Open Stack

Forwarding back to list

On Mon, Feb 11, 2019, at 5:11 PM, Blake Covarrubias wrote:
> > On Feb 11, 2019, at 6:19 AM, Colleen Murphy <colleen at gazlene.net> wrote:
> > 
> > Hi Fabian,
> > 
> > On Mon, Feb 11, 2019, at 12:58 PM, Fabian Zimmermann wrote:
> >> Hi,
> >> 
> >> Im currently trying to implement some way to do a SSO against our 
> >> ActiveDirectory. I already tried SAMLv2 and OpenID Connect.
> >> 
> >> Im able to sign in via Horizon, but im unable to find a working way on cli.
> >> 
> >> Already tried v3adfspassword and v3oidcpassword, but im unable to get 
> >> them working.
> >> 
> >> Any hints / links / docs where to find more information?
> >> 
> >> Anyone using this kind of setup and willing to share KnowHow?
> >> 
> >> Thanks a lot,
> >> 
> >> Fabian Zimmermann
> > 
> > We have an example of authenticating with the CLI here:
> > 
> > https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html#authenticating
> > 
> > That only covers the regular SAML2.0 ECP type of authentication, which I guess won't work with ADFS, and we seem to have zero ADFS-specific documentation.
> > 
> > From the keystoneauth plugin code, it looks like you need to set identity-provider-url, service-provider-endpoint, service-provider-entity-id, username, password, identity-provider, and protocol (I'm getting that from the loader classes[1][2]). Is that the information you're looking for, or can you give more details on what specifically isn't working?
> > 
> > Colleen
> > 
> > [1] http://git.openstack.org/cgit/openstack/keystoneauth/tree/keystoneauth1/loading/identity.py#n104
> > [2] http://git.openstack.org/cgit/openstack/keystoneauth/tree/keystoneauth1/extras/_saml2/_loading.py#n45
> > 
> 
> Fabian,
> 
> To add a bit more info, the AD FS plugin essentially uses IdP-initiated 
> sign-on. The identity provider URL is where the initial authentication 
> request to AD FS will be sent. An example of this would be 
> https://HOSTNAME/adfs/services/trust/13/usernamemixed 
> <https://hostname/adfs/services/trust/13/usernamemixed>. The service 
> provider’s entity ID must also be sent in the request so that AD FS 
> knows which Relying Party Trust to associate with the request.
> 
> AD FS will provide a SAML assertion upon successful authentication. The 
> service provider endpoint is the URL of the Assertion Consumer Service. 
> If you’re using Shibboleth on the SP, this would be 
> https://HOSTNAME/Shibboleth.sso/ADFS 
> <https://hostname/Shibboleth.sso/ADFS>.
> 
> Note: The service-provider-entity-id can be omitted if it is the same 
> value as the service-provider-endpoint (or Assertion Consumer Service 
> URL).
> 
> Hope this helps.
> 
> —
> Blake Covarrubias
>