[Openstack] Openstack login via SimpleSamlPHP (LDAP, OAuth, OpenID, etc..)

Adam Young ayoung at redhat.com
Tue Aug 6 13:34:27 UTC 2013

On 08/06/2013 08:37 AM, Rok Kralj wrote:
> As far as I know, the ability to log in to OpenStack via arbitrary 
> Identity Provider (IdP) is a widely desired feature. Therefore, we 
> have decided to integrate Keystone & Horizon with *Simple Saml PHP*,

Why PHP?  This is a very interesting approach, but the multi-language 
thing makes it a non-starter for upstream integration.

> since it provides a lot of AUTH sources (aka. IdPs), for example LDAP, 
> database, facebook, etc... Check out our effort in this short video 
> (40s):
> http://www.youtube.com/watch?v=qmJAumoh4U8

A video is really not the way to present this to the OpenStack 
community. A clear write-up is preferred.  PDFs make it hard to 
comment.  What is not clear from the document is if you are using the 
Keystone Identity with SAML, instead of Keystone tokens, or if you are 
integrating with some other IdP.

> For more, the instructions and a short introduction is available in 
> the attached readme.pdf.

I've inlined it here:

You are about to set up OpenStack as a Service provider. This is going 
to enable you to make a single sign-on service and log users in to 
Horizon, the OpenStack dashboard, in a seamless way.

Estimated deployment duration: 10-25 minutes (depends on many factors)

The module functionality

Basically, the module works like this:

1. Present the user with the available Identity providers. Let the user 
   choose one.
2. If the user doesn't yet have an account in Keystone, register it. Map 
   the user to the appropriate tenant, depending on the auth source and 
   IdP attributes. This enables you, for example, to give demo accounts 
   to random Facebook users and full-fledged accounts to the people 
   listed in your company's LDAP, etc.
3. Seamlessly log the user in to the Horizon web dashboard.

Deployment at the SimpleSamlPHP side

1. First, you have to extract the ssp.tar.gz archive to a location which 
   is publicly accessible via your web server of choice. A good example 
   might be /var/www/login, but you can choose anything.
2. Next, you have to open the config.php file, where all configurable 
   options reside.
   - The first and most important config option is sspPath; this is the 
     relative (or absolute) path to the lib/_autoload.php file in your 
     SSP installation.

         const sspPath = '../simplesamlphp-1.11.0/lib/_autoload.php';

   - The module also has to know about the user and admin Keystone API 
     endpoints. They usually reside on different ports on the same host.

         const adminUrl = 'http://localhost:35357/v2.0/';
         const userUrl = 'http://localhost:5000/v2.0/';

   - Point the module to the Horizon dashboard. The redirect and 
     auto-login will be made to this URL.

         const horizon = 'http://localhost/auth/login/';

   - Last but not least, you have to supply the Keystone AUTH token 
     secret. You can find it in Keystone's configuration file.

         const secret = '65e005728156f456cf20';

3. As you probably noticed, not only the Config class resides in 
   config.php. There is also a Mapper class, which contains functions 
   named after the auth sources. Using these functions, you can decide 
   how you want to map IdP attributes to user names. Functions accept 
   one parameter (the IdP attribute hash) and return a 3-tuple in the 
   form (username, email, default tenant). An example you might use for 
   LDAP is below:

         function example_ldap($attr) {
             return [ $attr['uid'][0], $attr['mail'][0], 'admin' ];
         }

4. Lastly, you are free to modify index.php to your liking. You can 
   customise it with your company's logo or give it a design overhaul, 
   if you wish.

Deployment at the Horizon side

1. Overwrite /usr/lib/python2.7/dist-packages/openstack_auth/views.py 
   with the file provided in our archive. It is advised to keep a backup 
   of the old file, if you want to restore the old functionality.
2. Append the logout callback URL to the openstack_dashboard/settings.py 
   configuration file.

         SSP_LOGOUT_URL = 'http://localhost/login/logout.php'

> Feedback is really appreciated.

This is a neat concept, but it lacks some context.

> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
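The provisioning flow that the inlined readme describes in steps 2 and 3 of "The module functionality" (run the Mapper function for the auth source that authenticated the user, create the Keystone account on first login, place it in the mapped tenant), written out as an added Python example. This is not code from the SimpleSamlPHP module or from OpenStack; Keystone is replaced by an in-memory stand-in for the v2.0 admin API the module reaches through adminUrl with the secret in X-Auth-Token, so the flow runs offline. The mapper names, attribute keys ("facebook_id", "email"), the "employees" and "demo" tenants and the "_member_" role are assumptions. The auto-login into Horizon (step 3) is not modelled, since the readme does not describe how it is done.

```python
"""Mapping IdP attributes to a Keystone identity and provisioning it.

Added example, not the SimpleSamlPHP module's code. Models the readme's
steps 2 and 3: run the Mapper for the auth source, make sure the user
exists in Keystone and holds a role in the mapped tenant.
InMemoryKeystone stands in for the Keystone v2.0 admin API; mapper
names, attribute keys, tenant and role names are assumptions.
"""
import re
from dataclasses import dataclass, field

# User names come straight from the IdP; constrain them before they
# become Keystone identities.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


# --- Mapper: one function per auth source, returning (username, email, tenant)

def map_ldap(attr):
    # People in the company LDAP get a real tenant ("employees" is assumed).
    return attr["uid"][0], attr["mail"][0], "employees"


def map_facebook(attr):
    # Random Facebook users only get the demo tenant. The "fb-" prefix keeps an
    # external account from colliding with, and so taking over, an LDAP uid.
    # "facebook_id" and "email" are assumed attribute names.
    return "fb-" + attr["facebook_id"][0], attr.get("email", [""])[0], "demo"


MAPPERS = {"example_ldap": map_ldap, "facebook": map_facebook}


@dataclass
class InMemoryKeystone:
    """Stand-in for the Keystone v2.0 admin API. Tenants are pre-created by
    the operator; the login flow may only look them up."""
    tenants: dict = field(default_factory=dict)  # tenant name -> tenant id
    users: dict = field(default_factory=dict)    # user name -> user record
    roles: set = field(default_factory=set)      # (tenant_id, user_id, role)
    counter: int = 0

    def get_tenant(self, name):
        return self.tenants.get(name)

    def get_user(self, name):
        return self.users.get(name)

    def create_user(self, name, email, tenant_id):
        self.counter += 1
        user = {"id": f"u{self.counter}", "name": name, "email": email,
                "tenantId": tenant_id}
        self.users[name] = user
        return user

    def add_role(self, tenant_id, user_id, role):
        self.roles.add((tenant_id, user_id, role))


def provision(source, attr, keystone, role="_member_"):
    """Map the attributes of an authenticated user, create the Keystone user
    on first login and grant `role` in the mapped tenant. Idempotent, so it
    can run on every login. Every failure raises PermissionError (fail closed)."""
    mapper = MAPPERS.get(source)
    if mapper is None:
        raise PermissionError(f"no Mapper for auth source {source!r}")
    try:
        username, email, tenant_name = mapper(attr)
    except (KeyError, IndexError) as exc:
        raise PermissionError(f"IdP did not supply required attribute: {exc}")

    if not USERNAME_RE.match(username):
        raise PermissionError(f"refusing to provision unsafe username {username!r}")

    tenant_id = keystone.get_tenant(tenant_name)
    if tenant_id is None:
        # Tenants are created by the operator, never by a login.
        raise PermissionError(f"mapped tenant {tenant_name!r} does not exist")

    user = keystone.get_user(username)
    if user is None:
        user = keystone.create_user(username, email, tenant_id)
    keystone.add_role(tenant_id, user["id"], role)
    return user


if __name__ == "__main__":
    ks = InMemoryKeystone(tenants={"employees": "t-emp", "demo": "t-demo"})
    print(provision("example_ldap", {"uid": ["alice"], "mail": ["alice@example.com"]}, ks))
    print(provision("facebook", {"facebook_id": ["1234"]}, ks))
```

Two points a deployer should weigh against the readme: the example mapper there returns 'admin' as the default tenant for every LDAP user, whereas here LDAP users land in an ordinary tenant and the tenant must already exist, so a mapping mistake cannot create or widen access on its own; and the `secret` in config.php is Keystone's admin token from keystone.conf, which authorises every call on the admin endpoint, so the host running the PHP module must be trusted to the same degree as Keystone itself.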
