[keystone] adfs SingleSignOn with CLI/API?

Colleen Murphy colleen at gazlene.net
Mon Feb 11 14:19:51 UTC 2019


Hi Fabian,

On Mon, Feb 11, 2019, at 12:58 PM, Fabian Zimmermann wrote:
> Hi,
> 
> I'm currently trying to implement some way to do an SSO against our 
> ActiveDirectory. I already tried SAMLv2 and OpenID Connect.
> 
> I'm able to sign in via Horizon, but I'm unable to find a working way on the CLI.
> 
> Already tried v3adfspassword and v3oidcpassword, but I'm unable to get 
> them working.
> 
> Any hints / links / docs where to find more information?
> 
> Anyone using this kind of setup and willing to share know-how?
> 
> Thanks a lot,
> 
>  Fabian Zimmermann

We have an example of authenticating with the CLI here:

https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html#authenticating

That only covers the regular SAML2.0 ECP type of authentication, which I guess won't work with ADFS, and we seem to have zero ADFS-specific documentation.

From the keystoneauth plugin code, it looks like you need to set identity-provider-url, service-provider-endpoint, service-provider-entity-id, username, password, identity-provider, and protocol (I'm getting that from the loader classes[1][2]). Is that the information you're looking for, or can you give more details on what specifically isn't working?

Colleen

[1] http://git.openstack.org/cgit/openstack/keystoneauth/tree/keystoneauth1/loading/identity.py#n104
[2] http://git.openstack.org/cgit/openstack/keystoneauth/tree/keystoneauth1/extras/_saml2/_loading.py#n45
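
Added example, not part of the original message and not keystoneauth code: a pre-flight check that an auth option mapping contains every option named in the reply above and that the two endpoint URLs use HTTPS, plus a helper that masks the password before the options are pasted into a bug report. The function names, the HTTPS policy and all sample values are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Option names as listed in the message above (CLI spelling, with hyphens).
REQUIRED = ("identity-provider-url", "service-provider-endpoint",
            "service-provider-entity-id", "username", "password",
            "identity-provider", "protocol")
URL_OPTIONS = ("identity-provider-url", "service-provider-endpoint")


def check_adfs_options(auth):
    """Return a list of problems found in an auth option mapping.

    Keys may use hyphens (CLI flags) or underscores (clouds.yaml style);
    both are normalised to the hyphenated form before checking.
    """
    opts = {k.replace("_", "-"): v for k, v in auth.items()}
    problems = []
    for name in REQUIRED:
        value = opts.get(name)
        if value is None or not str(value).strip():
            problems.append(f"missing: {name}")
    for name in URL_OPTIONS:
        value = opts.get(name)
        if not value:
            continue  # already reported as missing
        parts = urlsplit(str(value))
        if parts.scheme != "https" or not parts.netloc:
            # HTTPS-only is a policy assumed for this example: credentials
            # and the resulting assertion travel to these endpoints.
            problems.append(f"not an https URL: {name}")
    return problems


def redacted(auth):
    """Copy of the mapping that is safe to paste into a bug report."""
    return {k: ("***" if k.replace("_", "-") == "password" else v)
            for k, v in auth.items()}


# Constructed sample values; none come from a real deployment.
SAMPLE = {
    "identity_provider_url": "http://adfs.example.test/adfs/services/trust/13/usernamemixed",
    "service_provider_endpoint": "https://keystone.example.test:5000/Shibboleth.sso/ADFS",
    "username": "fabian@example.test",
    "password": "not-a-real-password",
    "identity_provider": "adfs",
    "protocol": "saml2",
}
```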


