Copyright notice: this article may be reproduced freely; when reproducing it, please mark the original source and author with a hyperlink and keep this notice (author: 张华, published 2019-03-11)

Keystone Federation overview

Security Assertion Markup Language (SAML) is a protocol that allows a user to use Single Sign On (SSO) with an Identity Provider (IDP) and a Service Provider (SP). When a user logs in, they give their credentials to the IDP. The IDP checks their credentials and a SAML Assertion with the user’s attributes is created. That assertion is then passed to the SP and the SP verifies that it was sent by the IDP. Since the SP trusts assertions from the IDP, the user never has to send their credentials to the SP.

  • Service Provider (SP): only provides the service and relies on the IdP to authenticate users. The SP consumes data produced by the IdP, so the SP has to trust the IdP.
  • Identity Provider (IdP): the asserting party; it authenticates the user and issues the assertion.
  • Assertion Protocol: the protocol the Service Provider and the Identity Provider use to complete user authentication. Common choices are SAML 2.0 (via the mod_auth_mellon or Shibboleth Apache modules), OpenID Connect, X.509 and Kerberos. When Keystone is the SP the protocol is handled by the Apache module in front of it (SAML 2.0 via mod_shib or mod_auth_mellon, OpenID Connect via mod_auth_openidc as in the appendix); when Keystone is the IdP it only issues SAML 2.0 assertions.

Icehouse added support for Keystone as a Service Provider, and Juno added Keystone as an Identity Provider. In most deployments Keystone is the SP and is wired up to some other Identity Provider. With Keystone Federation an enterprise can connect its existing identity management platform to the OpenStack cloud: the user records stay in the enterprise user-management system (the IdP), and OpenStack as the SP creates a corresponding mapping for each IdP user (a so-called shadow user, which of course carries no password) and places it in a user group that already exists in Keystone; the role assignments of that group are what control the federated user's permissions.
In the implementation Keystone itself does very little: it has to support an external, password-less authentication path through Apache in which the auth module sets REMOTE_USER (or, for federation, the mapped attributes). The actual authentication of the user is done by the web server auth module, and Keystone is configured to consume what that module exports.

SAML theory



Typical SAML flows come in the two kinds shown in the two figures above:

  • Redirect binding: initiated by the user. The SP and the IdP establish trust by exchanging metadata, and the SP decides whether to serve the user solely on the IdP's assertion.
  • Artifact binding: the SP side understands the SAML protocol itself (e.g. keystone as the SP can explicitly set ECP="true" in the Shibboleth SSO element). Note that the ECP flow used later on this page is carried over the PAOS binding (the urn:oasis:names:tc:SAML:2.0:bindings:PAOS AssertionConsumerService shown in the SP metadata below), not the artifact binding.

OpenStack SAML flow

Note: the following content comes from http://www.gazlene.net/demystifying-keystone-federation.html ; it is copied here in case that page goes offline, hopefully without infringing.
1, The normal keystone flow:

In a normal keystone flow, the user requests a scoped token directly from keystone. Keystone accepts their credentials and checks them against its local storage or against its LDAP backend. Then it checks the scope that the user is requesting, ensuring they have the correct role assignments, and produces a scoped token. The user can use the scoped token to do something else in OpenStack, like request servers, but everything that happens after the token is produced is irrelevant to this discussion.

2, SAML 2.0 WebSSO flow

WebSSO is one of a few SAML profiles. It is entirely based on the idea that a web browser will be acting as an intermediary and so the whole flow involves things that a browser can understand, like HTTP redirects and HTML forms.
First, the user uses their web browser to request some secure resource from the Service Provider. The Service Provider detects that the user isn’t authenticated yet, so it generates a SAML Request which it base64 encodes, and then issues an HTTP redirect to the Identity Provider.
The browser follows the redirect and presents the SAML Request to the Identity Provider. The user is prompted to authenticate, probably by filling out a username and password in a login page. The Identity Provider responds with an HTTP success and generates a SAML Response with an HTML form.
The browser automatically POSTs the form back to the Service Provider, which validates the SAML Response. The Service Provider finally issues another redirect back to the original resource the user had requested.

3, SAML 2.0 ECP flow

ECP is another SAML profile. Generally the flow is similar to the WebSSO flow, but it is designed for a client that natively understands SAML, for example the keystoneauth library (and therefore also the python-openstackclient CLI tool). I call out ECP specifically because it is slightly different from the browser-based flow, and so while it is often tempting to, during debugging, drop down to the shell and try to get things working from there, they are different enough that getting one working does not necessarily mean the other works. They could also both be broken but for different reasons. For instance, ECP support must often be turned on explicitly in the Identity Provider, so if your identity management team has not enabled it, it will not work and therefore not get you any closer to understanding why your browser flow is broken.

4, WebSSO with keystone and horizon

When we apply WebSSO to keystone using an external Identity Provider, things get a little more complicated. Keystone is still the Service Provider, but keystone is not a web front-end. This means we need to teach horizon how to handle some parts of being a Service Provider.
In the diagram above, in addition to adding horizon into the mix, I’ve split out keystone and Apache from each other to distinguish which parts each are in charge of, even though we would typically refer to both of them together as the Service Provider.
In this model, the user requests to log in to horizon by selecting a federated authentication method from a dropdown menu. Horizon automatically generates a keystone URL based on the Identity Provider and protocol selected and redirects the browser to keystone. That location is equivalent to the /secure resource in the SAML2.0 WebSSO diagram. The browser follows the redirect, and the Apache module detects that the user isn’t logged in yet and issues another redirect to the Identity Provider with a SAML Request. At this point, the flow is the same as in the normal WebSSO model. The user logs into the Identity Provider, a SAML Response is POSTed back to the Service Provider, where the Apache module validates the response and issues a redirect back to the location that horizon had originally requested, which is a special federation auth endpoint. At this point keystone is able to grant an unscoped token, which it hands off as another HTML form. The browser will POST that back to horizon, which triggers the normal login process, picking a project to scope to and getting a scoped token from keystone.
Note that here, horizon is acting as a middle-man for us, since it knows the endpoint of the secure resource it requests from keystone.
5, keystone-to-keystone flow

When keystone is used as an Identity Provider, the auth flow is pretty unique. It doesn’t follow any of the SAML standards, though you could say it’s similar to an IdP-initiated auth flow. In this case, the user goes directly to the Identity Provider first before requesting any resource from the Service Provider. The user will get a token from keystone, then use that to request a SAML Response via ECP. When it gets that response back, it POSTs that to the Service Provider, which will grant a token for it.

Notice that the Service Provider has to accept data from the Identity Provider and therefore needs to have a way of trusting it. The Identity Provider, on the other hand, never has to accept data from the Service Provider. There is no back and forth, the user simply completes the auth process on one side and presents the result to the other side.

keystone-to-keystone federation example

Environment: two OpenStack deployments:
queens-sp 10.5.0.25
queens-idp 10.5.0.64 idp.keystone.demo

keystone-to-keystone federation example - setting up the SP

1, Create the mapping and the related openstack objects

# Create a mapping with a single rule that maps the allowed remote users to a local (shadow) user
# in one group on the SP keystone.
# The rule evaluates the openstack_user attribute that the HTTPD auth module (mod_shib) exports from
# the IdP's assertion and uses it as the local user name; {0} in the local section refers to the
# first direct-mapped remote entry.
# NOTE: keystone does not direct-map a remote entry that carries any_one_of or not_any_of (those are
# filters only), so {0} needs the plain {"type": "openstack_user"} entry placed before the filter.
# refer https://ibm-blue-box-help.github.io/help-documentation/keystone/saml-federation/
cat > /tmp/rules.json <<EOF
[{"local": [{"user": {"name": "{0}"}, "group": {"domain": {"name": "federated_domain"}, "name": "federated_group"}}],
  "remote": [{"type": "openstack_user"}, {"type": "openstack_user", "any_one_of": ["demo", "admin"]}]}
]
EOF
# Keystone Federation works by federating IdP users into a group on the SP; the group's role
# assignments are all the federated user gets.
# saml2 is listed here - http://git.openstack.org/cgit/openstack/keystone/tree/setup.cfg?h=12.0.0#n100
# Variant for an external SAML IdP (samltest.id), kept for comparison:
#curl -s https://samltest.id/saml/idp | grep -o 'entityID=".*"'
#openstack identity provider create --remote-id https://samltest.id/saml/idp samltest
#openstack mapping create --rules /tmp/rules.json samltest_mapping
#openstack federation protocol create saml2 --mapping samltest_mapping --identity-provider samltest

# --remote-id must be exactly the entityID from the IdP metadata: keystone compares it with the
# Shib-Identity-Provider value that mod_shib sets.
openstack identity provider create --remote-id http://idp.keystone.demo/v3/OS-FEDERATION/saml2/idp keystoneidp
#openstack identity provider set --remote-id http://idp.keystone.demo/v3/OS-FEDERATION/saml2/idp keystoneidp
openstack mapping create --rules /tmp/rules.json k2kmap
openstack mapping show k2kmap -f json
#openstack mapping set k2kmap --rules newmappings.json   # to update the rules later
openstack federation protocol create --identity-provider keystoneidp --mapping k2kmap saml2

openstack domain create federated_domain
openstack project create federated_project --description "federation project" --domain federated_domain
openstack group create federated_group --domain federated_domain
openstack role list
openstack role add --group federated_group --group-domain federated_domain --project federated_project Member
#openstack role remove --group federated_group --group-domain federated_domain --project federated_project Member
# only needed for a domain-scoped token
#openstack role add --group federated_group --group-domain federated_domain --domain federated_domain Member
openstack role assignment list --group federated_group --group-domain federated_domain --names
openstack role assignment list --project federated_project --names

# A local (non-federated) user in the same group, to verify the role assignments independently of federation
openstack user create --email testuser_local@example.com testuser_local --password openstack --domain federated_domain
openstack group add user federated_group testuser_local --group-domain federated_domain --user-domain federated_domain
openstack group contains user federated_group testuser_local --group-domain federated_domain --user-domain federated_domain
unset OS_SERVICE_TOKEN
export OS_USERNAME=testuser_local
export OS_PASSWORD=openstack
export OS_AUTH_URL=http://sp.keystone.demo:5000/v3
export OS_PROJECT_NAME=federated_project
export OS_USER_DOMAIN_NAME=federated_domain
export OS_PROJECT_DOMAIN_NAME=federated_domain
export OS_IDENTITY_API_VERSION=3
openstack token issue
openstack project list
openstack --os-username=testuser_local --os-project-name=federated_project --os-user-domain-name federated_domain --os-project-domain-name=federated_domain --os-auth-url=http://sp.keystone.demo:5000/v3 --os-password=openstack --os-identity-api-version=3 project list
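The rules file is where the security boundary of federation actually lives: whatever the IdP asserts, only what the mapping turns into a local user and group ever gets a role. The Python below is an added example, not keystone's own code; it re-implements rule evaluation the way this example reads keystone.federation.utils.RuleProcessor, and the assertion dictionaries are constructed. It shows the direct-mapping caveat in action: a rule whose only remote entry is an any_one_of filter has nothing for {0} to refer to and fails with a direct-mapping error, while the two-entry form maps demo to the shadow user in federated_group and rejects a user outside the allow list.

```python
"""Added example: a re-implementation of keystone's mapping-rule evaluation
(this example's reading of keystone.federation.utils.RuleProcessor, not
keystone's own code).

* remote entries are checked in order against the attributes exported by the
  Apache auth module (here: openstack_user from mod_shib);
* an entry with any_one_of / not_any_of is a filter only: it must match but it
  is NOT direct-mapped, so it never feeds a {n} placeholder;
* plain entries (optionally with blacklist/whitelist) are direct-mapped in
  order: {0} is the first plain entry, {1} the second, and so on.
"""
import re


class DirectMappingError(Exception):
    """A {n} placeholder in the local section has no direct-mapped value."""


def _values(assertion, attr):
    """Attribute values as a list; mod_shib joins multi-valued ones with ';'."""
    raw = assertion.get(attr)
    if not raw:
        return None
    return raw.split(";") if isinstance(raw, str) else list(raw)


def _any_match(patterns, values, regex):
    if regex:
        return any(re.search(p, v) for p in patterns for v in values)
    return any(v in patterns for v in values)


def _direct_maps(remote, assertion):
    """Return the direct-map list, or None if any remote entry fails."""
    maps = []
    for entry in remote:
        values = _values(assertion, entry["type"])
        if not values:
            return None
        regex = entry.get("regex", False)
        if "any_one_of" in entry:
            if not _any_match(entry["any_one_of"], values, regex):
                return None
            continue  # filter only, not direct-mapped
        if "not_any_of" in entry:
            if _any_match(entry["not_any_of"], values, regex):
                return None
            continue  # filter only, not direct-mapped
        if "blacklist" in entry:
            values = [v for v in values if v not in entry["blacklist"]]
        elif "whitelist" in entry:
            values = [v for v in values if v in entry["whitelist"]]
        maps.append(values[0] if len(values) == 1 else values)
    return maps


def _render(obj, maps):
    """Substitute {n} placeholders throughout the local section."""
    if isinstance(obj, dict):
        return {k: _render(v, maps) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_render(v, maps) for v in obj]
    if isinstance(obj, str):
        try:
            return obj.format(*maps)
        except IndexError:
            raise DirectMappingError(f"nothing to direct-map into {obj!r}")
    return obj


def apply_mapping(rules, assertion):
    """Identity {'user': ..., 'groups': [...]} for the first matching rule, else None."""
    for rule in rules:
        maps = _direct_maps(rule["remote"], assertion)
        if maps is None:
            continue
        identity = {"user": None, "groups": []}
        for item in _render(rule["local"], maps):
            if "user" in item:
                identity["user"] = item["user"]
            if "group" in item:
                identity["groups"].append(item["group"])
        return identity
    return None


LOCAL = [{"user": {"name": "{0}"},
          "group": {"domain": {"name": "federated_domain"},
                    "name": "federated_group"}}]

# The only remote entry is a filter: nothing is direct-mapped for {0}.
FILTER_ONLY_RULES = [{"local": LOCAL, "remote": [
    {"type": "openstack_user", "any_one_of": ["demo", "admin"]}]}]

# Same intent with a plain openstack_user entry in front for {0}.
FIXED_RULES = [{"local": LOCAL, "remote": [
    {"type": "openstack_user"},
    {"type": "openstack_user", "any_one_of": ["demo", "admin"]}]}]


def demo():
    # Constructed assertion: what mod_shib exports once the keystone IdP has
    # authenticated the user "demo".
    shib_env = {"openstack_user": "demo", "openstack_roles": "Member"}
    try:
        apply_mapping(FILTER_ONLY_RULES, shib_env)
        broken = "mapped"
    except DirectMappingError:
        broken = "DirectMappingError"
    fixed = apply_mapping(FIXED_RULES, shib_env)
    rejected = apply_mapping(FIXED_RULES, {"openstack_user": "mallory"})
    return broken, fixed, rejected


if __name__ == "__main__":
    print(demo())
```

The engine stops at the first rule whose remote section matches, so ordering rules from most to least specific matters; a user that matches no rule gets no identity at all, which is the intended failure mode.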

2, Enable WebSSO in horizon

# Enable WebSSO in horizon to support a federated login; this adds a dropdown menu for the user to select how to authenticate.
# https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html#configuring-horizon-as-a-websso-frontend
juju ssh openstack-dashboard/0
sudo bash -c 'cat >>/etc/openstack-dashboard/local_settings.py' <<EOF
WEBSSO_ENABLED = True
# the key "saml2" must be the federation protocol name created on the keystone SP above
WEBSSO_CHOICES = (("credentials", _("Keystone Credentials")), ("saml2", _("Keystone-to-keystone SAML2")),)
# must be one of the WEBSSO_CHOICES keys
WEBSSO_INITIAL_CHOICE = "credentials"
OPENSTACK_API_VERSIONS = {"identity": 3}
OPENSTACK_KEYSTONE_URL = "http://sp.keystone.demo:5000/v3"
EOF
service apache2 restart

Note: the saml2 key above must be the protocol name saml2 defined earlier; with any other name (k2k here) keystone has no matching config group and logs:
(keystone.federation.utils): 2019-03-12 02:08:35,403 DEBUG Cannot find "remote_id_attribute" in configuration group k2k. Trying default location in group federation.
3, Apache configuration

# Configure the protected URIs - https://docs.openstack.org/keystone/latest/admin/federation/shibboleth.html
# NOTE: if keystone is served under a virtual path such as /identity, the URIs below need the /identity prefix.
# If mod_proxy is used, e.g. to proxy /identity to keystone's uWSGI service, the Shibboleth handler has to be
# excluded from proxying with a line such as:
#   ProxyPass /Shibboleth.sso !
sudo bash -c 'cat >>/etc/apache2/sites-available/keystone.conf' <<EOF
<Location /Shibboleth.sso>
    SetHandler shib
</Location>
<Location /v3/auth/OS-FEDERATION/websso/saml2>
    AuthType shibboleth
    Require valid-user
    ShibRequestSetting requireSession 1
    ShibExportAssertion Off
</Location>
<Location ~ "/v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth">
    AuthType shibboleth
    Require valid-user
    ShibRequestSetting requireSession 1
    ShibExportAssertion Off
</Location>
<Location ~ "/v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/saml2/websso">
    AuthType shibboleth
    Require valid-user
    ShibRequestSetting requireSession 1
    ShibExportAssertion Off
</Location>
EOF
# The virtual host also needs an alias so that the regex-protected auth path reaches keystone's WSGI entry point:
<VirtualHost *:5000>
    ...
    WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /usr/bin/keystone-wsgi-public/$1
    ...
</VirtualHost>
systemctl reload apache2

4, Configure mod_shib and the metadata

# First create a key pair for Shibboleth to use (/etc/shibboleth/sp-key.pem and sp-cert.pem)
shib-keygen -y 10
sudo a2enmod shib2
# Update /etc/shibboleth/shibboleth2.xml to point at the right IdP and fetch its metadata.
# ECP="true" is what makes the SP advertise the PAOS endpoint used by the CLI flow.
<ApplicationDefaults entityID="http://sp.keystone.demo/shibboleth">
...
<SSO ECP="true" entityID="http://idp.keystone.demo/v3/OS-FEDERATION/saml2/idp">SAML2 SAML1</SSO>
...
<MetadataProvider type="XML" uri="http://idp.keystone.demo/saml2_idp_metadata.xml" />
<!--
<MetadataProvider type="XML" file="/etc/shibboleth/saml2_idp_metadata.xml" />
-->
# NOTE: the metadata carries the IdP signing certificate the SP will trust; fetching it over plain http lets
# anyone on the path substitute that certificate. Use https, or the file variant with a verified copy, outside a lab.
# Also remove the REMOTE_USER attribute from ApplicationDefaults in shibboleth2.xml, since it implies external
# authentication on keystone (keystone should consume the mapped attributes instead). The default value contains
# spaces and hyphens, so match up to the closing quote:
sudo sed -r 's/ REMOTE_USER="[^"]*"//' -i /etc/shibboleth/shibboleth2.xml
# Then restart shibd to finish configuring shibboleth2.xml
systemctl restart shibd

5, Configure allowed attributes

# Configure the allowed attributes in /etc/shibboleth/attribute-map.xml
# By default mod_shib does not pass the attributes received from the IdP through to keystone; add the ones the
# keystone IdP emits (the name must match the SAML attribute name in the assertion, the id is the variable mod_shib sets):
<Attribute name="openstack_user" id="openstack_user"/>
<Attribute name="openstack_roles" id="openstack_roles"/>
<Attribute name="openstack_project" id="openstack_project"/>
<Attribute name="openstack_user_domain" id="openstack_user_domain"/>
<Attribute name="openstack_project_domain" id="openstack_project_domain"/>
systemctl restart shibd

6, Exchange metadata

# Exchange metadata. On the SP, fetch the IdP metadata (the IdP section below copies it to /var/www/html/ so that it can be downloaded):
curl -o /etc/shibboleth/saml2_idp_metadata.xml http://idp.keystone.demo/saml2_idp_metadata.xml
# The SP metadata is published by mod_shib. How it is registered on the IdP side depends on your IdP choice and is not
# covered here; if keystone is your IdP you do not need to upload this file, the IdP only needs the service provider
# record created in the IdP section.
curl -o /etc/shibboleth/sp.keystone.demo.xml http://sp.keystone.demo/Shibboleth.sso/Metadata
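What is exchanged here is the whole trust relationship: from now on the SP accepts any assertion signed with the key in the IdP metadata, and the IdP only talks to the PAOS endpoint the SP advertises. The Python below is an added example (not part of this page, of Shibboleth or of keystone) that checks the two documents against the values registered on each side: the entityID in saml2_idp_metadata.xml against the --remote-id given to `openstack identity provider create` (keystone compares it with the Shib-Identity-Provider variable mod_shib exports), the presence of a signing certificate, and the PAOS AssertionConsumerService in the SP metadata against the --service-provider-url used by `openstack service provider create` in the IdP section. Both metadata documents are constructed samples shaped like the real files, with a placeholder certificate value.

```python
"""Added example: consistency checks on the SAML metadata exchanged between
the keystone SP (mod_shib) and the keystone IdP. Not code from the page,
keystone or Shibboleth; the metadata samples are constructed."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
PAOS = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"

# Constructed sample shaped like `keystone-manage saml_idp_metadata` output
# (the certificate value is a placeholder, not a real certificate).
IDP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://idp.keystone.demo/v3/OS-FEDERATION/saml2/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC0CONSTRUCTEDPLACEHOLDER=</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.keystone.demo/v3/OS-FEDERATION/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample shaped like the metadata mod_shib publishes at /Shibboleth.sso/Metadata.
SP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://sp.keystone.demo/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.keystone.demo/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
        Location="http://sp.keystone.demo/Shibboleth.sso/SAML2/ECP" index="4"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def entity_id(metadata_xml):
    """entityID of the EntityDescriptor root element."""
    return ET.fromstring(metadata_xml).get("entityID")


def signing_certificates(metadata_xml):
    """Base64 bodies of every certificate usable for signing (use absent means both)."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append("".join(cert.text.split()))
    return certs


def paos_acs_location(metadata_xml):
    """ECP endpoint advertised by the SP, or None when ECP is not enabled."""
    root = ET.fromstring(metadata_xml)
    for acs in root.iterfind(".//md:AssertionConsumerService", NS):
        if acs.get("Binding") == PAOS:
            return acs.get("Location")
    return None


def check_exchange(idp_xml, sp_xml, remote_id, service_provider_url):
    """Return a list of problems; an empty list means both sides agree."""
    problems = []
    if entity_id(idp_xml) != remote_id:
        problems.append("IdP entityID != --remote-id registered on the keystone SP")
    if not signing_certificates(idp_xml):
        problems.append("IdP metadata carries no signing certificate")
    ecp = paos_acs_location(sp_xml)
    if ecp is None:
        problems.append('SP metadata has no PAOS binding: set ECP="true" in shibboleth2.xml')
    elif ecp != service_provider_url:
        problems.append("SP PAOS endpoint != --service-provider-url registered on the keystone IdP")
    return problems


if __name__ == "__main__":
    print(check_exchange(IDP_METADATA, SP_METADATA,
                         "http://idp.keystone.demo/v3/OS-FEDERATION/saml2/idp",
                         "http://sp.keystone.demo/Shibboleth.sso/SAML2/ECP"))
```

To run it against a real deployment, replace the two constants with the contents of /etc/shibboleth/saml2_idp_metadata.xml and the output of curl -s http://sp.keystone.demo/Shibboleth.sso/Metadata; an entityID mismatch is the usual cause of keystone rejecting the assertion even though Shibboleth accepted it.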

7, Configure keystone

# https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html#configuring-keystone
# Add the saml2 auth method, backed by the mapped plugin, and remove external from the allowed methods
# (otherwise a REMOTE_USER set by an Apache module could be taken as an already-authenticated local user).
# NOTE: every endpoint in this lab is plain http; in production the SAML exchange and the tokens must go over https.
vi /etc/keystone/keystone.conf
[auth]
#methods = external,password,token,oauth1,mapped,openid,totp
methods = password,token,oauth1,mapped,openid,totp,saml2
saml2 = keystone.auth.plugins.mapped.Mapped
[saml2]
# the request variable mod_shib fills with the IdP entityID; keystone matches it against the identity provider's remote-id
remote_id_attribute = Shib-Identity-Provider
#[openid]
#remote_id_attribute = HTTP_OIDC_ISS
[federation]
#remote_id_attribute = HTTP_OIDC_ISS
# keystone only POSTs an unscoped token back to a dashboard whose origin is listed here (exact string match, trailing slash included)
trusted_dashboard = http://sp.keystone.demo/auth/websso/
trusted_dashboard = http://idp.keystone.demo/auth/websso/
sso_callback_template = /etc/keystone/sso_callback_template.html

systemctl restart shibd apache2
# make sure the callback template is there; this is the HTML form keystone sends to horizon with the token
ls /etc/keystone/sso_callback_template.html
# verify that the SP now advertises the ECP (PAOS) endpoint
ubuntu@zhhuabj-bastion:~$ curl -s http://sp.keystone.demo/Shibboleth.sso/Metadata | grep urn:oasis:names:tc:SAML:2.0:bindings:PAOS
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="http://sp.keystone.demo/Shibboleth.sso/SAML2/ECP" index="4"/>
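trusted_dashboard is the one check that keeps the WebSSO hand-off described earlier (horizon redirects to keystone, mod_shib authenticates, keystone POSTs an unscoped token back) from turning into a token-disclosure oracle: keystone only renders the auto-submitting sso_callback_template form for an origin on that list. The snippet below is an added example, not keystone's own code. It mirrors the check keystone performs on the origin query parameter of /v3/auth/OS-FEDERATION/websso/{protocol} (URL-decode, then exact match against the configured list) using the two trusted_dashboard values above and a simplified stand-in for the callback template; the request URLs and the token value are constructed.

```python
"""Added example (not keystone's code): the trusted_dashboard origin check
keystone applies before handing an unscoped token back to horizon. Horizon
passes its callback URL in the `origin` query parameter; keystone URL-decodes
it and requires an exact match against [federation] trusted_dashboard, then
renders sso_callback_template with $host and $token. Without the check any
page that can bounce a logged-in browser through keystone could collect tokens.
"""
import html
from string import Template
from urllib.parse import parse_qs, unquote_plus, urlsplit

# The two values from the keystone.conf fragment above.
TRUSTED_DASHBOARD = [
    "http://sp.keystone.demo/auth/websso/",
    "http://idp.keystone.demo/auth/websso/",
]

# Simplified stand-in for /etc/keystone/sso_callback_template.html: keystone's
# shipped template is an auto-submitting form with the same two placeholders.
SSO_CALLBACK_TEMPLATE = Template(
    '<form method="post" action="$host">'
    '<input type="hidden" name="token" value="$token"/></form>'
)


class Unauthorized(Exception):
    pass


def trusted_origin(request_url, trusted=TRUSTED_DASHBOARD):
    """Return the decoded origin if it is a configured trusted dashboard."""
    origins = parse_qs(urlsplit(request_url).query).get("origin")
    if not origins:
        raise Unauthorized("missing origin parameter")
    host = unquote_plus(origins[0])
    # Exact string comparison, as keystone does: scheme, host, port, path and
    # even the trailing slash must match the configured value.
    if host not in trusted:
        raise Unauthorized(f"{host} is not a trusted dashboard host")
    return host


def render_sso_callback(request_url, unscoped_token, trusted=TRUSTED_DASHBOARD):
    """Emit the auto-POST form only for a trusted dashboard."""
    host = trusted_origin(request_url, trusted)
    return SSO_CALLBACK_TEMPLATE.substitute(
        host=html.escape(host, quote=True),
        token=html.escape(unscoped_token, quote=True))


def check(request_url, trusted=TRUSTED_DASHBOARD):
    """True if keystone would release a token to this request's origin."""
    try:
        trusted_origin(request_url, trusted)
        return True
    except Unauthorized:
        return False


if __name__ == "__main__":
    base = "http://sp.keystone.demo:5000/v3/auth/OS-FEDERATION/websso/saml2?origin="
    # horizon URL-encodes its callback URL into the origin parameter
    print(render_sso_callback(
        base + "http%3A%2F%2Fsp.keystone.demo%2Fauth%2Fwebsso%2F", "gAAAA-constructed-token"))
    for origin in ("http://sp.keystone.demo/auth/websso",         # no trailing slash
                   "http://evil.example/auth/websso/",            # foreign dashboard
                   "http://sp.keystone.demo/auth/websso/..%2F"):  # path games
        print(origin, "->", check(base + origin))
```

The practical consequence of the exact match is that the trusted_dashboard value has to be spelled exactly as horizon sends it (scheme, port and trailing slash included); a mismatch shows up as an Unauthorized error after a successful IdP login, not as a Shibboleth failure.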

8, Test

# clear any leftover OS_* variables from the previous test
_OS_PARAMS=$(env | awk 'BEGIN {FS="="} /^OS_/ {print $1;}' | paste -sd ' ')
for param in $_OS_PARAMS; do
    unset $param
done

# ECP flow with keystoneauth's v3samlpassword plugin.
# NOTE: keystoneauth documents OS_IDENTITY_PROVIDER_URL as the IdP endpoint the SAML authentication request is
# sent to (for the keystone IdP that would be the commented line below). As described in the keystone-to-keystone
# flow above, a keystone IdP does not run a standard SAML exchange, so this plugin is really meant for an external
# SAML IdP; the OS_SERVICE_PROVIDER variant at the end of this step is the keystone-to-keystone path.
export OS_AUTH_URL=http://sp.keystone.demo/v3
export OS_USERNAME=admin
export OS_PASSWORD=openstack
export OS_IDENTITY_API_VERSION=3
export OS_AUTH_TYPE=v3samlpassword
export OS_PROTOCOL=saml2
export OS_IDENTITY_PROVIDER=keystoneidp
export OS_IDENTITY_PROVIDER_URL=http://sp.keystone.demo/Shibboleth.sso/SAML2/ECP
#export OS_IDENTITY_PROVIDER_URL=http://idp.keystone.demo/v3/auth/OS-FEDERATION/saml2/ecp
export OS_PROJECT_NAME=federated_project
export OS_PROJECT_DOMAIN_NAME=federated_domain
openstack token issue
openstack --debug --os-auth-type v3samlpassword --os-identity-provider keystoneidp --os-identity-provider-url http://sp.keystone.demo/Shibboleth.sso/SAML2/ECP --os-username admin --os-password admin --os-project-name federated_project --os-project-domain-name federated_domain --os-auth-url http://sp.keystone.demo:5000/v3 --os-protocol saml2 token issue

# Find available scopes
# If you are a new user and are not aware of what resources you have access to,
# you can use an unscoped query to list the projects or domains you have been granted a role assignment on:
export OS_AUTH_TYPE=v3samlpassword
export OS_IDENTITY_PROVIDER=keystoneidp
export OS_IDENTITY_PROVIDER_URL=http://sp.keystone.demo/Shibboleth.sso/SAML2/ECP
export OS_PROTOCOL=saml2
export OS_USERNAME=demo
export OS_PASSWORD=password
export OS_AUTH_URL=http://sp.keystone.demo/v3
export OS_IDENTITY_API_VERSION=3
openstack federation project list
openstack federation domain list

# Get a scoped token
# If you already know the project, domain or system you wish to scope to, you can directly request a scoped token
export OS_AUTH_TYPE=v3samlpassword
export OS_IDENTITY_PROVIDER=keystoneidp
export OS_IDENTITY_PROVIDER_URL=http://sp.keystone.demo/Shibboleth.sso/SAML2/ECP
export OS_PROTOCOL=saml2
export OS_USERNAME=demo
export OS_PASSWORD=password
export OS_AUTH_URL=http://sp.keystone.demo/v3
export OS_IDENTITY_API_VERSION=3
export OS_PROJECT_NAME=federated_project
# federated_project was created in federated_domain in step 1
export OS_PROJECT_DOMAIN_NAME=federated_domain
openstack token issue

# If ECP is not enabled: authenticate against the IdP keystone with a password and let it exchange that token for
# an SP token (keystone-to-keystone, selected by OS_SERVICE_PROVIDER; OS_PROJECT_* scope the token at the IdP,
# OS_REMOTE_PROJECT_* the token issued by the SP)
export OS_USERNAME=demo
export OS_PASSWORD=openstack
export OS_AUTH_URL=http://idp.keystone.demo/v3
export OS_IDENTITY_API_VERSION=3
export OS_PROJECT_NAME=federated_project
export OS_PROJECT_DOMAIN_NAME=Default
export OS_SERVICE_PROVIDER=keystonesp
export OS_REMOTE_PROJECT_NAME=federated_project
export OS_REMOTE_PROJECT_DOMAIN_NAME=Default
openstack token issue

keystone-to-keystone federation example - setting up the IdP

sudo apt install xmlsec1 python-pysaml2
sudo bash -c 'cat >>/etc/hosts' <<EOF
10.5.0.64 idp.keystone.demo
10.5.0.18 sp.keystone.demo
EOF
# Enable the federation (OS-FEDERATION) extension in /etc/keystone/keystone-paste.ini
[filter:federation_extension]
use = egg:keystone#federation_extension
...
[pipeline:api_v3]
pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension federation_extension service_v3
# Add the capability to sign/generate SAML assertions: a self-signed signing key pair owned by keystone.
# This key signs every assertion the SP will trust, so keep the private key readable by keystone only.
mkdir -p /etc/keystone/ssl/{certs,private}
openssl req -x509 -newkey rsa:2048 -keyout /etc/keystone/ssl/private/signing_key.pem -out /etc/keystone/ssl/certs/signing_cert.pem -days 365 -nodes
chown -R keystone:keystone /etc/keystone/ssl
sudo bash -c 'cat >>/etc/keystone/keystone.conf' <<EOF
[saml]
certfile=/etc/keystone/ssl/certs/signing_cert.pem
keyfile=/etc/keystone/ssl/private/signing_key.pem
# idp_entity_id is what the SP registers as --remote-id and what ends up in Shib-Identity-Provider
idp_entity_id=http://idp.keystone.demo/v3/OS-FEDERATION/saml2/idp
idp_sso_endpoint=http://idp.keystone.demo/v3/OS-FEDERATION/saml2/sso
idp_metadata_path=/etc/keystone/saml2_idp_metadata.xml
idp_organization_name = sts
idp_organization_display_name = sts
idp_organization_url = http://sts.com/
EOF
# Generate the IdP metadata; it has to be provided to the SP as well
keystone-manage saml_idp_metadata > /etc/keystone/saml2_idp_metadata.xml
chown keystone:keystone /etc/keystone/saml2_idp_metadata.xml
# Exchange metadata: copy the IdP metadata to a path the SP can download it from
# sp's metadata:  http://sp.keystone.demo/Shibboleth.sso/Metadata
# idp's metadata: http://idp.keystone.demo/saml2_idp_metadata.xml
cp /etc/keystone/saml2_idp_metadata.xml /var/www/html/
# Once the metadata is created, restart the keystone service
service apache2 restart
# Last, create the SP resource in the keystone IdP; --service-provider-url must be the PAOS (ECP) endpoint the SP advertises
openstack service provider create keystonesp \
--auth-url http://sp.keystone.demo/v3/OS-FEDERATION/identity_providers/keystoneidp/protocols/saml2/auth \
--service-provider-url http://sp.keystone.demo/Shibboleth.sso/SAML2/ECP
root@juju-f12ad0-queens-idp-2:~# curl -s http://sp.keystone.demo/Shibboleth.sso/Metadata | grep urn:oasis:names:tc:SAML:2.0:bindings:PAOS
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="http://sp.keystone.demo/Shibboleth.sso/SAML2/ECP" index="4"/>

Appendix - keystone-to-google federation

Not tested; only a theoretical walk-through to make the overall flow clear.

In this experiment the IdP is Google Sign-In from the Google Identity Platform. Google Sign-In is Google's authentication service, which lets users log in to third-party applications or systems with their Google account and so simplifies the login step.
OpenID Connect = OAuth + Identity + Authentication
Configure Google
1, Register a domain name (e.g. quqi99.publicvm.com) and add A records for the www and @ hosts pointing at the public IP of the keystone (SP) machine.
2, On console.developers.google.com create an app under APIs & Services -> Credentials -> OAuth consent screen, and add the registered domain under APIs & Services -> Credentials -> Domain verification.
3, Under APIs & Services -> Credentials -> Credentials click "Create credentials -> OAuth client ID", create an OAuth client ID of type "Web application" and enter https://quqi99.publicvm.com:5000/v3/auth/OS-FEDERATION/websso/oidc/redirect as the redirect URI. This yields the Client ID and Client secret used below. The OIDCRedirectURI in the Apache configuration later has to be exactly the URI registered here, scheme and port included, or Google rejects the callback.
Configure Keystone
1, Install libapache2-mod-auth-openidc
2, Update keystone.conf
[auth]
# as in the SP section above, external should be dropped from methods once the OIDC module is setting REMOTE_USER
methods = external,password,token,oauth1,oidc
oidc = keystone.auth.plugins.mapped.Mapped
[oidc]
remote_id_attribute = HTTP_OIDC_ISS
[federation]
remote_id_attribute = HTTP_OIDC_ISS
trusted_dashboard = http://quqi99.publicvm.com/auth/websso/
3, Update /etc/apache2/sites-available/wsgi-keystone.conf; OIDCClientID, OIDCClientSecret and OIDCRedirectURI correspond to the Google client parameters above.
$ cat /etc/apache2/sites-available/wsgi-keystone.conf
Listen 5000
Listen 35357
LoadModule auth_openidc_module /usr/lib/apache2/modules/mod_auth_openidc.so
<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /var/www/cgi-bin/keystone/main
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
        ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    LogLevel debug
    ErrorLog /var/log/apache2/keystone-error.log
    CustomLog /var/log/apache2/keystone-access.log combined

    OIDCClaimPrefix "OIDC-"
    OIDCResponseType "id_token"
    OIDCScope "openid email profile"
    OIDCProviderMetadataURL "https://accounts.google.com/.well-known/openid-configuration"
    # use the Client ID and secret from your own Google console; never reuse values copied from a post
    OIDCClientID "388517667150-adc2etk5ohfif5bluber4ho2150pqb3k.apps.googleusercontent.com"
    OIDCClientSecret 2CnpJ5mm8mfqfoN_6aqd-72A
    # passphrase protecting mod_auth_openidc's session and state cookies; pick a strong random value
    OIDCCryptoPassphrase openstack
    OIDCRedirectURI "http://quqi99.publicvm.com:5000/v3/auth/OS-FEDERATION/websso/oidc/redirect"

    <Location ~ "/v3/auth/OS-FEDERATION/websso/oidc">
        AuthType openid-connect
        Require valid-user
        LogLevel debug
    </Location>
</VirtualHost>
4, Enable websso in horizon by updating /etc/openstack-dashboard/local_settings.py
OPENSTACK_KEYSTONE_URL = "http://quqi99.publicvm.com:5000/v3"
OPENSTACK_API_VERSIONS = {"identity": 3}
WEBSSO_ENABLED = True
WEBSSO_CHOICES = (("credentials", _("Keystone Credentials")), ("oidc", _("Google Login")))
WEBSSO_INITIAL_CHOICE = "credentials"
5, Configure Keystone
# Create a group and a project for Google users
openstack group create google_group
openstack project create google_project
openstack role add admin --group google_group --project google_project
# Google Identity Provider; the remote-id is the OIDC issuer, which mod_auth_openidc exports as HTTP_OIDC_ISS
#openstack identity provider create google --remote-id https://accounts.google.com
curl -g -X POST http://quqi99.publicvm.com:35357/v3/OS-FEDERATION/identity_providers/google_idp -H "Content-Type: application/json" -H "Accept: application/json" -H "X-Auth-Token: $token" -d '{"identity_provider": {"enabled": true, "description": null, "remote_ids": ["https://accounts.google.com"]}}'
# Create the mapping. A mapping is a set of rules that link the attributes of a remote user to user properties that keystone understands.
# This rule only assigns a group (by the id of google_group created above); with no user name in the local section
# keystone falls back to the REMOTE_USER that mod_auth_openidc sets from the id_token.
# NOTE: the only remote condition is the issuer, so every Google account that completes the login lands in
# google_group, and with the admin role assignment above that is admin on google_project for anyone with a Google
# account. Add a condition on an e-mail or hosted-domain claim exported by mod_auth_openidc before using this beyond a lab.
$ cat google_mapping.json
[{"local": [{"group": {"id": "a52d06a163f049e29416e20d0e8a12ea"}}], "remote": [{"type": "HTTP_OIDC_ISS", "any_one_of": ["https://accounts.google.com"]}]}
]
openstack mapping create google_mapping --rules google_mapping.json
openstack federation protocol create oidc --identity-provider google_idp --mapping google_mapping

References

[1] http://wsfdl.com/openstack/2016/02/01/Keystone-Google-Federation-With-OpenID.html
[2] https://www.ibm.com/developerworks/cn/cloud/library/cl-cn-keystonehorizonsso/
[3] http://wsfdl.com/openstack/2016/01/14/Keystone-Federation-Identity-with-SAML2.html
[4] http://shuquan.github.io/setting-up-keystone-to-keystone-federation/
[5] https://cloud.garr.it/support/kb/cloud/federated_auth/
[6] https://docs.openstack.org/keystone/latest/admin/federation/federated_identity.html
[7] https://docs.openstack.org/keystone/queens/admin/federated-identity.html
[8] http://www.gazlene.net/demystifying-keystone-federation.html
[9] https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html
[10] https://bugs.launchpad.net/mos/+bug/1626471
[11] https://ibm-blue-box-help.github.io/help-documentation/keystone/saml-federation/
[12] http://xuctarine.blogspot.com/2016/02/how-to-setup-keystone-with-shibboleth.html
[13] http://blog.rodrigods.com/playing-with-keystone-to-keystone-federation/
[14] http://www.gazlene.net/federation-devstack.html
