You can integrate VMware Integrated OpenStack with any third-party identity provider that uses the Security Assertion Markup Language (SAML) 2.0 protocol. In this configuration, Keystone in VMware Integrated OpenStack acts as the service provider.

Important:
  • VMware does not support third-party identity providers. Contact your identity provider administrator to obtain the information required for this procedure.
  • Do not connect VMware Integrated OpenStack to both LDAP authentication and federation that use the same Active Directory backend.

If you want to integrate VMware Integrated OpenStack with VMware Identity Manager using SAML 2.0, see Configure VMware Identity Manager Federation.

Prerequisites

  • Determine the location of your identity provider's metadata file and the entityID attribute in that file.
  • Ensure that your VMware Integrated OpenStack deployment can access the FQDN of the identity provider.
  • For SAML2 attribute mapping, Keystone uses Shibboleth as the SSO component. Shibboleth maps the IdP user attributes to the local attributes used by Keystone. Contact your IdP administrator for the user attributes.
  • For SAML2 rule mapping, Keystone requires rules that map remote users to local domains, projects, and groups. For more information, see Mapping Combinations in the OpenStack documentation.
  • On the identity provider side, you must configure VMware Integrated OpenStack as the service provider. The service provider metadata is available at the following URL: https://<vio_public_endpoint>:5000/<your_idp_name>/Shibboleth.sso/Metadata

Procedure

  1. Log in to the Integrated OpenStack Manager web interface as the admin user.
  2. In OpenStack Deployment, click the name of your deployment and open the Manage tab.
  3. On the Keystone Federation tab, click Add.
  4. From the Federation type drop-down menu, select Generic SAML2.
  5. Enter the required parameters.
    Name: Enter a name for the identity provider. VMware Integrated OpenStack uses this name when creating the OpenStack identity provider.
    Description: Enter a description for the identity provider.
    Attribute mapping: Enter additional SAML attributes in JSON format, or upload a JSON file containing the desired attributes. VMware Integrated OpenStack uses the JSON data to configure the Shibboleth attribute-map.xml file.
    Generic SAML2 insecure: Deselect this check box so that the certificates of your identity provider are validated.
    Generic SAML2 entity ID: Enter the entityID attribute of your identity provider. You can find this value in the federation metadata file. VMware Integrated OpenStack uses this value when creating the OpenStack identity provider.
    SAML2 metadata URL: Enter the URL of the federation metadata file for your identity provider. Integrated OpenStack Manager accesses this URL to download the metadata file.
    SAML2 mapping: Enter SAML mappings in JSON format, or upload a JSON file containing the desired mappings. VMware Integrated OpenStack uses this value to create the OpenStack mapping and assigns it to the federation protocol for this identity provider.

    Attribute mapping format and example:
    [
      {
        "name": "urn:oid:0.9.2342.19200300.100.1.1",
        "nameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
        "id": "username"
      },
      {
        "name": "urn:oid:0.9.2342.19200300.100.1.3",
        "nameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
        "id": "email"
      }
    ]

    name: Enter the attribute name. Keystone requires at least one attribute that can serve as the user's unique identifier, for example username or email. Contact your IdP administrator to determine the attribute name; it can differ between IdP servers.
    nameFormat: Enter the attribute name format. Contact your IdP administrator to determine the format value. This attribute is optional.
    id: Enter the string value for this attribute. Do not use spaces in the string value; for example, use "username" rather than "user name". This value is referenced in the mapping rules as the remote "type".

    SAML2 Rule Mapping format and example:
    [
      {
        "local": [
          {
            "user": {
              "name": "{1}"
            },
            "group": {
              "name": "federated_users",
              "domain": {
                "name": "federated_domain"
              }
            }
          }
        ],
        "remote": [
          {
            "type": "username"
          },
          {
            "type": "email"
          }
        ]
      }
    ]

    You can find the rule mapping definition under Mapping Combinations in the OpenStack Keystone documentation.
    local: This section defines the local OpenStack user, group, domain, and project assigned to users mapped from the IdP. Placeholders such as {0} and {1} refer to entries of the "remote" list by position, counting from 0. In the example above, "name": "{1}" uses the value of the second remote attribute, "type": "email", as the Keystone login name, and the user logs in to the specified domain and project.
    remote: This section defines the rules and conditions for matching the remote attributes.

  6. (Optional) Select the Advanced settings check box to configure the domain, project, and group parameters.
    1. Under Common advanced settings, enter federated_domain as the OpenStack domain, federated_project as the project, and federated_group as the group.
    2. The OpenStack domain, project, and group names must match the values in the "local" section of the rule mapping JSON.
    3. VMware Integrated OpenStack creates the domain and project for the specified federated users.
      Note: Do not enter federated as the domain name, because this name is used by Keystone.
  7. Click OK.
    Note: After you finish the SAML2 configuration, the Keystone service restarts automatically. Before downloading the metadata, ensure that the deployment status has changed to RUNNING by running viocli get deployment.
  8. Ensure that https://<vio_public_endpoint>:5000/<your_idp_name>/Shibboleth.sso/Metadata is accessible, and configure your IdP to trust VMware Integrated OpenStack Keystone as the service provider.
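The following Python script is an added example, not part of the VMware documentation or Keystone's own code. It checks the consistency rules the procedure states (attribute ids without spaces, every remote type backed by an attribute-mapping id, every {n} placeholder pointing at an existing remote entry, the reserved domain name federated, and agreement between the "local" section and the Advanced settings), then resolves the placeholders against a constructed assertion as a simplified model of Keystone's mapping engine; the attribute and rule mappings are the ones from step 5.

```python
import json
import re
# Constructed inputs: the generic attribute mapping and rule mapping from step 5 of the procedure.
ATTRIBUTE_MAPPING = [
    {"name": "urn:oid:0.9.2342.19200300.100.1.1",
     "nameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", "id": "username"},
    {"name": "urn:oid:0.9.2342.19200300.100.1.3",
     "nameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri", "id": "email"},
]
RULE_MAPPING = [{
    "local": [{"user": {"name": "{1}"},
               "group": {"name": "federated_users", "domain": {"name": "federated_domain"}}}],
    "remote": [{"type": "username"}, {"type": "email"}],
}]
PLACEHOLDER = re.compile(r"\{(\d+)\}")  # {0}, {1}, ... index the "remote" list, counting from 0

def check_mapping(attribute_mapping, rule_mapping, advanced=None):
    """Return a list of consistency problems (empty means the inputs agree). 'advanced' is the
    optional {"domain": ..., "group": ...} pair entered under Common advanced settings."""
    problems = []
    ids = [a.get("id", "") for a in attribute_mapping]
    problems += [f"attribute id {i!r} must not contain spaces" for i in ids if " " in i]
    for n, rule in enumerate(rule_mapping):
        remote_types = [r["type"] for r in rule.get("remote", [])]
        problems += [f"rule {n}: remote type {t!r} has no attribute-mapping id"
                     for t in remote_types if t not in ids]
        for local in rule.get("local", []):
            problems += [f"rule {n}: placeholder {{{k}}} has no matching remote entry"
                         for k in PLACEHOLDER.findall(json.dumps(local))
                         if int(k) >= len(remote_types)]
            group = local.get("group", {})
            domain = group.get("domain", {}).get("name")
            if domain == "federated":
                problems.append(f"rule {n}: domain name 'federated' is reserved by Keystone")
            if advanced and (domain, group.get("name")) != (advanced.get("domain"), advanced.get("group")):
                problems.append(f"rule {n}: local domain/group differ from the Advanced settings")
    return problems

def resolve_local(rule_mapping, assertion):
    """Simplified model of Keystone placeholder resolution ('assertion' maps remote type -> the string
    value Shibboleth exposes). Returns the filled "local" block of the first rule whose remote attributes
    are all present, else None. Keystone also evaluates conditions (any_one_of, regex, ...) omitted here."""
    for rule in rule_mapping:
        values = [assertion.get(r["type"]) for r in rule["remote"]]
        if None in values:
            continue  # this rule needs an attribute the IdP did not send
        filled = PLACEHOLDER.sub(lambda m: json.dumps(values[int(m.group(1))])[1:-1],
                                 json.dumps(rule["local"]))  # JSON-escape substituted values
        return json.loads(filled)
    return None
```

Run check_mapping before resolve_local; an unchecked out-of-range placeholder raises IndexError during resolution.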

Results

VMware Integrated OpenStack is integrated with your identity provider solution, and federated users and groups are imported into OpenStack. When you access the VMware Integrated OpenStack dashboard, you can select the specified identity provider to log in as a federated user.

Note: When using identity federation, you must access the VMware Integrated OpenStack dashboard over the public OpenStack endpoint. Do not use the private OpenStack endpoint or a controller IP address to log in as a federated user.

Example: Integrating VMware Integrated OpenStack with Active Directory Federation Services

The following procedure implements identity federation between VMware Integrated OpenStack and Active Directory Federation Services (ADFS) based on the User Principal Name (UPN). The ADFS configuration procedure is an example for reference; a real enterprise configuration can differ, and you must adjust the corresponding VMware Integrated OpenStack SAML configuration accordingly.

In this example, the public virtual IP address of the VMware Integrated OpenStack deployment is 192.0.2.160 and the ADFS role is part of the Windows Server virtual machine located at adfs.example.com. The name of the identity provider in VMware Integrated OpenStack is adfsvio.

  1. In ADFS, add a relying party trust for VMware Integrated OpenStack.
    1. In ADFS Management, select Action > Add Relying Party Trust....
    2. Click Start.
    3. Select Enter data about the relying party manually and click Next.
    4. Enter OpenStack for the display name and click Next.
    5. Select ADFS profile and click Next.
    6. Click Next.
    7. Select Enable support for the SAML 2.0 WebSSO protocol.
    8. Enter https://192.0.2.160:5000/adfsvio/Shibboleth.sso/SAML2 for the relying party URL and click Next.
    9. Enter https://192.0.2.160:5000/adfsvio for the relying party trust identifier, click Add and click Next.
    10. Select I do not want to configure multi-factor authentication and click Next.
    11. Select Permit all users to access this relying party and click Next.
    12. Click Next, select Edit Claim Rules and click Close.
    13. Click Add Rule....
    14. Select Pass Through or Filter an Incoming Claim and click Next.
    15. Enter UPN passthrough for the rule name and select UPN for the incoming claim type.
    16. Select Pass through all claim values and click Finish.
  2. Log in to the Integrated OpenStack Manager web interface as the admin user.
  3. In OpenStack Deployment, click the name of the deployment and open the Manage tab.
  4. On the Identity Federation tab, click Add.
  5. From the Federation type drop-down menu, select Generic SAML2.
  6. Enter the following configuration:
    Name: adfsvio
    Description: ADFS identity provider
    Attribute mapping:
    [
        {
            "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
            "id": "upn"
        }
    ]
    Generic SAML2 entity ID: http://adfs.example.com/adfs/services/trust
    SAML2 metadata URL: https://adfs.example.com/federationmetadata/2007-06/federationmetadata.xml
    SAML2 mapping:
    [
        {
            "local": [
                {
                    "user": {
                        "name": "{0}"
                    },
                    "group": {
                        "domain": {
                            "name": "adfs-users"
                        },
                        "name": "Federated Users"
                    }
                }
            ],
            "remote": [
                {
                    "type": "upn"
                }
            ]
        }
    ]
  7. Select the Advanced settings checkbox.
  8. Select Common advanced settings and enter the following configuration.
    Domain: adfs-users
    Project: Leave the text box blank.
    Group: Federated Users

After the configuration has been verified and applied, open the VMware Integrated OpenStack dashboard. You can now select the ADFS identity provider and log in as a federated user.

What to do next

To delete a configured identity provider, select it in the Integrated OpenStack Manager web interface and click Delete. Then log in to the VMware Integrated OpenStack dashboard, select Identity > Federation > Identity Providers, select the desired provider, and click Unregister Identity Providers.