, you may encounter man-in-the-middle (MITM) attacks.

  1. Create an environment variable file in the installation directory of OpenStackClient, and add the username, password, region, SAML protocol version, and IAM address in the file. Table 1 describes the parameters.

    For example:

    export OS_IDENTITY_API_VERSION=3

    export OS_AUTH_TYPE=v3samlpassword

    export OS_AUTH_URL=https://example:443/v3

    export OS_IDENTITY_PROVIDER=idpid

    export OS_PROTOCOL=saml

    export OS_IDENTITY_PROVIDER_URL=https://idp.example.com/idp/profile/SAML2/SOAP/ECP

    export OS_USERNAME=username

    export OS_PASSWORD=userpassword

    export OS_DOMAIN_NAME=example-domain-name

    Table 1 Parameter description

    Parameter

    Description

    OS_IDENTITY_API_VERSION

    Authentication API version. The value is fixed at 3.

    OS_AUTH_TYPE

    Authentication type. The value is fixed at v3samlpassword.

    OS_AUTH_URL

    Authentication URL. The value format is https://IAM _address:Port_number/API_version.

    • Port_number is fixed at 443.
    • API_version is fixed at v3.

    OS_IDENTITY_PROVIDER

    Name of an identity provider created on the cloud platform. For example: Publiccloud-Shibboleth.

    OS_DOMAIN_NAME

    Name of the account to be authenticated

    OS_PROTOCOL

    SAML protocol version. The value is fixed at saml.

    OS_IDENTITY_PROVIDER_URL

    URL of the identity provider used to handle the authentication requests initiated by ECP

    OS_USERNAME

    Name of a user authenticated using the identity provider

    OS_PASSWORD

    Password of the user

  2. Run the following command to set environment variables:

    source keystonerc

  3. Run the following command to obtain a token:

    openstack token issue

    >>openstack token issue 
    command: token issue -> openstackclient.identity.v3.token.IssueToken (auth=True)
    Using auth plugin: v3samlpassword
    +-----------------------------------------------------------------------------------------------------------
    | Field   | Value
    | expires | 2018-04-16T03:46:51+0000                              
    | id      | MIIDbQYJKoZIhvcNAQcCoIIDXjXXX...
    | user_id | 9B7CJy5ME14f0fQKhb6HJVQdpXXX...

    In the command output, id is the obtained federated authentication token.

Shibboleth ECP Client

  1. Configure the metadata-providers.xml files in Shibboleth IdP v3 and place them in the corresponding path.

    <MetadataProvider id="LocalMetadata1"xsi:type="FilesystemMetadataProvider" metadataFile="C:\Program Files (x86)\Shibboleth\IdP\metadata\web_metadata.xml"/>
    <MetadataProvider id="LocalMetadata2"xsi:type="FilesystemMetadataProvider" metadataFile="C:\Program Files (x86)\Shibboleth\IdP\metadata\api_metadata.xml"/>
    • MetadataProvider id indicates the name of the downloaded metadata file of the SP system.
    • metadataFile indicates the path for storing the metadata file of the SP system in the IdP system.

  2. Configure the attribute-filter.xml file in Shibboleth IdP v3.

    <afp:AttributeFilterPolicy id="example1">
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://auth.example.com/" />
        <afp:AttributeRule attributeID="eduPersonPrincipalName">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="uid">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="mail">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>
    
    <afp:AttributeFilterPolicy id="example2">
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://iam.{region_id}.example.com" />
        <afp:AttributeRule attributeID="eduPersonPrincipalName">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="uid">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="mail">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

    AttributeFilterPolicy id indicates the name of the downloaded metadata file of the SP system.

    value indicates the EntityID in the metadata file of the SP system.

  3. Configure the endpoint of the IdP system in the ecp.py script.

    # mapping from user friendly names or tags to IdP ECP enpoints
    IDP_ENDPOINTS = {
        "idp1": "https://idp.example.com/idp/profile/SAML2/SOAP/ECP"
    }

  4. Run the ecp.py script to obtain a federated authentication token.

    >>python ecp.py
    Usage: ecp.py [options] IdP_tag target_url login
    >>python ecp.py -d idp1 https://iam.{region_id}.example.com/v3/OS-FEDERATION/identity_providers/idp_example/protocols/saml/auth {username}
    X-Subject-Token: MIIDbQYJKoZIhvcNAQcCoIIDXXX...

    X-Subject-Token is the obtained federated authentication token.