A Federated Keystone Identity Server

Introduction

The Information Systems and Security Group has developed a version of the Openstack Keystone Identity Server which supports federation. This demo shows how a user from a remote Keystone Server or an external SAML Identity Provider can use their existing credentials to access resources protected by the federated server. The Federated Keystone Server protects a Swift Object Storage Service and allows users from a remote Identity Provider to access the resources provided by Swift. In this demo, the SAML IdP is actually a proxy that supports multiple external IdPs running a variety of protocols. So for example, it supports OpenID, Google and LDAPv3 servers as well as SAML IdPs.

Preparing to run the Demo

The Openstack Swift client requires that you have already installed Python 2.7 or higher. Please visit the python website and download the appropriate python installer or source package.

Windows only

When installing Python under a Windows operating system, it is sometimes the case that the PATH variable (where Windows searches for executable programs) is not correctly set. When this happens you will receive the following error: 'python' is not recognised as an internal or external command, operable program or batch file. This can be fixed by adding your Python installation directory to your PATH variable. When running the demo you may also need to append 'python' to the swift command and ensure that you have navigated to the correct directory in your command prompt. The correct directory should contain the 'swift' script and is installed by default to the 'Scripts' directory of your Python installation.

Running the Demo

In order to run the Federated Keystone demo, you will need to install a modified version of the Openstack Swift client.

Download the client here (click the Download Zip button which you will see about halfway down the page on the right hand side).
Unzip the file
From a command line prompt, navigate to the unzipped folder and run: python setup.py install

To use the demo, you must make a request for access to the swift service specifying the Federated Keystone Server as the Authentication URL, an example of a request might look like:

swift -F -A http://fedkeystone.sec.cs.kent.ac.uk:5000/v2.0 list

1 Command to run the swift client
2 -F flag denotes that federated authentication is required
3 -A flag denotes that the following URL at which the authentication server is running
4 The URL of the ISSRG Federated Keystone Server
5 The command that you wish to use with the Object Storage Server (Swift). You can type swift --help for a list of available commands

Note: The above is an image, the following code snippet is selectable so you can copy and paste the command easily.

swift -F -A http://fedkeystone.sec.cs.kent.ac.uk:5000/v2.0 list

The basic demo offers two different authentication sources:

Kent Keystone Identity Service - A standard Keystone Server, you can use either of the following sets of credentials to authenticate:

Username Password
Guest password
SecretGuest password
Kent Proxy Identity Server - This is a SAML based authentication server which allows authentication using University of Kent login, Facebook, OpenID and Google

Moonshot Enabled Client

The Moonshot enabled demo allows you to authenticate using the Moonshot protocol, supported by the Moonshot Identity Selector. The Selector is only available on Ubuntu 13.04 or more recent and Debian Wheezy. Other Linux based operating systems may also work with the selector but this has not yet been tested.

Before installing the OpenStack Swift Client, if you don't have the Moonshot Identity Selector https://community.ja.net/groups/moonshot installed on your distribution follow these instructions:

Installing the Moonshot client

Add the moonshot repository to your repository sources:
echo "deb http://repository.project-moonshot.org/debian-moonshot sid main" > /etc/apt/sources.list.d/moonshot.list
wget -O - http://repository.project-moonshot.org/key.gpg | apt-key add -
apt-get update
Install the moonshot identity selector and dependencies:
apt-get install moonshot-ui moonshot-gss-eap
Add the mechanisms:
mkdir -p /usr/etc/gss
cat > /usr/etc/gss/mech <<EOF
eap-aes128 1.3.6.1.5.5.15.1.1.17 mech_eap.so
eap-aes256 1.3.6.1.5.5.15.1.1.18 mech_eap.so
EOF

Installing the Openstack Swift client

Download the Moonshot enabled client from here
Install the dependencies:
apt-get install python-pip python-dev libkrb5-dev
Run the python setup.py:
pip install -r tools/pip-requires && python setup.py install

Authenticating with Moonshot

The following demo identities can be used to authenticate with Moonshot:

Display Name	Issuer	Username	Password
george@moonshot.sec.cs.kent.ac.uk	moonshot.sec.cs.kent.ac.uk	george	password
bryan@moonshot.sec.cs.kent.ac.uk	moonshot.sec.cs.kent.ac.uk	bryan	password

Please note: Any data uploaded to the Object Storage service on this demonstration may be removed at any time through routine maintenance - this is not a persistent storage service and is for demonstration purposes only.