Configuring OpenStack for Single Sign On with Globus and Joining the Aristotle Federation

Registering a Globus Auth Client

Go to https://developers.globus.org. Click on "Register your app with Globus".

  1. Add a new project and app using the following parameters:
    • Scopes: "openid email profile"
    • Redirects: https://:/v3/auth/OS-FEDERATION/identity_providers/globus/protocols/openidc/websso/redirect
      • The default is 5000. Aristotle clouds are encouraged to run keystone on port 8770 because port 5000 is blocked by many ISPs.
    • Native App: leave unchecked
  2. After the app is created, generate a client secret using the "Generate New Client Secret" button. Note down the client ID and client secret.

Globus Auth Documentation is available at https://docs.globus.org/api/auth/

Configuring Horizon

Add the following lines to /etc/openstack-dashboard/local_settings:

WEBSSO_ENABLED = True

WEBSSO_CHOICES = (
    ("credentials", _("Keystone Credentials")),
    ("globus", _("Globus Auth")),
)

WEBSSO_IDP_MAPPING = {
    "credentials": ("credentials", "password"),
    "globus": ("globus", "openidc"),
}

Restart Horizon for change to take effect:

systemctl restart httpd

Configuring Keystone

Configure Keystone to:

  • run as an apache WSGI web app, and
  • SSL is enabled because Globus Auth requires SSL for redirect URI.
  1. Create a globus domain:
    openstack domain create globus
  2. Insert the following lines in /etc/httpd/conf.d/10-keystone_wsgi_main.conf:
    LoadModule auth_openidc_module modules/mod_auth_openidc.so
    OIDCClaimPrefix "OIDC-"
    OIDCResponseType "code"
    OIDCScope "openid email profile"
    OIDCProviderMetadataURL "https://auth.globus.org/.well-known/openid-configuration"
    OIDCClientID ""
    OIDCClientSecret ""
    OIDCCryptoPassphrase ""
    
    OIDCRedirectURI "https://:5000/v3/OS-FEDERATION/identity_providers/globus/protocols/openidc/auth/redirect"
    
        AuthType "openid-connect"
        Require valid-user
    
    
    OIDCRedirectURI "https://:5000/v3/auth/OS-FEDERATION/identity_providers/globus/protocols/openidc/websso/redirect"
    
        AuthType "openid-connect"
        Require valid-user
    
  3. Insert the following lines in /etc/keystone/keystone.conf:
    [auth]
    methods = password,token,openidc
    openidc=keystone.auth.plugins.mapped.Mapped
    
    [federation]
    remote_id_attribute = HTTP_OIDC_ISS
    federated_domain_name = globus
    trusted_dashboard=https:///dashboard/auth/websso/
  4. Restart Keystone for changes to take effect.
    systemctl restart httpd
  5. Create the globus identity provider:
    openstack identity provider create --remote-id https://auth.globus.org --domain globus globus
  6. Send email to get access to the mapping script that maps identities from the Aristotle portal user accounts data. Provide the IP address of your cloud controller host in order to request access to Aristotle user accountsIn the script, substitute the appropriate aristotle_domain and aristotle_mapping_name.
  7. Set up a cron job to run the mapping script periodically to update the mapping file. Send email to request more details on configuring the mapping file.