Name: request-header-saml-service-provider
Owner: OpenShift
Description: A pod for running a RequestHeaderIdentityProvider service
Created: 2016-06-13 17:31:46.0
Updated: 2017-08-25 05:40:23.0
Pushed: 2018-01-26 09:43:00.0
Homepage: null
Size: 40
Language: Shell
This Docker image is used for SAML authentication.
The deployment of this pod involves loading a template and using it to create a new application. This running pod will mount in secrets for all custom configuration.
Create the secret for the httpd SAML configuration files (saml-sp.cert, saml-sp.key, saml-sp.xml, sp-idp-metadata.xml). Assuming an EntityID of https://sp.example.org/mellon and a mellon service running at the same location, the first three files can be generated automatically with the following commands:
```bash
mkdir ./httpd-saml-config
mellon_create_metadata.sh https://sp.example.org/mellon https://sp.example.org/mellon
# Note: Secrets cannot have key names with an underscore in them, so when
# creating metadata files with `mellon_create_metadata.sh` the resulting files
# must be renamed appropriately (and moved into the directory the secret is built from).
mv saml_sp.cert ./httpd-saml-config/saml-sp.cert
mv saml_sp.key ./httpd-saml-config/saml-sp.key
mv saml_sp.xml ./httpd-saml-config/saml-sp.xml
```
The sp-idp-metadata.xml file must be supplied by your Identity Provider; place it in ./httpd-saml-config alongside the other three files.
```bash
oc secrets new httpd-saml-config-secret ./httpd-saml-config
```
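Because a secret with a bad key name is only rejected at `oc secrets new` time, and a wrong or empty PEM file only shows up once the pod fails to start, it helps to check the directory before creating the secret. The following script is an added example, not part of this repository: it checks that the files the page lists are present, that no key name contains an underscore (the rule stated above), that certificate and key files look like PEM, and that private keys are not group/world readable. The required-file lists are taken from this page; the constructed sample directory and the accepted key-name pattern are assumptions of the example.

```python
import os
import re
import tempfile

# Files this page expects in each secret directory.
REQUIRED_FILES = {
    "httpd-saml-config": ["saml-sp.cert", "saml-sp.key", "saml-sp.xml", "sp-idp-metadata.xml"],
    "httpd-ose-certs": ["authproxy.pem", "ca.crt"],
    "httpd-server-certs": ["server.crt", "server.key"],
}

# Key-name rule stated on the page: no underscores in secret key names.
# Accepting letters, digits, '.' and '-' is an assumption of this example.
KEY_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*$")

# File types that must hold PEM data (certificate or key).
PEM_SUFFIXES = (".cert", ".crt", ".key", ".pem")


def suggested_name(name):
    """Rename rule used on the page: saml_sp.cert -> saml-sp.cert."""
    return name.replace("_", "-")


def check_secret_dir(path, required):
    """Return a list of problems; an empty list means the directory is ready for `oc secrets new`."""
    problems = []
    present = set(os.listdir(path))
    for name in required:
        if name not in present:
            problems.append("missing " + name)
    for name in sorted(present):
        full = os.path.join(path, name)
        if not KEY_NAME_RE.match(name):
            problems.append("bad key name %s (rename to %s)" % (name, suggested_name(name)))
        if os.path.getsize(full) == 0:
            problems.append(name + " is empty")
        elif name.endswith(PEM_SUFFIXES):
            with open(full, "rb") as fh:
                if not fh.read(11).startswith(b"-----BEGIN "):
                    problems.append(name + " is not PEM encoded")
        # The private key ends up in a Secret; it should not be readable by others on the admin host either.
        if name.endswith(".key") and os.name == "posix" and os.stat(full).st_mode & 0o077:
            problems.append(name + " is readable by group/other")
    return problems


def make_constructed_saml_dir(renamed=False, with_idp_metadata=False):
    """Constructed sample directory (placeholder PEM bodies, not real key material).

    It reproduces the underscore names mellon_create_metadata.sh writes and, unless
    asked otherwise, omits the IdP metadata the Identity Provider has to supply."""
    path = tempfile.mkdtemp(prefix="httpd-saml-config-")
    files = {
        "saml_sp.cert": b"-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n",
        "saml_sp.key": b"-----BEGIN PRIVATE KEY-----\nMIIE...constructed...\n-----END PRIVATE KEY-----\n",
        "saml_sp.xml": b'<EntityDescriptor entityID="https://sp.example.org/mellon"/>\n',
    }
    if with_idp_metadata:
        files["sp-idp-metadata.xml"] = b'<EntityDescriptor entityID="https://idp.example.org/"/>\n'
    for name, data in files.items():
        target = os.path.join(path, suggested_name(name) if renamed else name)
        with open(target, "wb") as fh:
            fh.write(data)
        if target.endswith(".key"):
            os.chmod(target, 0o600)
    return path


if __name__ == "__main__":
    for renamed in (False, True):
        d = make_constructed_saml_dir(renamed=renamed, with_idp_metadata=renamed)
        print(d, check_secret_dir(d, REQUIRED_FILES["httpd-saml-config"]) or "OK")
```

Run it against the real directory with `check_secret_dir("./httpd-saml-config", REQUIRED_FILES["httpd-saml-config"])` (and likewise for the two certificate directories created further down) and only call `oc secrets new` once it returns an empty list. The check deliberately does not verify that the certificate matches the key; that needs `openssl` and is worth doing separately.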
This certificate is used by the SAML service provider pod to make a secure request to the Master. Using all the defaults, a suitable file can be created as follows:
```bash
oadm create-api-client-config --certificate-authority='/etc/origin/master/ca.crt' \
  --client-dir='/etc/origin/master/' \
  --signer-cert='/etc/origin/master/ca.crt' \
  --signer-key='/etc/origin/master/ca.key' \
  --signer-serial='/etc/origin/master/ca.serial.txt' \
  --user='system:proxy'
mkdir ./httpd-ose-certs
# The proxy presents this client certificate (plus key) to the Master; the Master checks it against clientCA.
cat /etc/origin/master/system\:proxy.crt /etc/origin/master/system\:proxy.key > ./httpd-ose-certs/authproxy.pem
cp /etc/origin/master/ca.crt ./httpd-ose-certs/ca.crt
```
Now create the secret:
```bash
oc secrets new httpd-ose-certs-secret ./httpd-ose-certs
```
The SAML service provider pod will itself expose a TLS endpoint. The OpenShift Router uses TLS passthrough so that the pod terminates the connection itself. For testing purposes a self-signed certificate may be used:
```bash
mkdir ./httpd-server-certs
# Make sure you input the saml service provider hostname for the Common Name
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ./httpd-server-certs/server.key
openssl req -new -key ./httpd-server-certs/server.key -out /tmp/server.csr
openssl x509 -req -days 365 -in /tmp/server.csr -signkey ./httpd-server-certs/server.key -out ./httpd-server-certs/server.crt
```
Now create the secret:
```bash
oc secrets new httpd-server-certs-secret ./httpd-server-certs
```
Optional: Create a secret for a custom CA (secret and cert names must be unique)
```bash
oc secrets new my-ca-cert-secret ./my-ca.crt
```
It's likely you will need to update the value of some secrets. To do this, simply delete the secret and recreate it, then trigger a new deployment:

```bash
oc delete secret <secret name>
oc secrets new <secret name> <path>
oc rollout latest saml-auth
```
Add the saml-auth template to OSE (required parameters: APPLICATION_DOMAIN, PROXY_PATH, PROXY_DESTINATION):

```bash
oc create -f ./saml-auth.template -n openshift
```
Create a new application (test with `-o json` first, and remove it when satisfied with the result):

```bash
oc new-app saml-auth \
  -p APPLICATION_DOMAIN=sp.example.org -p PROXY_PATH=/oauth/ -p PROXY_DESTINATION=https://ose.example.com:8443/oauth/ -o json
```
Mount the secret for the SAML configuration (saml-sp.cert, saml-sp.key, saml-sp.xml, sp-idp-metadata.xml):

```bash
oc volume deploymentconfigs/saml-auth \
  --add --overwrite --name=httpd-saml-config --mount-path=/etc/httpd/conf/saml \
  --type=secret --secret-name=httpd-saml-config-secret
```
Mount the secret for the OSE certs (authproxy.pem, ca.crt):

```bash
oc volume deploymentconfigs/saml-auth \
  --add --overwrite --name=httpd-ose-certs --mount-path=/etc/httpd/conf/ose_certs \
  --type=secret --secret-name=httpd-ose-certs-secret
```
Mount the secret for the server certs (server.crt, server.key):

```bash
oc volume deploymentconfigs/saml-auth \
  --add --overwrite --name=httpd-server-certs --mount-path=/etc/httpd/conf/server_certs \
  --type=secret --secret-name=httpd-server-certs-secret
```
Optional: mount the secret for a custom CA cert (duplicate as required):

```bash
oc volume deploymentconfigs/saml-auth \
  --add --overwrite --name=my-ca-cert --mount-path=/etc/pki/ca-trust/source/anchors/my-ca.crt \
  --type=secret --secret-name=my-ca-cert-secret
```
The template defines replicas as 0. This pod can be scaled to multiple replicas for high availability.
```bash
oc scale --replicas=1 dc saml-auth
```

After that command runs you will likely see several deployments, one triggered by each of the volumes that were mounted.
Update /etc/origin/master/master-config.yaml:
```yaml
oauthConfig:
  assetPublicURL: https://ose.example.com:8443/console/
  grantConfig:
    method: auto
  identityProviders:
  - name: saml
    challenge: false
    login: true
    mappingMethod: add
    provider:
      apiVersion: v1
      kind: RequestHeaderIdentityProvider
      loginURL: "https://sp.example.org/oauth/authorize?${query}"
      clientCA: /etc/origin/master/ca.crt
      headers:
      - Remote-User
  masterCA: ca-bundle.crt
assetConfig:
  logoutURL: "https://sp.example.org/mellon/logout?ReturnTo=https://sp.example.org/logged_out.html"
```
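The security of this configuration rests on two keys of the provider block: `clientCA` makes the Master demand a client certificate chaining to /etc/origin/master/ca.crt (the authproxy.pem built above) before it looks at any header, and `headers` lists, in order, which header carries the username. The following is an added model of that decision written for this page; it is not the OpenShift source, and the `ProviderConfig`, `Request`, `identity_from_request` and `audit_provider` names, as well as the constructed requests, are assumptions of the example. It shows why omitting `clientCA` would let any client that can reach the Master pick its own Remote-User value.

```python
class ProviderConfig:
    """Subset of the RequestHeaderIdentityProvider block from master-config.yaml."""

    def __init__(self, client_ca, headers):
        self.client_ca = client_ca                       # provider.clientCA, or None when omitted
        self.headers = [h.lower() for h in headers]      # provider.headers, checked in order


class Request:
    """What the Master sees: whether the TLS client cert chained to clientCA, and the headers."""

    def __init__(self, client_cert_verified, headers):
        self.client_cert_verified = client_cert_verified
        self.headers = {k.lower(): v for k, v in headers.items()}   # HTTP header names are case-insensitive


def identity_from_request(cfg, req):
    """Return the username the Master would accept, or None if the request is not trusted.

    Rule 1: with clientCA set, a request without a verified client certificate never
            yields an identity, whatever headers it carries.
    Rule 2: the first configured header with a non-empty value names the user."""
    if cfg.client_ca and not req.client_cert_verified:
        return None
    for name in cfg.headers:
        value = req.headers.get(name, "").strip()
        if value:
            return value
    return None


def audit_provider(cfg):
    """Configuration review: return the findings a reviewer would raise for this block."""
    findings = []
    if not cfg.client_ca:
        findings.append("clientCA is not set: any client that reaches the Master can choose its own %s value"
                        % ", ".join(cfg.headers))
    if not cfg.headers:
        findings.append("headers is empty: no request can ever yield an identity")
    return findings


# The provider exactly as configured on this page.
PAGE_CONFIG = ProviderConfig(client_ca="/etc/origin/master/ca.crt", headers=["Remote-User"])
# The same provider with clientCA left out: the misconfiguration to avoid.
NO_CA_CONFIG = ProviderConfig(client_ca=None, headers=["Remote-User"])

# Constructed requests: one relayed by the saml-auth pod (it presents authproxy.pem, so the
# certificate verifies), one that reached the Master without going through the proxy.
FROM_PROXY = Request(True, {"Remote-User": "alice"})
NOT_FROM_PROXY = Request(False, {"Remote-User": "someone-else"})

if __name__ == "__main__":
    for label, cfg in (("page config", PAGE_CONFIG), ("no clientCA", NO_CA_CONFIG)):
        print(label, "findings:", audit_provider(cfg) or "none")
        print("  via proxy      ->", identity_from_request(cfg, FROM_PROXY))
        print("  not via proxy  ->", identity_from_request(cfg, NOT_FROM_PROXY))
```

With the page's configuration only the request relayed by the proxy resolves to a user; with `clientCA` removed both do, which is the condition `audit_provider` flags. The same reasoning applies to any other header added to `headers`: every name in that list is trusted only as far as the client certificate check is.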
Restart the master(s) at this point for the configuration to take effect.
If building the image locally or pulling it from another location, it's helpful to create an ImageStream to simplify ongoing deployments. As the cluster-admin this can be accomplished as follows:
```bash
# Create a project for hosting the images
oc new-project openshift3
# Allow all authenticated users to pull this image
oadm policy add-cluster-role-to-group system:image-puller system:authenticated -n openshift3
```
At this point you can either manually build the image or pull it from another location.
Create the docker image:

```bash
docker build --tag=saml-service-provider .
```
Since the builder service account has access to create ImageStreams in the openshift3 project, we can use its token to log in to the internal registry:
```bash
# Find the internal registry IP or use DNS. In this example 172.30.36.214 is
# the internal registry.
oc get services | grep docker-registry
# The token is passed on the command line here, so it will end up in shell history.
docker login -u unused -e unused -p "$(oc sa get-token builder -n openshift3)" 172.30.36.214:5000
docker tag <your.local.image/saml-service-provider> 172.30.36.214:5000/openshift3/saml-service-provider
docker push 172.30.36.214:5000/openshift3/saml-service-provider
```
```bash
# If this is your first time deploying the saml pod you will need to manually scale up
oc scale --replicas=1 dc saml-auth
```