openstack keycloak freeipa

Prerequisites

FreeIPA and OpenStack is already configured. OpenStack is configured using Kolla Ansible.
Keycloak is already configured and federated with FreeIPA (directory service).

In this example the current IP and port that has been used

Keycloak: http://10.20.20.14:8081
OpenStack: http://10.20.20.100:5000

Setup OpenID configuration on Keycloak

This operation is performed on the Keycloak Dashboard.

Go to the realm that previously created, for example "freeipa-realm", select Configure > Clients > Create, then fill the following section
```
 Client ID: openstack-client 
 Client Protocol: openid-connect
```

Adjust the authentication flow using OpenID.

 Client ID: openstack-client 
 Client Protocol: openid-connect
 Access Type: Confidential # define the username/password mechanism
 Standard Flow Enabled: On
 Implicit Flow Enabled: On
 Direct Access Grants Enabled: On

 Valid Redirect URIs *: https://10.20.20.100:5000/v3/OS-FEDERATION/identity_providers/openidtest/protocols/openid/auth 
 Backchannel Logout Session Required: On

Note: The valid redirect URIs must match the endpoint on OpenStack Keystone

On Clients > Credentials tab, you will see the Client ID and Secret.
```
 Client Authenticator: Client ID
 Secret: XXXXXXXXXXXXX
```

Configure OpenID on Keystone and Horizon

This operation is performed on the OpenStack host.

Create directories for Keystone and Horizon services. This directory is used to put the configured files.
```
 $ sudo mkdir /etc/kolla/config/horizon
 $ sudo mkdir /etc/kolla/config/keystone
```

Create the file and change the owner.

 $ sudo touch /etc/kolla/config/horizon/local_settings
 $ sudo touch /etc/kolla/config/keystone/keystone.conf
 $ sudo touch /etc/kolla/config/keystone/wsgi-keystone.conf

 $ sudo chown -R $USER:$USER /etc/kolla/config/horizon/
 $ sudo chown -R $USER:$USER /etc/kolla/config/keystone/

Configure federating resource on Keystone service

Create identity provider object on Keystone

Remote id value is an issuer on OpenID. To see the issuer you can obtained from the OpenID configuration. By accessing the Keycloak .well-known/openid-configuration endpoint.

For example:
http://10.20.20.14:8081/auth/realms/freeipa-realm/.well-known/openid-configuration

Then, create the object by running the command below
```
 $ openstack identity provider set --remote-id http://10.20.20.14:8081/auth/realms/freeipa-realm openidtest
```

Create a mapping rules for remote user attribute. The file created is in the form of json with the name rules.json.

 $ cat > rules.json <<EOF
 [
     {
         "local": [
             {
                 "user": {
                     "name": "{0}"
                 },
                 "group": {
                     "domain": {
                         "name": "Default"
                     },
                     "name": "federated_users"
                 }
             }
         ],
         "remote": [
             {
                 "type": "HTTP_OIDC_ISS"
             }
         ]
     }
 ]
 EOF

 $ openstack mapping create --rules rules.json openidtest_mapping

Create a group for the role assignment on Keystone
```
 $ openstack group create federated_users
```

Create a project on Keystone

 $ openstack project create federated_project

Define the roles for group members

 $ openstack role add --group federated_users --project federated_project member

Create a federation protocol for the identity provider based on the mapping rules that has been created.
```
 $ openstack federation protocol create openid --mapping openidtest_mapping --identity-provider openidtest
```
Note: make sure the federation protocol name matches the specified valid keystone authentication rules, such as openid and saml2.

https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html#sp-prerequisites

Configure Apache Authentication Module to OpenID-Connect

Create a protected endpoint


 # Keystone
 <Location /v3/OS-FEDERATION/identity_providers/<IDENTITYPROVIDER>/protocols/<PROTOCOL>/auth>
 Require valid-user
 AuthType [...]
 ...
 </Location>

 # Horizon (SSO)
 <Location /v3/auth/OS-FEDERATION/websso/<PROTOCOL>>
 Require valid-user
 AuthType [...]
 ...
 </Location>

 <Location /v3/auth/OS-FEDERATION/identity_providers/<IDENTITYPROVIDER>/protocols/<PROTOCOL>/websso>
 Require valid-user
 AuthType [...]
 ...
 </Location>

Configure the authentication module

This configuration is for Apache web server on virtualhost keystone, set to OIDC option.

 OIDCClaimPrefix "OIDC-"
 OIDCResponseType "id_token"
 OIDCScope "openid email profile"
 OIDCProviderMetadataURL https://<URL_IDENTITY_PROVIDER>/.well-known/openid-configuration
 OIDCClientID <openid_client_id>
 OIDCClientSecret <openid_client_secret>
 OIDCCryptoPassphrase <random string> # random string
 OIDCRedirectURI https://<URL_HORIZON>/v3/OS-FEDERATION/identity_providers/<IDENTITYPROVIDER>/protocols/<PROTOCOL>/auth

Then add the configuration to /etc/kolla/config/keystone/wsgi-keystone.conf.

 <VirtualHost *:5000>
 ….
 ….

 ServerName https://10.20.20.100:5000
 OIDCClaimPrefix "OIDC-"
 OIDCResponseType "id_token"
 OIDCScope "openid email profile"
 OIDCProviderMetadataURL http://10.20.20.14:8081/auth/realms/freeipa-realm/.well-known/openid-configuration 
 OIDCClientID openstack-client # keycloak client id
 OIDCClientSecret xxxx-xxxx-xxxx-xxxx-xxxx # keycloak client secret
 OIDCCryptoPassphrase openstack
 OIDCRedirectURI https://10.20.20.100:5000/v3/OS-FEDERATION/identity_providers/openidtest/protocols/openid/auth 

 # Keystone
 <Location /v3/OS-FEDERATION/identity_providers/openidtest/protocols/openid/auth>
     Require valid-user
     AuthType openid-connect
     LogLevel debug
 </Location>

 # Horizon
 <Location /v3/auth/OS-FEDERATION/websso/openid>
     Require valid-user
     AuthType openid-connect
 </Location>

 <Location /v3/auth/OS-FEDERATION/identity_providers/openidtest/protocols/openid/websso>
     Require valid-user
     AuthType openid-connect
 </Location>

 ...
 ...
 ...
 </VirtualHost>

OIDCProviderMetadataURL is located in freeipa-realm > Configure > Realm Settings, then select Endpoints and click "Endpoints OpenID Endpoint Configuration". *

Configure Keystone

This configuration is performed on /etc/kolla/config/keystone/keystone.conf.

Add the authentication method.

 [auth]
 methods = password,token,saml2,openid

Configure the remote ID attribute.

 [openid]
 remote_id_attribute = HTTP_OIDC_ISS

 [federation]
 remote_id_attribute = HTTP_OIDC_ISS

Add the Trusted Dashboard (WebSSO).

 [federation]
 trusted_dashboard = https://10.20.20.100/auth/websso/
 sso_callback_template = /etc/keystone/sso_callback_template.html

Configure Horizon

The configuration is performed on /etc/kolla/config/horizon/local_settings.

Enable the SSO
```
 WEBSSO_ENABLED = True
```

Configure the provider for SSO

 WEBSSO_CHOICES = (
     ("credentials", _("Keystone Credentials")),
     ("openidtest_openid", "Keycloak - OpenID Connect"),
 )

 # NOTE: The value is expected to be a tuple formatted as: (<idp_id>, <protocol_id>).
 WEBSSO_IDP_MAPPING = {
     "openidtest_openid": ("openidtest", "openid"),
 }

Reconfigure OpenStack

 $ kolla-ansible -i multinode reconfigure

Reference

https://docs.openstack.org/keystone/ussuri/admin/federation/configure_federation.html#create-a-mapping

https://github.com/keycloak/keycloak-documentation/blob/master/securing_apps/topics/oidc/mod-auth-openidc.adoc

http://wsfdl.com/openstack/2016/02/01/Keystone-Google-Federation-With-OpenID.html

https://www.meshcloud.io/2017/08/25/federated-authentication-with-the-openstack-cli/

https://docs.openstack.org/keystone/pike/configuration/samples/keystone-conf.html

http://www.gazlene.net/federation-devstack.html

Federation and Identity Brokering on OpenStack using OpenID and Keycloak + FreeIPA