Horizon gives 401 authentication issue with OIDC

asked 2017-06-05 04:24:22 -0600

sanjana

updated 2017-06-05 04:26:58 -0600

I have used devstack to install OpenStack on my system running Ubuntu 16.04. Additionally, I have configured federation in Keystone. Below are the changes I have made. I have modified the following in Horizon: /opt/stack/horizon/openstack-dashboard/local/local_settings.py

WEBSSO_ENABLED = True

WEBSSO_CHOICES = (
  ("mapped", _("Authenticate Externally")),
)

Keystone: /etc/keystone/keystone.conf

[federation]
remote_id_attribute = HTTP_OIDC_ISS
trusted_dashboard = http://<fqdn or IP>/dashboard/auth/websso/

Keystone: /etc/apache2/sites-available/wsgi-keystone.conf or /etc/apache2/sites-available/keystone.conf

# Configure OIDC
OIDCClaimPrefix "OIDC-"
OIDCResponseType "id_token"
OIDCScope "openid email profile"
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID <Google Client ID>
OIDCClientSecret <Google Client Secret>
OIDCCryptoPassphrase openstack
OIDCRedirectURI http://<SP fqdn>/identity/v3/OS-FEDERATION/identity_providers/myidp/protocols/mapped/auth
OIDCRedirectURI http://<SP fqdn>/identity/v3/auth/OS-FEDERATION/websso
OIDCRedirectURI http://<SP fqdn>/identity/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/mapped/websso

# For keystone
<LocationMatch /identity/v3/OS-FEDERATION/identity_providers/.*?/protocols/mapped/auth>
  AuthType openid-connect
  Require valid-user
  LogLevel debug
</LocationMatch>

# For horizon
<Location ~ "/identity/v3/auth/OS-FEDERATION/websso/mapped">
  AuthType openid-connect
  Require valid-user
</Location>
<Location ~ "/identity/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/mapped/websso">
  AuthType openid-connect
  Require valid-user
</Location>

Other settings:

source accrc/admin/admin
export OS_IDENTITY_API_VERSION=3
openstack domain create federated_domain
openstack group create federated_users
openstack role add --group federated_users --domain federated_domain admin
openstack identity provider create --remote-id https://accounts.google.com myidp

1. I basically want to know if I have to make changes in /etc/apache2/sites-available/wsgi-keystone.conf or /etc/apache2/sites-available/keystone.conf? (The guide only says to modify the vhost file.)
2. Is there any other configuration that I am missing?
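A static check of the mod_auth_openidc fragment from the question, added here as an example and not code from the poster or from Keystone. It parses the OIDCRedirectURI lines and the Location/LocationMatch blocks that carry AuthType openid-connect, then reports three things a practitioner would verify before chasing a 401 further: a redirect URI whose path is not inside any location the module protects (the module only processes the provider's callback on a protected path, so an unprotected one lands on Keystone unauthenticated), more than one OIDCRedirectURI (the directive is single-valued, so only the last line takes effect), and redirect URIs over plain http. The hostname sp.example.invalid replaces the <SP fqdn> placeholder, the Python re module stands in for Apache's PCRE matching, and the "fixed" fragment with a single https /auth/redirect vanity path is an assumed layout that passes the checks, not a statement of what the poster's setup needs.

```python
"""Sanity-check a mod_auth_openidc vhost fragment used for Keystone federation."""
import re
from urllib.parse import urlsplit

# Constructed input: the question's fragment, with the <SP fqdn> placeholder
# replaced by the assumed host sp.example.invalid so the URLs parse.
POSTED_CONF = """
OIDCRedirectURI http://sp.example.invalid/identity/v3/OS-FEDERATION/identity_providers/myidp/protocols/mapped/auth
OIDCRedirectURI http://sp.example.invalid/identity/v3/auth/OS-FEDERATION/websso
OIDCRedirectURI http://sp.example.invalid/identity/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/mapped/websso

<LocationMatch /identity/v3/OS-FEDERATION/identity_providers/.*?/protocols/mapped/auth>
  AuthType openid-connect
  Require valid-user
  LogLevel debug
</LocationMatch>

<Location ~ "/identity/v3/auth/OS-FEDERATION/websso/mapped">
  AuthType openid-connect
  Require valid-user
</Location>
<Location ~ "/identity/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/mapped/websso">
  AuthType openid-connect
  Require valid-user
</Location>
"""

# Constructed: the same protected locations with one https redirect URI on an
# /auth/redirect "vanity" path under the LocationMatch (assumed layout).
FIXED_CONF = """
OIDCRedirectURI https://sp.example.invalid/identity/v3/OS-FEDERATION/identity_providers/myidp/protocols/mapped/auth/redirect

<LocationMatch /identity/v3/OS-FEDERATION/identity_providers/.*?/protocols/mapped/auth>
  AuthType openid-connect
  Require valid-user
</LocationMatch>
<Location ~ "/identity/v3/auth/OS-FEDERATION/websso/mapped">
  AuthType openid-connect
  Require valid-user
</Location>
<Location ~ "/identity/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/mapped/websso">
  AuthType openid-connect
  Require valid-user
</Location>
"""

# <Location path>, <Location ~ "regex"> and <LocationMatch regex> blocks.
BLOCK_RE = re.compile(
    r'<Location(Match)?\s+(~\s+)?"?([^"\s>]+)"?\s*>(.*?)</Location(?:Match)?>',
    re.S)


def protected_locations(conf):
    """(pattern, is_regex) for each block that sets AuthType openid-connect;
    only those paths are handled by mod_auth_openidc at all."""
    locs = []
    for m in BLOCK_RE.finditer(conf):
        is_regex = bool(m.group(1) or m.group(2))
        if re.search(r'AuthType\s+openid-connect', m.group(4), re.I):
            locs.append((m.group(3), is_regex))
    return locs


def redirect_uris(conf):
    """Every OIDCRedirectURI value, in file order."""
    return re.findall(r'^\s*OIDCRedirectURI\s+(\S+)', conf, re.M)


def is_protected(path, locs):
    """Apache semantics: regex forms are searched, plain Location is a prefix."""
    return any(re.search(p, path) if rx else path.startswith(p)
               for p, rx in locs)


def audit(conf):
    """Return (uri, problem) pairs; an empty list means the fragment passes."""
    findings = []
    uris = redirect_uris(conf)
    locs = protected_locations(conf)
    # OIDCRedirectURI is single-valued: a later line replaces the earlier
    # ones, so every value except the last is silently ignored.
    for u in uris[:-1]:
        findings.append((u, "overridden-redirect-uri"))
    for u in uris:
        parts = urlsplit(u)
        if parts.scheme != "https":
            # id_token and the module's session cookie travel over this URL.
            findings.append((u, "plain-http"))
        if not is_protected(parts.path, locs):
            # The callback is only processed inside a protected location;
            # otherwise Keystone sees an unauthenticated request on it.
            findings.append((u, "unprotected"))
    return findings


if __name__ == "__main__":
    for name, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        print(name, audit(conf) or "ok")
```

Run it as a script to see the findings for both fragments; to check a real vhost, read the file into a string and pass it to audit(). The location matching is deliberately simplistic (no <Directory> or <If> handling), so treat an empty result as "nothing obviously wrong", not as proof the flow works.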