A Federated Keystone Identity Server

Introduction

The Information Systems and Security Group has developed a version of the Openstack Keystone Identity Server which supports federation. This demo shows how a user from a remote Keystone Server or an external SAML Identity Provider can use their existing credentials to access resources protected by the federated server. The Federated Keystone Server protects a Swift Object Storage Service and allows users from a remote Identity Provider to access the resources provided by Swift. In this demo, the SAML IdP is actually a proxy that supports multiple external IdPs running a variety of protocols. So for example, it supports OpenID, Google and LDAPv3 servers as well as SAML IdPs.

Preparing to run the Demo

The OpenStack Swift client requires that you have already installed Python 2.7 or higher. Please visit the Python website and download the appropriate Python installer or source package for your platform.

Windows only

When installing Python under a Windows operating system, the PATH variable (the list of directories Windows searches for executable programs) is sometimes not set correctly. When this happens you will receive the following error: 'python' is not recognised as an internal or external command, operable program or batch file. This can be fixed by adding your Python installation directory to your PATH variable. When running the demo you may also need to prefix the swift command with 'python' and ensure that your command prompt is in the correct directory. The correct directory is the one containing the 'swift' script, which is installed by default in the 'Scripts' directory of your Python installation.

Running the Demo

In order to run the Federated Keystone demo, you will need to install a modified version of the OpenStack Swift client.

To use the demo, you make a request for access to the Swift service, specifying the Federated Keystone Server as the Authentication URL. An example request looks like this:

swift -F -A http://fedkeystone.sec.cs.kent.ac.uk:5000/v2.0 list

The basic demo offers two different authentication sources:

Moonshot Enabled Client

The Moonshot enabled demo allows you to authenticate using the Moonshot protocol, supported by the Moonshot Identity Selector. The Selector is only available on Ubuntu 13.04 or more recent and on Debian Wheezy. Other Linux-based operating systems may also work with the Selector, but this has not yet been tested.

Before installing the OpenStack Swift client, if you don't have the Moonshot Identity Selector (https://community.ja.net/groups/moonshot) installed on your distribution, follow these instructions:

Installing the Moonshot client

Installing the Openstack Swift client

Authenticating with Moonshot

The following demo identities can be used to authenticate with Moonshot:

Display Name                        Issuer                       Username   Password
george@moonshot.sec.cs.kent.ac.uk   moonshot.sec.cs.kent.ac.uk   george     password
bryan@moonshot.sec.cs.kent.ac.uk    moonshot.sec.cs.kent.ac.uk   bryan      password

Please note: Any data uploaded to the Object Storage service on this demonstration may be removed at any time through routine maintenance. This is not a persistent storage service and is for demonstration purposes only.