TripleO environment and Federation using ECP

It is also possible to use the Federated Identity feature without a browser: this is done through the SAML2 ECP (Enhanced Client or Proxy) profile.

The previous post on TripleO and Federation did not cover the ECP part. Using the same deployment as in that post, ECP can be made to work with just a few additions.

First of all, we need to edit the /etc/httpd/conf.d/shib.conf file and add the following:

<Location /v3/OS-FEDERATION/identity_providers/testshib/protocols/saml2/auth>  
  ShibRequestSetting requireSession 1
  AuthType shibboleth
  ShibExportAssertion Off
  Require valid-user
</Location>  
  • NOTE: the configuration above will only handle requests for the testshib identity provider.

Then we need to enable ECP handling in the /etc/shibboleth/shibboleth2.xml file by adding ECP="true" to the SSO entry:

<SSO ECP="true" entityID="https://idp.testshib.org/idp/shibboleth">  
  SAML2 SAML1
</SSO>  

Finally, we are able to use openstackclient to retrieve a token:

$ openstack --os-auth-type v3unscopedsaml --os-identity-provider testshib --os-identity-provider-url https://idp.testshib.org/idp/profile/SAML2/SOAP/ECP --os-username myself --os-password myself --os-project-name admin --os-project-domain-name Default --os-auth-url http://$CONTROLLER_HOST:5000/v3 --os-protocol saml2

This opens the interactive prompt, where we can type token issue to retrieve a token:

(openstack) token issue
+---------+-------------------------------------------------------------------------------------------------------------------------------------------------+
| Field   | Value                                                                                                                                           |
+---------+-------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2016-08-03T22:35:52.276633Z                                                                                                                     |
| id      | gAAAAABXomO4RoHcwGXxaakxWWPT-O38xfomAarUiORazXm-wIxOBb3LPEAUdb4hsa-Jf2PR3VNn6r_z2AzkOdrHje-QJvlBym8opGbEaSSUKanfUXCjhqzdFzpAl5g-                |
|         | f6K4U600u7DKTZQVuqfBgZi-WnOlqszZuPpGoeyxkwMJSYM2Rc2DukwuFATu_Wrz8ZMwqXIJE_0w                                                                    |
| user_id | 19a9a54d10ac4559a5bbe99a5e07c548                                                                                                                |
+---------+-------------------------------------------------------------------------------------------------------------------------------------------------+

You may notice that we used a lot of different parameters above; the most important ones are:

  • --os-auth-type: defines the authentication plugin to be used, here we are using the v3unscopedsaml one, which returns an unscoped token using the SAML2 ECP workflow.

  • --os-identity-provider: the identity provider ID.

  • --os-identity-provider-url: the identity provider URL that will handle the ECP request. It can be found in TestShib's metadata file.

  • --os-protocol: the protocol ID.
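The --os-identity-provider-url value is the IdP's SingleSignOnService entry with the SAML 2.0 SOAP binding. As an added example (not code from the original post), the script below pulls that URL out of the IdP metadata, checks that the metadata's entityID matches the one configured in shibboleth2.xml, and refuses a non-HTTPS endpoint, since the client authenticates to that URL with the user's password. The metadata is a constructed, trimmed sample; the HTTP-Redirect location in it is made up.

```python
"""Locate the SAML2 ECP endpoint in an IdP metadata document."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

# Constructed, cut-down metadata: real TestShib metadata also carries
# certificates and many more endpoints. The Redirect/SSO URL is made up.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.testshib.org/idp/shibboleth">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.testshib.org/idp/profile/SAML2/SOAP/ECP"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def ecp_endpoint(metadata_xml, expected_entity_id):
    """Return the SOAP-binding (ECP) SSO URL for the expected IdP.

    Raises ValueError when the metadata describes a different entity,
    is not an IdP, has no ECP endpoint, or offers it over plain http.
    """
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    if entity_id != expected_entity_id:
        raise ValueError("metadata is for %r, expected %r"
                         % (entity_id, expected_entity_id))
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not an identity provider")
    for sso in idp.findall("md:SingleSignOnService", NS):
        if sso.get("Binding") == SOAP_BINDING:
            url = sso.get("Location")
            # The ECP client sends the user's credentials here: require TLS.
            if urlparse(url).scheme != "https":
                raise ValueError("ECP endpoint is not https: %r" % url)
            return url
    raise ValueError("IdP metadata has no SOAP (ECP) SingleSignOnService")


if __name__ == "__main__":
    print(ecp_endpoint(SAMPLE_METADATA,
                       "https://idp.testshib.org/idp/shibboleth"))
```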

Some of the parameters also don't seem necessary, such as --os-project-name: since we are not scoping the token, why do we need a scope? It looks like something wonky in the authentication plugin.

Now we can use the v3scopedsaml plugin to scope the token obtained above:

$ openstack --os-auth-type v3scopedsaml --os-project-id 759684b0331d417a87daacfe9c77e7db --os-auth-url http://$CONTROLLER_HOST:5000/v3 --os-token gAAAAABXomO4RoHcwGXxaakxWWPT-O38xfomAarUiORazXm-wIxOBb3LPEAUdb4hsa-Jf2PR3VNn6r_z2AzkOdrHje-QJvlBym8opGbEaSSUKanfUXCjhqzdFzpAl5g-f6K4U600u7DKTZQVuqfBgZi-WnOlqszZuPpGoeyxkwMJSYM2Rc2DukwuFATu_Wrz8ZMwqXIJE_0w

(openstack) token issue
+------------+----------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                        |
+------------+----------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2016-08-03T22:37:26.144025Z                                                                                                                  |
| id         | gAAAAABXomQWal8Zv_qAqxbell9eEnrzKHV4qYTS5qWIZYg4SEfRxC8qyGyX4iibPup8RGtSKHUtmxEzu-Wa8bblp1-9qb4fs8OPJSDdooXD02j4mrs6NsdezuS-                 |
|            | KNERyWO4WICjGAWdmf52HBnMtQxuhXbfBRjAAU2x41DqAnfh7MkU7m5yTOOe4t61Kxckt-jTZWAhNoWrWu8Rq0ApJKDOgfejIEjnRQ                                       |
| project_id | 759684b0331d417a87daacfe9c77e7db                                                                                                             |
| user_id    | 19a9a54d10ac4559a5bbe99a5e07c548                                                                                                             |
+------------+----------------------------------------------------------------------------------------------------------------------------------------------+