You can integrate VMware Integrated OpenStack with any third-party identity provider solution that uses the Security Association Markup Language (SAML) 2.0 protocol.

Important:

Third-party identity providers are not supported by VMware. Contact your identity provider administrator to obtain the information required in this procedure.

If you want to integrate VMware Integrated OpenStack with VMware Identity Manager using SAML 2.0, see Configure VMware Identity Manager Federation.

Prerequisites

  • Deploy your identity provider solution and determine the location of its metadata file.

  • Ensure that the VMware Integrated OpenStack controller node can access the FQDN of the identity provider solution.

  • Create a mapping file in JSON format and save it on the OpenStack Management Server. For more information, see Mapping Combinations in the OpenStack documentation.

  • Create an SAML attribute mapping file in JSON format and save it on the OpenStack Management Server. Use the following structure:

    [
        {
            "name": "attribute-1",
            "id": "id-1"
        },
        {
            "name": "attribute-2",
            "id": "id-2"
        },
        ...
    ]
Note:

A VMware Integrated OpenStack deployment can include only one federated identity provider. You can run viocli federation identity-provider list to display all configured identity providers and viocli federation identity-provider remove to remove them by ID.

Procedure

  1. Log in to the OpenStack Management Server as viouser.
  2. Add your identity provider solution to VMware Integrated OpenStack.
    sudo viocli federation identity-provider add --type saml2
  3. Enter the following information as prompted.

    Option

    Description

    Identity provider name

    Enter a name for the identity provider. This name is used in OpenStack Management Server command-line operations and cannot include special characters or spaces.

    Identity provider display name (for Horizon)

    Enter a display name for the identity provider. This name is shown to users under Authenticate using when they log in to the VMware Integrated OpenStack dashboard.

    Description

    (Optional) Enter a description of the identity provider.

    Do you wish to use URL or local file for IdP metadata?

    Enter url. Obtaining identity provider metadata from a local file is not supported.

    IdP metadata URL

    Enter the URL to the metadata file on your identity provider (for example, https://idp-fqdn/metadata.xml). You must specify the identity provider by FQDN.

    Do not verify certificates when establishing TLS/SSL connections

    Enter false to verify TLS certificates or true to disable certificate verification.

    Do you wish to use a static file or template file for mapping rules

    Enter static to use a static mapping file or template to use a mapping template.

    Enter the local path of mapping rules file

    Enter the path to the mapping rules file on your local system.

    Enter the name of the domain that federated users associate with

    Enter the Keystone domain to which federated users will belong. The domain will be created if it does not exist.

    Enter the name to the groups that federated users associate with (separated by commas ",")

    Enter one or more groups to create for federated users. You must enter all groups that are included in your mapping file. Groups that you enter will be created if they do not exist.

    Do you wish to use a static file or template file for attribute mapping

    Enter static to use a static mapping file or template to use a mapping template.

    Enter the local path of attribute mapping file

    Enter the path to the attribute mapping file on your local system.

  4. Deploy the updated identity configuration.
    sudo viocli identity configure

    Deploying the identity configuration briefly interrupts OpenStack services.

Results

VMware Integrated OpenStack is integrated with your identity provider solution, and federated users and groups are imported into OpenStack. When you access the VMware Integrated OpenStack dashboard, you can choose the specified identity provider to log in as a federated user.

Example: Integrating VMware Integrated OpenStack with Active Directory Federation Services

The following procedure implements identity federation between VMware Integrated OpenStack and Active Directory Federation Services (AD FS). In this example, the public virtual IP address of the VMware Integrated OpenStack deployment is 192.0.2.160 and the AD FS role has been added to a Windows Server virtual machine located at adfs.example.com.

  1. In AD FS, add a relying party trust for VMware Integrated OpenStack.

    1. In AD FS Management, select Action > Add Relying Party Trust....

    2. Click Start.

    3. Select Enter data about the relying party manually and click Next.

    4. Enter OpenStack for the display name and click Next.

    5. Select AD FS profile and click Next.

    6. Click Next.

    7. Select Enable support for the SAML 2.0 WebSSO protocol.

    8. Enter https://192.0.2.160:5000/saml for the relying party URL and click Next.

    9. Enter https://192.0.2.160:5000/saml for the relying party trust identifier, click Add, and click Next.

    10. Select I do not want to configure multi-factor authentication and click Next.

    11. Select Permit all users to access this relying party and click Next.

    12. Click Next, select Edit Claim Rules, and click Close.

    13. Click Add Rule....

    14. Select Pass Through or Filter an Incoming Claim and click Next.

    15. Enter UPN passthrough for the rule name and select UPN for the incoming claim type.

    16. Select Pass through all claim values and click Finish

  2. Log in to the OpenStack Management Server as viouser.

  3. Write the following information to a file named mapping.json.

    [
        {
            "local": [
                {
                    "user": {
                        "name": "{0}",
                    },
                    "group": {
                        "domain": {
                            "name": "adfs-users"
                        },
                        "name": "Federated Users"
                    }
                }
            ],
            "remote": [
                {
                    "type": "upn"
                }
            ]
        }
    ]
  4. Write the following information to a file named attribute.json.

    [
        {
            "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
            "id": "upn"
        }
    ]
  5. Add AD FS as an identity provider.

    sudo viocli federation identity-provider add --type saml2
  6. Enter the information as prompted.

    Identity provider name []: adfs
    Identity provider display name (for Horizon) []: Active Directory Federation Services
    Description []: ADFS deployment
    Do you wish to use URL or local file for IdP metadata? (url, file) [url]: url
    IdP metadata URL []: https://adfs.example.com/federationmetadata/2007-06/federationmetadata.xml
    Do not verify certificates when establishing TLS/SSL connections [False]: false
    Do you wish to use a static file or template file for mapping rules? (static, template) [static]: static
    Enter the local path of mapping rules file: mapping.json
    Enter the name of the domain that federated users associate with [Default]: adfs-users
    Enter the name to the groups that federated users associate with (separated by commas ",") []: Federated Users
    Do you wish to use a static file or template file for attribute mapping? (static, template) [static]: static
    Enter the local path of attribute mapping file: attribute.json
  7. Deploy the updated identity configuration.

    sudo viocli identity configure

After the configuration is deployed, open the VMware Integrated OpenStack dashboard. You can now select the AD FS identity provider and log in as a federated user.