You can integrate VMware Integrated OpenStack with any third-party identity provider solution that uses the Security Assertion Markup Language (SAML) 2.0 protocol. Keystone in VMware Integrated OpenStack acts as the service provider in this configuration.
- VMware does not support third-party identity providers. Contact your identity provider administrator to obtain the information required for this procedure.
- Do not connect VMware Integrated OpenStack to both LDAP Authentication and Federation that use the same AD backend.
If you want to integrate VMware Integrated OpenStack with VMware Identity Manager using SAML 2.0, see Configure VMware Identity Manager Federation.
Prerequisites
- Determine the location of your identity provider's metadata file and the entityID attribute in that file.
- Ensure that your VMware Integrated OpenStack deployment can access the FQDN of the identity provider.
- For SAML2 Attribute Mapping, Keystone uses Shibboleth as the SSO component. Shibboleth maps the IdP user attributes to the local attributes used by Keystone. Contact your IdP admin for the user attributes.
- For SAML2 Rule Mapping, Keystone requires rules for mapping the remote users to local domains, projects, and groups. For more information, see Mapping Combinations in the OpenStack documentation.
- On the identity provider side, you must properly configure the service provider. The service provider metadata can be accessed with the following URL: https://<vio_public_endpoint>:5000/<your_idp_name>/Shibboleth.sso/Metadata
Procedure
Results
VMware Integrated OpenStack is integrated with your identity provider solution, and federated users and groups are imported into OpenStack. When you access the VMware Integrated OpenStack dashboard, you can select the specified identity provider to log in as a federated user.
Example: Integrating VMware Integrated OpenStack with Active Directory Federation Services
The following procedure implements identity federation between VMware Integrated OpenStack and Active Directory Federation Services (ADFS) based on the User Principal Name (UPN). The ADFS configuration is an example for your reference; a real enterprise configuration can differ, and you must change the corresponding VMware Integrated OpenStack SAML configuration accordingly.
In this example, the public virtual IP address of the VMware Integrated OpenStack deployment is 192.0.2.160 and the ADFS role is part of the Windows Server virtual machine located at adfs.example.com. The name of the identity provider in VMware Integrated OpenStack is adfsvio.
- In ADFS, add a relying party trust for VMware Integrated OpenStack.
- In ADFS Management, select .
- Click Start.
- Select Enter data about the relying party manually and click Next.
- Enter OpenStack for the display name and click Next.
- Select ADFS profile and click Next.
- Click Next.
- Select Enable support for the SAML 2.0 WebSSO protocol.
- Enter https://192.0.2.160:5000/adfsvio/Shibboleth.sso/SAML2 for the relying party URL and click Next.
- Enter https://192.0.2.160:5000/adfsvio for the relying party trust identifier, click Add and click Next.
- Select I do not want to configure multi-factor authentication and click Next.
- Select Permit all users to access this relying party and click Next.
- Click Next, select Edit Claim Rules and click Close.
- Click Add Rule....
- Select Pass Through or Filter an Incoming Claim and click Next.
- Enter UPN passthrough for the rule name and select UPN for the incoming claim type.
- Select Pass through all claim values and click Finish.
- Log in to the Integrated OpenStack Manager web interface as the admin user.
- In OpenStack Deployment, click the name of the deployment and open the Manage tab.
- On the Identity Federation tab, click Add.
- From the Federation type drop-down menu, select Generic SAML2.
- Enter the following configuration:

| Option | Description |
|---|---|
| Name | adfsvio |
| Description | ADFS identity provider |
| Attribute mapping | `[ { "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "id": "upn" } ]` |
| Generic SAML2 entity ID | http://adfs.example.com/adfs/services/trust |
| SAML2 metadata URL | https://adfs.example.com/federationmetadata/2007-06/federationmetadata.xml |
| SAML2 mapping | `[ { "local": [ { "user": { "name": "{0}" }, "group": { "domain": { "name": "adfs-users" }, "name": "Federated Users" } } ], "remote": [ { "type": "upn" } ] } ]` |
- Select the Advanced settings checkbox.
- Select Common advanced settings and enter the following configuration.

| Option | Description |
|---|---|
| Domain | adfs-users |
| Project | Leave the text box blank. |
| Group | Federated Users |

After the configuration verification and update have finished, open the VMware Integrated OpenStack dashboard. You can now select the ADFS identity provider and log in as a federated user.
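The two JSON documents above are the heart of the configuration: the attribute mapping renames the ADFS claim URI to the local id `upn` (the job Shibboleth does on the service-provider side), and the SAML2 mapping tells Keystone which remote attributes a rule needs and which local user and group to produce from them. The following script is an added example, not Keystone's, Shibboleth's or VMware's own code. It re-implements that two-step evaluation in simplified form so you can dry-run a mapping against a constructed assertion before entering it in Integrated OpenStack Manager. It goes slightly beyond the page in also modelling Keystone's `any_one_of` / `not_any_of` / `regex` requirement filters, so the constructed `RESTRICTED_RULES` below (a UPN-suffix restriction) and the sample assertions are assumptions for illustration only.

```python
"""Dry-run a Keystone-style federation mapping against a SAML assertion.

Added example; a simplified model of how Keystone evaluates mapping rules
(remote requirement matching plus {0}-style direct substitution into the
local section).  It is not the Keystone implementation.
"""
import json
import re

# The two JSON documents from the adfsvio procedure, copied as-is.
ATTRIBUTE_MAPPING = json.loads(
    '[ { "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "id": "upn" } ]'
)
MAPPING_RULES = json.loads(
    '[ { "local": [ { "user": { "name": "{0}" }, '
    '"group": { "domain": { "name": "adfs-users" }, "name": "Federated Users" } } ], '
    '"remote": [ { "type": "upn" } ] } ]'
)

# Constructed variant (not from the page): only UPNs ending in @example.com may log in.
RESTRICTED_RULES = [{
    "local": [{"user": {"name": "{0}"}}],
    "remote": [{"type": "upn"},
               {"type": "upn", "any_one_of": [r"@example\.com$"], "regex": True}],
}]

# Constructed sample assertion, keyed by claim URI as ADFS would send it.
SAMPLE_ASSERTION = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": ["alice@example.com"],
}


def shibboleth_style_attributes(assertion, attribute_mapping):
    """Step 1: rename IdP claim names to the local ids Keystone sees.
    Claims that have no entry in the attribute mapping are dropped."""
    by_name = {m["name"]: m["id"] for m in attribute_mapping}
    return {by_name[n]: v for n, v in assertion.items() if n in by_name}


def _requirement_matches(values, req):
    """Evaluate one remote requirement against the attribute's values."""
    def hit(patterns):
        if req.get("regex"):
            return any(re.search(p, v) for p in patterns for v in values)
        return bool(set(patterns) & set(values))
    if "any_one_of" in req:
        return hit(req["any_one_of"])
    if "not_any_of" in req:
        return not hit(req["not_any_of"])
    return True  # a bare {"type": ...} only requires the attribute to be present


def _substitute(obj, direct_maps):
    """Expand {0}, {1}, ... placeholders anywhere in the local section."""
    if isinstance(obj, str):
        return obj.format(*direct_maps)
    if isinstance(obj, dict):
        return {k: _substitute(v, direct_maps) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_substitute(v, direct_maps) for v in obj]
    return obj


def apply_mapping(attributes, rules):
    """Step 2: evaluate the rules.  Returns the merged local identity, or None
    when no rule matches (Keystone rejects the federated login in that case)."""
    identity = None
    for rule in rules:
        direct_maps, matched = [], True
        for req in rule["remote"]:
            values = attributes.get(req["type"])
            if not values or not _requirement_matches(values, req):
                matched = False
                break
            # Only filter-free requirements feed the {n} placeholders; the
            # first value is used (Keystone keeps the full list for multi-valued attributes).
            if "any_one_of" not in req and "not_any_of" not in req:
                direct_maps.append(values[0])
        if not matched:
            continue
        identity = identity or {"user": {}, "group": []}
        for local in rule["local"]:
            local = _substitute(local, direct_maps)
            identity["user"].update(local.get("user", {}))
            if "group" in local:
                identity["group"].append(local["group"])
    return identity


if __name__ == "__main__":
    attrs = shibboleth_style_attributes(SAMPLE_ASSERTION, ATTRIBUTE_MAPPING)
    print(json.dumps(apply_mapping(attrs, MAPPING_RULES), indent=2))
```

Run it with the real claim set your IdP administrator gives you substituted for `SAMPLE_ASSERTION`; a `None` result means the mapping would reject that user, which is the quickest way to catch a claim URI typo or a missing `upn` attribute before users hit the dashboard.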
What to do next
To delete a configured identity provider, select the Integrated OpenStack Manager web interface and click Delete. Then log in to the VMware Integrated OpenStack dashboard, select , select the desired provider, and click Unregister Identity Providers.