See Keystone as a Service Provider (SP) before proceeding with these OpenIDC-specific instructions.
These examples use Google as an OpenID Connect Identity Provider. The Service Provider must be added to the Identity Provider in the Google API console.
Note: You are advised to carefully examine the mod_auth_openidc documentation.
Install the Apache module package. For example, on Ubuntu:
# apt-get install libapache2-mod-auth-openidc
The package and module name will differ between distributions.
In the Apache configuration for the keystone VirtualHost, set the following OIDC options:
OIDCClaimPrefix "OIDC-"
OIDCResponseType "id_token"
OIDCScope "openid email profile"
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID <openid_client_id>
OIDCClientSecret <openid_client_secret>
OIDCCryptoPassphrase <random string>
OIDCRedirectURI https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/google/protocols/openid/auth
OIDCScope is the list of attributes that the user will authorize the Identity Provider to send to the Service Provider. OIDCClientID and OIDCClientSecret must be generated and obtained from the Identity Provider. OIDCProviderMetadataURL is a URL from which the Service Provider will fetch the Identity Provider's metadata. OIDCRedirectURI is a vanity URL that must point to a protected path that does not have any content, such as an extension of the protected federated auth path.
Note: If using a mod_wsgi version less than 4.3.0, then the OIDCClaimPrefix must be specified to have only alphanumerics or a dash ("-"). This is because mod_wsgi blocks headers that do not fit this criteria.
Configure each protected path to use the openid-connect AuthType:
<Location /v3/OS-FEDERATION/identity_providers/google/protocols/openid/auth>
Require valid-user
AuthType openid-connect
</Location>
Do the same for the WebSSO auth paths if using horizon:
<Location /v3/auth/OS-FEDERATION/websso/openid>
Require valid-user
AuthType openid-connect
</Location>
<Location /v3/auth/OS-FEDERATION/identity_providers/google/protocols/openid/websso>
Require valid-user
AuthType openid-connect
</Location>
Remember to reload Apache after altering the VirtualHost:
# systemctl reload apache2
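Before reloading, it is worth checking that the VirtualHost actually ties the pieces above together: every required OIDC directive is set, no placeholder such as <openid_client_id> was left in, the metadata and redirect URLs use https, and the OIDCRedirectURI path is covered by a <Location> block with AuthType openid-connect. The following script is an added example and not part of keystone or mod_auth_openidc; it parses a constructed VirtualHost fragment (SAMPLE_VHOST, with made-up client id, secret and passphrase) that mirrors the directives on this page, and the check_vhost function can be pointed at a real configuration file instead.

```python
import re
from urllib.parse import urlparse

# Constructed sample VirtualHost fragment with the directives from this page;
# the client id, secret and passphrase are made-up placeholders, not real values.
SAMPLE_VHOST = """
OIDCClaimPrefix "OIDC-"
OIDCResponseType "id_token"
OIDCScope "openid email profile"
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID example-client-id
OIDCClientSecret example-client-secret
OIDCCryptoPassphrase example-random-passphrase
OIDCRedirectURI https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/google/protocols/openid/auth
<Location /v3/OS-FEDERATION/identity_providers/google/protocols/openid/auth>
Require valid-user
AuthType openid-connect
</Location>
"""

# Directives the module cannot work without.
REQUIRED = ("OIDCProviderMetadataURL", "OIDCClientID", "OIDCClientSecret",
            "OIDCCryptoPassphrase", "OIDCRedirectURI")

LOCATION_RE = re.compile(r"<Location\s+(\S+?)\s*>(.*?)</Location>", re.S | re.I)


def parse_directives(text):
    """Map 'Name value' lines to {name: value}; quotes around values are stripped."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "<")):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            out[parts[0]] = parts[1].strip().strip('"')
    return out


def parse_locations(text):
    """Map each <Location path> block to the directives inside it."""
    return {path: parse_directives(body) for path, body in LOCATION_RE.findall(text)}


def check_vhost(text):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    locations = parse_locations(text)
    directives = parse_directives(LOCATION_RE.sub("", text))

    for name in REQUIRED:
        value = directives.get(name)
        if not value:
            problems.append(f"missing {name}")
        elif value.startswith("<") and value.endswith(">"):
            problems.append(f"{name} still holds the placeholder {value}")

    # Metadata is fetched over the network and the redirect carries the id_token,
    # so both URLs must be https.
    for name in ("OIDCProviderMetadataURL", "OIDCRedirectURI"):
        value = directives.get(name, "")
        if value and urlparse(value).scheme != "https":
            problems.append(f"{name} must use https")

    # The redirect URI has to land on a path that mod_auth_openidc protects.
    redirect = directives.get("OIDCRedirectURI", "")
    if redirect:
        path = urlparse(redirect).path
        loc = locations.get(path)
        if loc is None:
            problems.append(f"no <Location {path}> block protects OIDCRedirectURI")
        elif loc.get("AuthType", "").lower() != "openid-connect":
            problems.append(f"<Location {path}> does not set AuthType openid-connect")
        elif loc.get("Require") != "valid-user":
            problems.append(f"<Location {path}> does not Require valid-user")
    return problems


if __name__ == "__main__":
    for problem in check_vhost(SAMPLE_VHOST) or ["vhost checks passed"]:
        print(problem)
```

To run it against a live host, read the VirtualHost file into a string and pass it to check_vhost; the parser deliberately only understands the flat directive and <Location> layout used on this page, so nested containers or Include lines will need to be flattened first.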
Note
Note: When creating mapping rules in keystone, note that the 'remote' attributes will be prefixed with HTTP_, so for instance, if you set OIDCClaimPrefix to OIDC-, then a typical remote value to check for is HTTP_OIDC_ISS.
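The two notes above (the mod_wsgi restriction on OIDCClaimPrefix, and the HTTP_ prefix on remote attribute names) determine what a keystone mapping rule has to match on. The following is an added example, not code from keystone or mod_auth_openidc: it validates a claim prefix against the old-mod_wsgi rule, derives the remote attribute name keystone will see for a claim (prefix plus claim, upper-cased, dashes turned into underscores, HTTP_ in front), and builds a mapping that takes the user name from the email claim and only matches id_tokens whose iss claim is the Google issuer. The issuer value https://accounts.google.com is the one published by the metadata URL on this page, and the group id is a placeholder to be replaced with a real keystone group.

```python
import json
import re

# mod_wsgi < 4.3.0 only passes headers whose names are alphanumerics or dashes.
SAFE_PREFIX_RE = re.compile(r"[A-Za-z0-9-]+")


def prefix_is_wsgi_safe(prefix):
    """True if OIDCClaimPrefix survives the header filter of old mod_wsgi versions."""
    return SAFE_PREFIX_RE.fullmatch(prefix) is not None


def remote_attribute(prefix, claim):
    """WSGI environ key keystone sees for a claim: HTTP_ plus the upper-cased
    header name, with dashes turned into underscores (the CGI header convention)."""
    header = prefix + claim
    return "HTTP_" + header.upper().replace("-", "_")


def build_mapping(prefix, issuer, group_id):
    """Keystone mapping: user name from the email claim ({0} is the first
    non-condition remote entry), membership of group_id, and a match only
    when the iss claim equals the expected issuer."""
    return {
        "rules": [
            {
                "local": [
                    {"user": {"name": "{0}"}},
                    {"group": {"id": group_id}},
                ],
                "remote": [
                    {"type": remote_attribute(prefix, "email")},
                    {"type": remote_attribute(prefix, "iss"), "any_one_of": [issuer]},
                ],
            }
        ]
    }


if __name__ == "__main__":
    for candidate in ("OIDC-", "OIDC_CLAIM_"):
        print(f"{candidate!r} safe for mod_wsgi < 4.3.0: {prefix_is_wsgi_safe(candidate)}")
    # Issuer from the Google metadata document; the group id is a placeholder.
    mapping = build_mapping("OIDC-", "https://accounts.google.com", "<group_id_placeholder>")
    print(json.dumps(mapping, indent=2))
```

The printed JSON can be saved and registered with openstack mapping create; the issuer condition matters because without it any identity provider whose claims reach the same protected path would satisfy the rule.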
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.