You can integrate VMware Integrated OpenStack with any third-party identity provider solution that uses the Security Association Markup Language (SAML) 2.0 protocol.
If you want to integrate VMware Integrated OpenStack with VMware Identity Manager using SAML 2.0, see Configure VMware Identity Manager Federation.
Prerequisites
- Deploy and configure your identity provider. Determine the location of its metadata file and the value of the entityID attribute in that file.
- Ensure that your VMware Integrated OpenStack deployment can access the FQDN of the identity provider.
- Create a mapping file in JSON format. For more information, see Mapping Combinations in the OpenStack documentation.
- In your mapping file, do not use federated as the domain name. This name is reserved by Keystone.
- Create a SAML attribute mapping file in JSON format. Use the following structure:
  [
    { "name": "attribute-1", "id": "id-1" },
    { "name": "attribute-2", "id": "id-2" },
    ...
  ]
Procedure
- Log in to the Integrated OpenStack Manager web interface as the admin user.
- In OpenStack Deployment, click the name of your deployment and open the Manage tab.
- On the Identity Federation tab, click Add.
- From the Federation type drop-down menu, select Generic SAML2.
- Enter the required parameters.
  Name: Enter a name for the identity provider.
  Description: Enter a description of the identity provider.
  Attribute mapping: Enter additional SAML attributes in JSON format or upload a JSON file containing the desired attributes.
  Generic SAML2 insecure: Deselect the checkbox to validate the certificates of your identity provider (selecting it skips certificate validation).
  Generic SAML2 entity ID: Enter the entityID attribute for your identity provider. You can find this value in the federation metadata file.
  SAML2 metadata URL: Enter the URL to the federation metadata file for your identity provider.
  SAML2 mapping: Enter SAML mappings in JSON format or upload a JSON file containing the desired mappings.
- (Optional) Select the Advanced settings checkbox to configure additional parameters.
- Under Common advanced settings, enter an OpenStack domain, project, and group into which federated users will be imported.
  Note:
  - If you do not enter a domain, project, or group, the following default values are used:
    - Domain: federated_domain
    - Project: federated_project
    - Group: federated_group
  - Do not enter federated as the domain name. This name is reserved by Keystone.
  - If you provide custom mappings, you must enter all OpenStack domains, projects, and groups that are included in those mappings.
- Click OK.
Results
VMware Integrated OpenStack is integrated with your identity provider solution, and federated users and groups are imported into OpenStack. When you access the VMware Integrated OpenStack dashboard, you can choose the specified identity provider to log in as a federated user.
Example: Integrating VMware Integrated OpenStack with Active Directory Federation Services
The following procedure implements identity federation between VMware Integrated OpenStack and Active Directory Federation Services (AD FS) based on the User Principal Name (UPN). In this example, the public virtual IP address of the VMware Integrated OpenStack deployment is 192.0.2.160 and the AD FS role has been added to a Windows Server virtual machine located at adfs.example.com. The name of the identity provider in VMware Integrated OpenStack will be set to adfsvio.
- In AD FS, add a relying party trust for VMware Integrated OpenStack.
  - In AD FS Management, select .
  - Click Start.
  - Select Enter data about the relying party manually and click Next.
  - Enter OpenStack for the display name and click Next.
  - Select AD FS profile and click Next.
  - Click Next.
  - Select Enable support for the SAML 2.0 WebSSO protocol.
  - Enter https://192.0.2.160:5000/adfsvio/Shibboleth.sso/SAML2 for the relying party URL and click Next.
  - Enter https://192.0.2.160:5000/adfsvio for the relying party trust identifier, click Add, and click Next.
  - Select I do not want to configure multi-factor authentication and click Next.
  - Select Permit all users to access this relying party and click Next.
  - Click Next, select Edit Claim Rules, and click Close.
  - Click Add Rule....
  - Select Pass Through or Filter an Incoming Claim and click Next.
  - Enter UPN passthrough for the rule name and select UPN for the incoming claim type.
  - Select Pass through all claim values and click Finish.
- Log in to the Integrated OpenStack Manager web interface as the admin user.
- In OpenStack Deployment, click the name of the deployment and open the Manage tab.
- On the Identity Federation tab, click Add.
- From the Federation type drop-down menu, select Generic SAML2.
- Enter the following configuration.
  Name: adfsvio
  Description: AD FS identity provider
  Attribute mapping:
    [ { "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "id": "upn" } ]
  Generic SAML2 entity ID: http://adfs.example.com/adfs/services/trust
  SAML2 metadata URL: https://adfs.example.com/federationmetadata/2007-06/federationmetadata.xml
  SAML2 mapping:
    [
      {
        "local": [
          {
            "user": { "name": "{0}" },
            "group": { "domain": { "name": "adfs-users" }, "name": "Federated Users" }
          }
        ],
        "remote": [ { "type": "upn" } ]
      }
    ]
- Select the Advanced settings checkbox.
- Select Common advanced settings and enter the following configuration.
  Domain: adfs-users
  Project: Leave the field blank.
  Group: Federated Users
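The attribute mapping and the SAML2 mapping above work in two stages: the attribute mapping gives each SAML claim URI a short id, and the remote "type" entries of the SAML2 mapping refer to those ids. The following Python is an added example, not VMware's or Keystone's code; it models that pipeline in simplified form (direct and any_one_of remote entries, the single local entry shape used on this page), rejects the reserved federated domain named in Prerequisites, and lists the domains and groups the mapping references so they can be entered under Common advanced settings.

```python
import json
import re

# Constructed for this example, not VMware's or Keystone's code: a simplified model
# of the attribute mapping and SAML2 mapping from the AD FS procedure above.
ATTRIBUTE_MAPPING = json.loads('[{"name": "http://schemas.xmlsoap.org/ws/2005/05/'
                               'identity/claims/upn", "id": "upn"}]')
SAML_MAPPING = json.loads('''[{"local": [{"user": {"name": "{0}"},
  "group": {"domain": {"name": "adfs-users"}, "name": "Federated Users"}}],
  "remote": [{"type": "upn"}]}]''')
RESERVED_DOMAIN = "federated"  # reserved by Keystone; rejected in apply_mapping


def claims_to_attributes(claims, attribute_mapping=ATTRIBUTE_MAPPING):
    """Turn assertion claims keyed by full URI into the short ids the SAML2
    mapping names as remote 'type' values; unmapped claims are dropped."""
    ids = {m["name"]: m["id"] for m in attribute_mapping}
    return {ids[uri]: value for uri, value in claims.items() if uri in ids}


def _fill(template, values):
    # Substitute {0}, {1}, ... with the direct remote values, in rule order.
    return re.sub(r"\{(\d+)\}", lambda m: values[int(m.group(1))], template)


def apply_mapping(attributes, saml_mapping=SAML_MAPPING):
    """Return the local user, group and domain a login maps to, or None when
    no rule has all of its remote attributes present and acceptable."""
    for rule in saml_mapping:
        values = []
        for remote in rule["remote"]:
            value, allowed = attributes.get(remote["type"]), remote.get("any_one_of")
            if value is None or (allowed is not None and value not in allowed):
                break  # rule does not match; try the next one
            if allowed is None:
                values.append(value)  # only direct entries feed {n} placeholders
        else:
            local = rule["local"][0]  # single-entry local shape used on this page
            domain = local["group"]["domain"]["name"]
            if domain == RESERVED_DOMAIN:
                raise ValueError("domain name 'federated' is reserved by Keystone")
            return {"user": _fill(local["user"]["name"], values),
                    "group": local["group"]["name"], "domain": domain}
    return None


def referenced_scopes(saml_mapping=SAML_MAPPING):
    """Domains and groups the mapping names; with custom mappings each of these
    must also be entered under Common advanced settings."""
    locals_ = [l for rule in saml_mapping for l in rule["local"]]
    return {"domains": sorted({l["group"]["domain"]["name"] for l in locals_}),
            "groups": sorted({l["group"]["name"] for l in locals_})}
```

Feeding the UPN claim from an AD FS assertion through claims_to_attributes and then apply_mapping yields user alice@example.com in group Federated Users of domain adfs-users, which is why both of those names must appear in the advanced settings.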
After the configuration is verified and updated, open the VMware Integrated OpenStack dashboard. You can now select the AD FS identity provider and log in as a federated user.
What to do next
If you need to delete a configured identity provider, first select it in the Integrated OpenStack Manager web interface and click Delete. Then log in to the VMware Integrated OpenStack dashboard, select , select the desired provider, and click Unregister Identity Providers.