Forwarding back to list On Mon, Feb 11, 2019, at 5:11 PM, Blake Covarrubias wrote:
On Feb 11, 2019, at 6:19 AM, Colleen Murphy <colleen@gazlene.net> wrote:
Hi Fabian,
On Mon, Feb 11, 2019, at 12:58 PM, Fabian Zimmermann wrote:
Hi,
Im currently trying to implement some way to do a SSO against our ActiveDirectory. I already tried SAMLv2 and OpenID Connect.
Im able to sign in via Horizon, but im unable to find a working way on cli.
Already tried v3adfspassword and v3oidcpassword, but im unable to get them working.
Any hints / links / docs where to find more information?
Anyone using this kind of setup and willing to share KnowHow?
Thanks a lot,
Fabian Zimmermann
We have an example of authenticating with the CLI here:
https://docs.openstack.org/keystone/latest/admin/federation/configure_federa...
That only covers the regular SAML2.0 ECP type of authentication, which I guess won't work with ADFS, and we seem to have zero ADFS-specific documentation.
From the keystoneauth plugin code, it looks like you need to set identity-provider-url, service-provider-endpoint, service-provider-entity-id, username, password, identity-provider, and protocol (I'm getting that from the loader classes[1][2]). Is that the information you're looking for, or can you give more details on what specifically isn't working?
Colleen
[1] http://git.openstack.org/cgit/openstack/keystoneauth/tree/keystoneauth1/load... [2] http://git.openstack.org/cgit/openstack/keystoneauth/tree/keystoneauth1/extr...
Fabian,
To add a bit more info, the AD FS plugin essentially uses IdP-initiated sign-on. The identity provider URL is where the initial authentication request to AD FS will be sent. An example of this would be https://HOSTNAME/adfs/services/trust/13/usernamemixed <https://hostname/adfs/services/trust/13/usernamemixed>. The service provider’s entity ID must also be sent in the request so that AD FS knows which Relying Party Trust to associate with the request.
AD FS will provide a SAML assertion upon successful authentication. The service provider endpoint is the URL of the Assertion Consumer Service. If you’re using Shibboleth on the SP, this would be https://HOSTNAME/Shibboleth.sso/ADFS <https://hostname/Shibboleth.sso/ADFS>.
Note: The service-provider-entity-id can be omitted if it is the same value as the service-provider-endpoint (or Assertion Consumer Service URL).
Hope this helps.
— Blake Covarrubias