You can integrate VMware Integrated OpenStack with any third-party identity provider solution that uses the Security Assertion Markup Language (SAML) 2.0 protocol.

Important: Third-party identity providers are not supported by VMware. Contact your identity provider administrator to obtain the information required in this procedure.

If you want to integrate VMware Integrated OpenStack with VMware Identity Manager using SAML 2.0, see Configure VMware Identity Manager Federation.

Prerequisites

  • Deploy your identity provider solution and determine the location of its metadata file.
  • Ensure that the VMware Integrated OpenStack controller node can access the FQDN of the identity provider solution.
  • Create a mapping file in JSON format and save it on the OpenStack Management Server. For more information, see Mapping Combinations in the OpenStack documentation.
  • In your mapping file, do not use federated as the domain name. This name is reserved by Keystone.
  • Create a SAML attribute mapping file in JSON format and save it on the OpenStack Management Server. Use the following structure:
    [
        {
            "name": "attribute-1",
            "id": "id-1"
        },
        {
            "name": "attribute-2",
            "id": "id-2"
        },
        ...
    ]
Note: A VMware Integrated OpenStack deployment can include only one federated identity provider. You can run viocli federation identity-provider list to display all configured identity providers and viocli federation identity-provider remove to remove them by ID.

Procedure

  1. Log in to the OpenStack Management Server as viouser.
  2. Add your identity provider solution to VMware Integrated OpenStack.
    sudo viocli federation identity-provider add --type saml2
  3. Enter the following information as prompted.
    Option Description
    Identity provider name

    Enter a name for the identity provider. This name is used in OpenStack Management Server command-line operations and cannot include special characters or spaces.

    Identity provider display name (for Horizon)

    Enter a display name for the identity provider. This name is shown to users under Authenticate using when they log in to the VMware Integrated OpenStack dashboard.

    Description

    (Optional) Enter a description of the identity provider.

    Do you wish to use URL or local file for IdP metadata?

    Enter url. Obtaining identity provider metadata from a local file is not supported.

    IdP metadata URL

    Enter the URL to the metadata file on your identity provider (for example, https://idp-fqdn/metadata.xml). You must specify the identity provider by FQDN.

    Do not verify certificates when establishing TLS/SSL connections

    Enter false to verify TLS certificates or true to disable certificate verification.

    Do you wish to use a static file or template file for mapping rules

    Enter static to use a static mapping file or template to use a mapping template.

    Enter the local path of mapping rules file

    Enter the path to the mapping rules file on your local system.

    Enter the name of the domain that federated users associate with

    Enter the Keystone domain to which federated users will belong. The domain will be created if it does not exist.

    Note: Do not enter federated for the domain name. This name is reserved by Keystone.

    Enter the name to the groups that federated users associate with (separated by commas ",")

    Enter one or more groups to create for federated users. You must enter all groups that are included in your mapping file. Groups that you enter will be created if they do not exist.

    Do you wish to use a static file or template file for attribute mapping

    Enter static to use a static mapping file or template to use a mapping template.

    Enter the local path of attribute mapping file

    Enter the path to the attribute mapping file on your local system.

  4. Deploy the updated identity configuration.
    sudo viocli identity configure

    Deploying the identity configuration briefly interrupts OpenStack services.

Results

VMware Integrated OpenStack is integrated with your identity provider solution, and federated users and groups are imported into OpenStack. When you access the VMware Integrated OpenStack dashboard, you can choose the specified identity provider to log in as a federated user.

Example: Integrating VMware Integrated OpenStack with Active Directory Federation Services

The following procedure implements identity federation between VMware Integrated OpenStack and Active Directory Federation Services (AD FS). In this example, the public virtual IP address of the VMware Integrated OpenStack deployment is 192.0.2.160 and the AD FS role has been added to a Windows Server virtual machine located at adfs.example.com.

  1. In AD FS, add a relying party trust for VMware Integrated OpenStack.
    1. In AD FS Management, select Action > Add Relying Party Trust....
    2. Click Start.
    3. Select Enter data about the relying party manually and click Next.
    4. Enter OpenStack for the display name and click Next.
    5. Select AD FS profile and click Next.
    6. Click Next.
    7. Select Enable support for the SAML 2.0 WebSSO protocol.
    8. Enter https://192.0.2.160:5000/saml for the relying party URL and click Next.
    9. Enter https://192.0.2.160:5000/saml for the relying party trust identifier, click Add, and click Next.
    10. Select I do not want to configure multi-factor authentication and click Next.
    11. Select Permit all users to access this relying party and click Next.
    12. Click Next, select Edit Claim Rules, and click Close.
    13. Click Add Rule....
    14. Select Pass Through or Filter an Incoming Claim and click Next.
    15. Enter UPN passthrough for the rule name and select UPN for the incoming claim type.
    16. Select Pass through all claim values and click Finish.
  2. Log in to the OpenStack Management Server as viouser.
  3. Write the following information to a file named mapping.json.
    [
        {
            "local": [
                {
                    "user": {
                        "name": "{0}"
                    },
                    "group": {
                        "domain": {
                            "name": "adfs-users"
                        },
                        "name": "Federated Users"
                    }
                }
            ],
            "remote": [
                {
                    "type": "upn"
                }
            ]
        }
    ]
  4. Write the following information to a file named attribute.json.
    [
        {
            "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
            "id": "upn"
        }
    ]
  5. Add AD FS as an identity provider.
    sudo viocli federation identity-provider add --type saml2
  6. Enter the information as prompted.
    Identity provider name []: adfs
    Identity provider display name (for Horizon) []: Active Directory Federation Services
    Description []: ADFS deployment
    Do you wish to use URL or local file for IdP metadata? (url, file) [url]: url
    IdP metadata URL []: https://adfs.example.com/federationmetadata/2007-06/federationmetadata.xml
    Do not verify certificates when establishing TLS/SSL connections [False]: false
    Do you wish to use a static file or template file for mapping rules? (static, template) [static]: static
    Enter the local path of mapping rules file: mapping.json
    Enter the name of the domain that federated users associate with [Default]: adfs-users
    Enter the name to the groups that federated users associate with (separated by commas ",") []: Federated Users
    Do you wish to use a static file or template file for attribute mapping? (static, template) [static]: static
    Enter the local path of attribute mapping file: attribute.json
  7. Deploy the updated identity configuration.
    sudo viocli identity configure

After the configuration is deployed, open the VMware Integrated OpenStack dashboard. You can now select the AD FS identity provider and log in as a federated user.
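Two of the prompts above are easy to get wrong in ways that only surface after viocli identity configure has restarted services: the domain name must not be federated, and every group referenced in mapping.json must be listed at the groups prompt, with each remote type backed by an id in attribute.json. The following script is an added example (not VMware or Keystone code) that pre-flights the mapping.json and attribute.json files from the AD FS example above and then simulates how a rule turns an incoming assertion into a local user and group. It implements only the subset of Keystone mapping semantics the page uses (remote entries matched by type, an optional any_one_of filter, and {N} placeholders in the local section referring to the N-th matched remote value); the sample assertion and the function names are constructed for this example.

```python
"""Pre-flight checks for a Keystone federation mapping file and its SAML
attribute mapping file, plus a small simulation of rule evaluation.

Added example, not VMware or Keystone code. Covers only the subset of
Keystone mapping semantics used on this page.
"""
import json

RESERVED_DOMAIN = "federated"  # reserved by Keystone; never use as a domain name

# Constructed sample files mirroring the AD FS example on this page.
MAPPING_JSON = """
[
  {
    "local": [
      {"user": {"name": "{0}"},
       "group": {"domain": {"name": "adfs-users"}, "name": "Federated Users"}}
    ],
    "remote": [
      {"type": "upn"}
    ]
  }
]
"""

ATTRIBUTE_JSON = """
[
  {"name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "id": "upn"}
]
"""


def load_rules(mapping_text, attribute_text):
    """Parse both files; returns (rules, attributes)."""
    return json.loads(mapping_text), json.loads(attribute_text)


def check_mapping(rules, attributes):
    """Return a list of problems; an empty list means the two files are consistent."""
    problems = []
    known_ids = {a["id"] for a in attributes}
    for i, rule in enumerate(rules):
        for key in ("local", "remote"):
            if key not in rule:
                problems.append(f"rule {i}: missing '{key}' section")
        for remote in rule.get("remote", []):
            if remote.get("type") not in known_ids:
                problems.append(f"rule {i}: remote type {remote.get('type')!r} "
                                "has no matching id in the attribute mapping")
        for local in rule.get("local", []):
            group = local.get("group") or {}
            if group.get("domain", {}).get("name") == RESERVED_DOMAIN:
                problems.append(f"rule {i}: domain name {RESERVED_DOMAIN!r} is reserved by Keystone")
    return problems


def groups_in_mapping(rules):
    """Every group name referenced in a 'local' section; all of these must be
    supplied at the 'groups that federated users associate with' prompt."""
    names = []
    for rule in rules:
        for local in rule.get("local", []):
            group = local.get("group")
            if group and group["name"] not in names:
                names.append(group["name"])
    return names


def apply_rule(rule, assertion):
    """Apply one rule to an assertion (dict: attribute id -> list of values).
    Returns the rendered 'local' list, or None if the remote section does not match."""
    matched = []
    for remote in rule["remote"]:
        values = assertion.get(remote["type"])
        if not values:
            return None
        allowed = remote.get("any_one_of")
        if allowed is not None and not set(values) & set(allowed):
            return None
        matched.append(values[0])  # {N} placeholders refer to the N-th remote entry

    def render(obj):
        if isinstance(obj, str):
            return obj.format(*matched)
        if isinstance(obj, dict):
            return {k: render(v) for k, v in obj.items()}
        if isinstance(obj, list):
            return [render(v) for v in obj]
        return obj

    return render(rule["local"])


def map_assertion(rules, assertion):
    """Collect the 'local' output of every rule whose remote section matches."""
    out = []
    for rule in rules:
        rendered = apply_rule(rule, assertion)
        if rendered is not None:
            out.extend(rendered)
    return out


if __name__ == "__main__":
    rules, attrs = load_rules(MAPPING_JSON, ATTRIBUTE_JSON)
    print("problems:", check_mapping(rules, attrs) or "none")
    print("groups to enter at the prompt:", ", ".join(groups_in_mapping(rules)))
    # Constructed assertion as AD FS would present it after the UPN passthrough rule.
    print(json.dumps(map_assertion(rules, {"upn": ["alice@example.com"]}), indent=2))
```

Run the checks before step 5 of the example: if check_mapping reports a problem, or groups_in_mapping lists a group you did not plan to enter at the groups prompt, fix the files first, because viocli identity configure interrupts OpenStack services each time it is run.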