• "The whole is greater than the sum of its parts."





Configuring OpenStack for Single Sign On with Globus and Joining the Aristotle Federation

Registering a Globus Auth Client

Go to https://developers.globus.org. Click on "Register your app with Globus".

  1. Add a new project and app using the following parameters:
    • Scopes: "openid email profile"
    • Redirects: https://<cloud controller public host name>:<keystone port>/v3/auth/OS-FEDERATION/identity_providers/globus/protocols/openidc/websso/redirect
      • The default is 5000. Aristotle clouds are encouraged to run keystone on port 8770 because port 5000 is blocked by many ISPs.
    • Native App: leave unchecked
  2. After the app is created, generate a client secret using the "Generate New Client Secret" button. Note down the client ID and client secret.

Globus Auth Documentation is available at https://docs.globus.org/api/auth/

Configuring Horizon

Add the following lines to /etc/openstack-dashboard/local_settings:

WEBSSO_ENABLED = True

WEBSSO_CHOICES = (
    ("credentials", _("Keystone Credentials")),
    ("globus", _("Globus Auth")),
)

WEBSSO_IDP_MAPPING = {
    "credentials": ("credentials", "password"),
    "globus": ("globus", "openidc"),
}

Restart Horizon for change to take effect:

systemctl restart httpd

Configuring Keystone

Configure Keystone to:

  • run as an apache WSGI web app, and
  • SSL is enabled because Globus Auth requires SSL for redirect URI.
  1. Create a globus domain: 
    openstack domain create globus
  2. Insert the following lines in /etc/httpd/conf.d/10-keystone_wsgi_main.conf: 
    LoadModule auth_openidc_module modules/mod_auth_openidc.so
OIDCClaimPrefix "OIDC-"
OIDCResponseType "code"
OIDCScope "openid email profile"
OIDCProviderMetadataURL "https://auth.globus.org/.well-known/openid-configuration"
OIDCClientID ""
OIDCClientSecret ""
OIDCCryptoPassphrase ""

OIDCRedirectURI "https://:5000/v3/OS-FEDERATION/identity_providers/globus/protocols/openidc/auth/redirect"

    AuthType "openid-connect"
    Require valid-user


OIDCRedirectURI "https://:5000/v3/auth/OS-FEDERATION/identity_providers/globus/protocols/openidc/websso/redirect"

    AuthType "openid-connect"
    Require valid-user
  3. Insert the following lines in /etc/keystone/keystone.conf: 
    [auth]
methods = password,token,openidc
openidc=keystone.auth.plugins.mapped.Mapped

[federation]
remote_id_attribute = HTTP_OIDC_ISS
federated_domain_name = globus
trusted_dashboard=https:///dashboard/auth/websso/
  4. Restart Keystone for changes to take effect. 
    systemctl restart httpd
  5. Create the globus identity provider: 
    openstack identity provider create --remote-id https://auth.globus.org --domain globus globus
  6. Send email to get access to the mapping script that maps identities from the Aristotle portal user accounts data. Provide the IP address of your cloud controller host in order to request access to Aristotle user accountsIn the script, substitute the appropriate aristotle_domain and aristotle_mapping_name.
  7. Set up a cron job to run the mapping script periodically to update the mapping file. Send email to request more details on configuring the mapping file.