openshift/request-header-saml-service-provider

Name: request-header-saml-service-provider

Owner: OpenShift

Description: A pod for running a RequestHeaderIdentityProvider service

Created: 2016-06-13 17:31:46.0

Updated: 2017-08-25 05:40:23.0

Pushed: 2018-01-26 09:43:00.0

Homepage: null

Size: 40

Language: Shell


README

This Docker image is used for SAML authentication.

OpenShift Instructions

The deployment of this pod involves loading a template and using it to create a new application. This running pod will mount in secrets for all custom configuration.

SAML Metadata

Create the secret for the httpd saml configuration files (saml-sp.cert, saml-sp.key, saml-sp.xml, sp-idp-metadata.xml). Assuming an EntityID of https://sp.example.org/mellon and a mellon service running at the same location, the first three files can be generated automatically using the following commands:

```shell
mkdir ./httpd-saml-config
mellon_create_metadata.sh https://sp.example.org/mellon https://sp.example.org/mellon

# Note, Secrets cannot have key names with an 'underscore' in them, so when
# creating metadata files with `mellon_create_metadata.sh` the resulting files
# must be renamed appropriately (and placed in the directory the secret is built from).
mv saml_sp.cert ./httpd-saml-config/saml-sp.cert
mv saml_sp.key  ./httpd-saml-config/saml-sp.key
mv saml_sp.xml  ./httpd-saml-config/saml-sp.xml
```

The sp-idp-metadata.xml must be supplied by your Identity Provider.

```shell
oc secrets new httpd-saml-config-secret ./httpd-saml-config
```

Authentication certificate

This certificate is used by the saml service provider pod to make a secure request to the Master. Using all the defaults, a suitable file can be created as follows:

```shell
oadm create-api-client-config --certificate-authority='/etc/origin/master/ca.crt' \
                              --client-dir='/etc/origin/master/' \
                              --signer-cert='/etc/origin/master/ca.crt' \
                              --signer-key='/etc/origin/master/ca.key' \
                              --signer-serial='/etc/origin/master/ca.serial.txt' \
                              --user='system:proxy'

mkdir ./httpd-ose-certs
# authproxy.pem holds the client certificate followed by its private key
cat /etc/origin/master/system\:proxy.crt /etc/origin/master/system\:proxy.key > ./httpd-ose-certs/authproxy.pem
cp /etc/origin/master/ca.crt ./httpd-ose-certs/ca.crt
```

Now create the secret:

```shell
oc secrets new httpd-ose-certs-secret ./httpd-ose-certs
```
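Before the two directories above are loaded into secrets it is worth checking that authproxy.pem really holds a matching certificate and key, that the certificate chains to the master CA the master will later be told to trust as clientCA, that its CN is system:proxy, and that no file name still carries an underscore (the constraint noted under SAML Metadata). The script below is an added example, not code from the project; it assumes openssl on PATH, and the function names and the throwaway CA it generates as fixture input are constructed for the example.

```shell
#!/bin/sh
# Added preflight checks for the secret directories (example code, not part of
# the project). Assumes openssl on PATH and the file names used in this README.

# Secret key names may not contain an underscore (see the SAML Metadata note):
# fail if any file in the directory still carries a mellon-style saml_sp.* name.
check_secret_keys() {                       # $1 = directory to be loaded
  for f in "$1"/*; do
    case "$(basename "$f")" in *_*) return 1 ;; esac
  done
}

# The certificate and private key concatenated into authproxy.pem must be a
# pair: the public key taken from each half has to be identical.
key_matches_cert() {                        # $1 = PEM file holding cert + key
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# The master accepts Remote-User only from clients whose certificate chains to
# clientCA, so the proxy cert must verify against ca.crt and carry the
# system:proxy CN that create-api-client-config was asked for.
proxy_cert_ok() {                           # $1 = ca.crt, $2 = authproxy.pem
  openssl x509 -in "$2" 2>/dev/null | openssl verify -CAfile "$1" >/dev/null 2>&1 &&
  openssl x509 -in "$2" -noout -subject | grep -q 'CN *= *system:proxy'
}

# Constructed fixture: a throwaway CA and a client cert it signed, laid out
# like ./httpd-ose-certs (ca.crt + authproxy.pem) so the checks run anywhere.
make_fixture() {                            # $1 = empty work directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=test-ca \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=system:proxy \
    -keyout "$1/proxy.key" -out "$1/proxy.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$1/proxy.csr" -CA "$1/ca.crt" \
    -CAkey "$1/ca.key" -CAcreateserial -out "$1/proxy.crt" 2>/dev/null
  cat "$1/proxy.crt" "$1/proxy.key" > "$1/authproxy.pem"
}

work=$(mktemp -d)
make_fixture "$work"
key_matches_cert "$work/authproxy.pem" && proxy_cert_ok "$work/ca.crt" "$work/authproxy.pem" \
  && echo "authproxy.pem in $work is consistent with ca.crt"
```

Point the three functions at ./httpd-ose-certs and ./httpd-saml-config instead of the fixture to check the real directories before running `oc secrets new`.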

The saml service provider pod will itself expose a TLS endpoint. The OpenShift Router will use TLS passthrough so that the pod, not the router, terminates the connection. For testing purposes a self-signed certificate may be used:

```shell
mkdir ./httpd-server-certs

# Make sure you input the saml service provider hostname for the Common Name
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ./httpd-server-certs/server.key
openssl req -new -key ./httpd-server-certs/server.key -out /tmp/server.csr
openssl x509 -req -days 365 -in /tmp/server.csr -signkey ./httpd-server-certs/server.key -out ./httpd-server-certs/server.crt
```

Now create the secret:

```shell
oc secrets new httpd-server-certs-secret ./httpd-server-certs
```

Optional: Create a secret for a custom CA (secret and cert names must be unique)

```shell
oc secrets new my-ca-cert-secret ./my-ca.crt
```

Making changes to secrets

It's likely you will need to update the value of some secrets. To do this simply delete the secret and recreate it. Then trigger a new deployment.

```shell
oc delete secret <secret name>
oc secrets new <secret name> <path>
oc rollout latest saml-auth
```

Deploying the image

Add the saml-auth template to OSE (required parameters: APPLICATION_DOMAIN, PROXY_PATH, PROXY_DESTINATION):

```shell
oc create -f ./saml-auth.template -n openshift
```

Create a new application (test with '-o json', remove it when satisfied with the result):

```shell
oc new-app saml-auth \
   -p APPLICATION_DOMAIN=sp.example.org -p PROXY_PATH=/oauth/ -p PROXY_DESTINATION=https://ose.example.com:8443/oauth/ -o json
```

Mounting the secrets

Mount the secret for the SAML configuration (saml-sp.cert,saml-sp.key,saml-sp.xml,sp-idp-metadata.xml)

```shell
oc volume deploymentconfigs/saml-auth \
   --add --overwrite --name=httpd-saml-config --mount-path=/etc/httpd/conf/saml \
   --type=secret --secret-name=httpd-saml-config-secret
```

Mount the secret for OSE certs (authproxy.pem,ca.crt)

```shell
oc volume deploymentconfigs/saml-auth \
   --add --overwrite --name=httpd-ose-certs --mount-path=/etc/httpd/conf/ose_certs \
   --type=secret --secret-name=httpd-ose-certs-secret
```

Mount the secret for server certs (server.crt,server.key)

```shell
oc volume deploymentconfigs/saml-auth \
   --add --overwrite --name=httpd-server-certs --mount-path=/etc/httpd/conf/server_certs \
   --type=secret --secret-name=httpd-server-certs-secret
```

Optional: Mount the secret for a custom CA cert (duplicate as required)

```shell
oc volume deploymentconfigs/saml-auth \
   --add --overwrite --name=my-ca-cert --mount-path=/etc/pki/ca-trust/source/anchors/my-ca.crt \
   --type=secret --secret-name=my-ca-cert-secret
```

The template defines replicas as 0. This pod can be scaled to multiple replicas for high availability.

```shell
oc scale --replicas=1 dc saml-auth
```

After that command runs you will likely see several deployments, one for each of the volumes that was mounted.

Master configuration changes

Update /etc/origin/master/master-config.yaml:

```yaml
oauthConfig:
  assetPublicURL: https://ose.example.com:8443/console/
  grantConfig:
    method: auto
  identityProviders:
  - name: saml
    challenge: false
    login: true
    mappingMethod: add
    provider:
      apiVersion: v1
      kind: RequestHeaderIdentityProvider
      loginURL: "https://sp.example.org/oauth/authorize?${query}"
      clientCA: /etc/origin/master/ca.crt
      headers:
      - Remote-User
  masterCA: ca-bundle.crt


assetConfig:
  logoutURL: "https://sp.example.org/mellon/logout?ReturnTo=https://sp.example.org/logged_out.html"
```

Restart the master(s) at this point for the configuration to take effect.

Making local modifications

ImageStream preparation

If building the image locally or pulling from another location, it's helpful to create an ImageStream to simplify ongoing deployments. A cluster-admin can do this as follows:

```shell
# Create a project for hosting the images
oc new-project openshift3

# Allow all authenticated users to pull this image
oadm policy add-cluster-role-to-group system:image-puller system:authenticated -n openshift3
```

At this point you can either manually build the image or pull it from another location.

Manually building the docker image

Create the docker image

```shell
docker build --tag=saml-service-provider .
```

Pushing the image to the internal docker registry

Since the builder service account has access to create ImageStreams in the openshift3 project we can use its token.

```shell
docker login -u unused -e unused -p `oc sa get-token builder -n openshift3` 172.30.36.214:5000
```

```shell
# Find the internal registry IP or use DNS. In this example 172.30.36.214 is
# the internal registry.
oc get services | grep docker-registry
docker tag <your.local.image/saml-service-provider> 172.30.36.214:5000/openshift3/saml-service-provider
docker push 172.30.36.214:5000/openshift3/saml-service-provider
```

```shell
# If this is your first time deploying the saml pod you will need to manually scale up
oc scale --replicas=1 dc saml-auth
```

This work is supported by the National Institutes of Health's National Center for Advancing Translational Sciences, Grant Number U24TR002306. This work is solely the responsibility of the creators and does not necessarily represent the official views of the National Institutes of Health.