See Keystone as a Service Provider (SP) before proceeding with these Mellon-specific instructions.
Note
You are advised to carefully examine the mod_auth_mellon documentation.
Follow the steps outlined at: Keystone install guide for SUSE, RedHat or Ubuntu.
Install the Apache module package. For example, on Ubuntu:
# apt-get install libapache2-mod-auth-mellon
The package and module name will differ between distributions.
Unlike mod_shib
, all of mod_auth_mellon
’s configuration is done in
Apache, not in a separate config file. Set up the shared settings in a single
<Location>
directive near the top in your keystone VirtualHost file, before
your protected endpoints:
<Location /v3>
MellonEnable "info"
MellonSPPrivateKeyFile /etc/apache2/mellon/sp.keystone.example.org.key
MellonSPCertFile /etc/apache2/mellon/sp.keystone.example.org.cert
MellonSPMetadataFile /etc/apache2/mellon/sp-metadata.xml
MellonIdPMetadataFile /etc/apache2/mellon/idp-metadata.xml
MellonEndpointPath /v3/mellon
MellonIdP "IDP"
</Location>
Configure each protected path to use the Mellon
AuthType:
<Location /v3/OS-FEDERATION/identity_providers/samltest/protocols/saml2/auth>
Require valid-user
AuthType Mellon
MellonEnable auth
</Location>
Do the same for the WebSSO auth paths if using horizon as a single sign-on frontend:
<Location /v3/auth/OS-FEDERATION/websso/saml2>
Require valid-user
AuthType Mellon
MellonEnable auth
</Location>
<Location /v3/auth/OS-FEDERATION/identity_providers/samltest/protocols/saml2/websso>
Require valid-user
AuthType Mellon
MellonEnable auth
</Location>
Mellon provides a script called mellon_create_metadata.sh``_ which generates
the values for the config directives ``MellonSPPrivateKeyFile
,
MellonSPCertFile
, and MellonSPMetadataFile
. Run the script:
$ ./mellon_create_metadata.sh \
https://sp.keystone.example.org/mellon \
http://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/samltest/protocols/saml2/auth/mellon
The first parameter is used as the entity ID, a URN of your choosing that must
uniquely identify the Service Provider to the Identity Provider. The second
parameter is the full URL for the endpoint path corresponding to the parameter
MellonEndpointPath
.
After generating the keypair and metadata, copy the files to the locations
given by the MellonSPPrivateKeyFile
and MellonSPCertFile
settings in
your Apache configuration.
Upload the Service Provider’s Metadata file which you just generated to your Identity Provider. This is the file used as the value of the MellonSPMetadataFile in the config. The IdP may provide a webpage where you can upload the file, or you may be required to submit the file using wget or curl. Please check your IdP documentation for details.
Fetch your Identity Provider’s Metadata file and copy it to the path specified
by the MellonIdPMetadataFile
setting in your Apache configuration.
$ wget -O /etc/apache2/mellon/idp-metadata.xml https://samltest.id/saml/idp
Remember to reload Apache after finishing configuring Mellon:
# systemctl reload apache2
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.