Re: [keystone] adfs SingleSignOn with CLI/API?
Forwarding back to list
On Mon, Feb 11, 2019, at 5:11 PM, Blake Covarrubias wrote:
On Feb 11, 2019, at 6:19 AM, Colleen Murphy <colleen@gazlene.net> wrote:
Hi Fabian,
On Mon, Feb 11, 2019, at 12:58 PM, Fabian Zimmermann wrote:
Hi,
I'm currently trying to implement some way to do SSO against our ActiveDirectory. I already tried SAMLv2 and OpenID Connect.
I'm able to sign in via Horizon, but I'm unable to find a working way on the CLI.
Already tried v3adfspassword and v3oidcpassword, but I'm unable to get them working.
Any hints / links / docs where to find more information?
Anyone using this kind of setup and willing to share KnowHow?
Thanks a lot,
Fabian Zimmermann
We have an example of authenticating with the CLI here:
https://docs.openstack.org/keystone/latest/admin/federation/configure_federa...
That only covers the regular SAML2.0 ECP type of authentication, which I guess won't work with ADFS, and we seem to have zero ADFS-specific documentation.
From the keystoneauth plugin code, it looks like you need to set identity-provider-url, service-provider-endpoint, service-provider-entity-id, username, password, identity-provider, and protocol (I'm getting that from the loader classes[1][2]). Is that the information you're looking for, or can you give more details on what specifically isn't working?
Colleen
[1] http://git.openstack.org/cgit/openstack/keystoneauth/tree/keystoneauth1/load... [2] http://git.openstack.org/cgit/openstack/keystoneauth/tree/keystoneauth1/extr...
Fabian,
To add a bit more info, the AD FS plugin essentially uses IdP-initiated sign-on. The identity provider URL is where the initial authentication request to AD FS will be sent. An example of this would be https://HOSTNAME/adfs/services/trust/13/usernamemixed. The service provider’s entity ID must also be sent in the request so that AD FS knows which Relying Party Trust to associate with the request.
AD FS will provide a SAML assertion upon successful authentication. The service provider endpoint is the URL of the Assertion Consumer Service. If you’re using Shibboleth on the SP, this would be https://HOSTNAME/Shibboleth.sso/ADFS.
Note: The service-provider-entity-id can be omitted if it is the same value as the service-provider-endpoint (or Assertion Consumer Service URL).
Hope this helps.
— Blake Covarrubias
Hi,
thanks for the fast answers.
I asked our ADFS Administrators if they could provide some logs to see what's going wrong, but they are unable to deliver these.
So I installed keycloak and switched to OpenID Connect.
I'm (again) able to connect via Horizon SSO, but when I try to use v3oidcpassword in the CLI I'm running into
https://bugs.launchpad.net/python-openstackclient/+bug/1648580
I already added the suggested --os-client-secret without luck. Updating to latest python-versions..
pip install -U python-keystoneclient
pip install -U python-openstackclient
didn't change anything.
Any ideas what to try next?
Offtopic:
Seems like https://groups.google.com/forum/#!topic/mod_auth_openidc/qGE1DGQCTMY is right. I had to change the RedirectURI to get OpenIDConnect working with Keystone. The sample config of https://docs.openstack.org/keystone/rocky/advanced-topics/federation/websso.... is *not working for me*
Fabian
On 11.02.19 at 17:18, Colleen Murphy wrote:
On Wed, Feb 13, 2019, at 9:50 AM, Fabian Zimmermann wrote:
Hi,
thanks for the fast answers.
I asked our ADFS Administrators if they could provide some logs to see what's going wrong, but they are unable to deliver these.
I'm more interested in what you were seeing, both the output from the client and the output from the keystone server if you have access to it.
So I installed keycloak and switched to OpenID Connect.
I'm (again) able to connect via Horizon SSO, but when I try to use v3oidcpassword in the CLI I'm running into
https://bugs.launchpad.net/python-openstackclient/+bug/1648580
I already added the suggested --os-client-secret without luck. Updating to latest python-versions..
pip install -U python-keystoneclient
pip install -U python-openstackclient
didn't change anything.
Any ideas what to try next?
Unfortunately that seems to still be a valid bug that we'll need to address. You could try using the python keystoneauth library directly and see if the issue appears there[1][2].
[1] https://docs.openstack.org/keystoneauth/latest/using-sessions.html [2] https://docs.openstack.org/keystoneauth/latest/plugin-options.html#v3oidcpas...
Offtopic:
Seems like
https://groups.google.com/forum/#!topic/mod_auth_openidc/qGE1DGQCTMY
is right. I had to change the RedirectURI to get OpenIDConnect working with Keystone. The sample config of
https://docs.openstack.org/keystone/rocky/advanced-topics/federation/websso....
is *not working for me*
I found that too. The in-development documentation has already been fixed[3] but we didn't backport that to the Rocky documentation because it was part of a large series of rewrites and reorgs.
[3] https://docs.openstack.org/keystone/latest/admin/federation/configure_federa...
Fabian
Colleen
You should be able to configure keystone to authenticate against "ldap" using your active directory. Have you tried that yet?
On Thu, Feb 14, 2019, 05:33 Colleen Murphy <colleen@gazlene.net> wrote:
Hi, thanks for your reply, but
On 14.02.19 at 14:15, Brandon Sawyers wrote:
You should be able to configure keystone to authenticate against "ldap" using your active directory.
this is not an option, because our customers don't want to share their passwords with us ;)
Fabian
Hi Colleen,
On 14.02.19 at 11:32, Colleen Murphy wrote:
I'm more interested in what you were seeing, both the output from the client and the output from the keystone server if you have access to it.
I will configure the adfs-connection again and send you the logs.
Unfortunately that seems to still be a valid bug that we'll need to address. You could try using the python keystoneauth library directly and see if the issue appears there[1][2].
[1] https://docs.openstack.org/keystoneauth/latest/using-sessions.html [2] https://docs.openstack.org/keystoneauth/latest/plugin-options.html#v3oidcpas...
I was missing the --os-client-id parameter, but I didn't get any hint that it is required, so it took a while to find it. With os-client-id and os-client-secret I'm now able to reach my keycloak. I already found some settings on keycloak I had to change. (Hopefully) I will be able to continue my work next week.
I found that too. The in-development documentation has already been fixed[3] but we didn't backport that to the Rocky documentation because it was part of a large series of rewrites and reorgs.
[3] https://docs.openstack.org/keystone/latest/admin/federation/configure_federa...
Great, thanks a lot, I will fix my settings.
Fabian
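Colleen's suggestion above was to drive the v3oidcpassword flow through the keystoneauth library directly, and Fabian's finding was that the CLI never said --os-client-id was required. The following is an added example, not code from this thread or from keystoneauth itself: a dependency-free model of the two HTTP exchanges behind v3oidcpassword, with stand-in IdP and keystone servers so both sides of the conversation can be traced offline, and with an up-front check that names every missing option. It assumes (labelled in the code) that the IdP token endpoint implements the OAuth2 password grant with client credentials sent as HTTP Basic auth, and that keystone exchanges the resulting bearer token at `{auth_url}/OS-FEDERATION/identity_providers/{idp}/protocols/{protocol}/auth`; all hostnames, secrets and tokens are constructed values.

```python
"""Added example, not code from this thread or from keystoneauth itself: a
dependency-free model of the two HTTP exchanges behind the v3oidcpassword
plugin, with stand-in servers so the flow can be traced offline.

Assumptions (labelled): the IdP token endpoint implements the OAuth2
'password' grant and takes the client credentials as HTTP Basic auth; keystone
exchanges the resulting bearer token at
  {auth_url}/OS-FEDERATION/identity_providers/{idp}/protocols/{protocol}/auth
All hostnames, secrets and tokens below are constructed values.
"""
import base64
from urllib.parse import parse_qs, urlencode


class FakeResponse:
    """Just enough of an HTTP response for the example."""
    def __init__(self, status, headers=None, body=None):
        self.status, self.headers, self.body = status, headers or {}, body or {}


# --- constructed stand-ins for the IdP (keycloak) and keystone ---------------
IDP_TOKEN_ENDPOINT = "https://keycloak.example.test/realms/os/protocol/openid-connect/token"
KEYSTONE_AUTH_URL = "https://keystone.example.test/v3"
IDP_CLIENTS = {"openstack-cli": "constructed-client-secret"}
IDP_USERS = {"fabian": "constructed-user-password"}
IDP_ACCESS_TOKEN = "constructed.access.token"
KEYSTONE_SUBJECT_TOKEN = "constructed-keystone-token"


def fake_idp_token_endpoint(headers, data):
    """Password grant: client credentials in the Basic header, user credentials in the form body."""
    authz = headers.get("Authorization", "")
    if not authz.startswith("Basic "):
        return FakeResponse(401, body={"error": "invalid_client"})
    client_id, _, client_secret = base64.b64decode(authz[6:]).decode().partition(":")
    if IDP_CLIENTS.get(client_id) != client_secret:
        return FakeResponse(401, body={"error": "invalid_client"})
    form = {k: v[0] for k, v in parse_qs(data).items()}
    if form.get("grant_type") != "password":
        return FakeResponse(400, body={"error": "unsupported_grant_type"})
    if IDP_USERS.get(form.get("username")) != form.get("password"):
        return FakeResponse(400, body={"error": "invalid_grant"})
    return FakeResponse(200, body={"access_token": IDP_ACCESS_TOKEN, "token_type": "Bearer"})


def fake_keystone_federation_auth(headers):
    """Keystone (via mod_auth_openidc in a real deployment) checks the bearer token and mints a token."""
    if headers.get("Authorization") != "Bearer " + IDP_ACCESS_TOKEN:
        return FakeResponse(401, body={"error": {"message": "Unauthorized"}})
    return FakeResponse(201, headers={"X-Subject-Token": KEYSTONE_SUBJECT_TOKEN},
                        body={"token": {"methods": ["openid"]}})


def fake_post(url, headers=None, data=None):
    """Routes a POST to one of the two stand-in servers."""
    headers = headers or {}
    if url == IDP_TOKEN_ENDPOINT:
        return fake_idp_token_endpoint(headers, data or "")
    if url.startswith(KEYSTONE_AUTH_URL + "/OS-FEDERATION/"):
        return fake_keystone_federation_auth(headers)
    return FakeResponse(404)


# --- client side: the v3oidcpassword flow in outline -------------------------
def oidc_password_login(post, auth_url, identity_provider, protocol,
                        access_token_endpoint, client_id, client_secret,
                        username, password, scope="openid profile"):
    """Return keystone's X-Subject-Token, or fail early naming every missing option."""
    required = {"client_id": client_id, "client_secret": client_secret,
                "username": username, "password": password}
    missing = [name for name, value in required.items() if not value]
    if missing:
        raise ValueError("v3oidcpassword requires: " + ", ".join(missing))

    # Step 1: OAuth2 password grant at the IdP; client credentials as Basic auth.
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    r = post(access_token_endpoint,
             headers={"Authorization": "Basic " + basic,
                      "Content-Type": "application/x-www-form-urlencoded"},
             data=urlencode({"grant_type": "password", "username": username,
                             "password": password, "scope": scope}))
    if r.status != 200:
        raise RuntimeError(f"IdP refused the password grant: {r.body}")

    # Step 2: present the access token as a bearer token to keystone's
    # federated auth URL; the keystone token comes back in X-Subject-Token.
    fed_url = (f"{auth_url}/OS-FEDERATION/identity_providers/{identity_provider}"
               f"/protocols/{protocol}/auth")
    r = post(fed_url, headers={"Authorization": "Bearer " + r.body["access_token"]})
    if r.status != 201:
        raise RuntimeError(f"keystone refused federated auth: {r.body}")
    return r.headers["X-Subject-Token"]


if __name__ == "__main__":
    print(oidc_password_login(fake_post, KEYSTONE_AUTH_URL, "keycloak", "openid",
                              IDP_TOKEN_ENDPOINT, "openstack-cli",
                              "constructed-client-secret", "fabian",
                              "constructed-user-password"))
```

The `post` parameter is the only seam: swap `fake_post` for a real HTTP call and the same two steps run against an actual keycloak and keystone. Keeping the required-option check in front of any network traffic is what turns an opaque failure at the token endpoint into a message that names the missing `client_id`.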
participants (3)
- Brandon Sawyers
- Colleen Murphy
- Fabian Zimmermann