From a7080fdfa2fa437fa5058d41d32f173c6e966f64 Mon Sep 17 00:00:00 2001
From: Miguel Grinberg <miguelgrinberg50@gmail.com>
Date: Thu, 18 Jun 2015 19:06:56 -0700
Subject: [PATCH] Keystone Federation Service Provider Configuration

This patch adds the ability to configure Keystone as a Service
Provider (SP) for a Federated Identity Provider (IdP).

* New variables to configure Keystone as a service provider are now
  supported under a root `keystone_sp` variable. Example configurations
  can be seen in Keystone's defaults file. This configuration includes
  the list of identity providers and trusted dashboards. (At this time
  only one identity provider is supported).

* Identity provider configuration includes the remote-to-local user
  mapping and the list of remote attributes the SP can obtain from the
  IdP.

* Shibboleth is installed and configured in the Keystone containers when
  SP configuration is present.

* Horizon is configured for SSO login

DocImpact
UpgradeImpact
Implements: blueprint keystone-federation
Change-Id: I78b3d740434ea4b3ca0bd9f144e4a07026be23c6
Co-Authored-By: Jesse Pretorius <jesse.pretorius@rackspace.co.uk>
---
 templates/horizon_local_settings.py.j2 | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/templates/horizon_local_settings.py.j2 b/templates/horizon_local_settings.py.j2
index 814c4a38..17ec3c1d 100644
--- a/templates/horizon_local_settings.py.j2
+++ b/templates/horizon_local_settings.py.j2
@@ -170,21 +170,27 @@ OPENSTACK_KEYSTONE_URL = "{{ horizon_keystone_endpoint }}"
 
 OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_"
 
-# Enables keystone web single-sign-on if set to True.
-#WEBSSO_ENABLED = False
+{% if keystone_sp is defined %}
+# Enables keystone web single-sign-on
+WEBSSO_ENABLED = True
 
 # Determines which authentication choice to show as default.
-#WEBSSO_INITIAL_CHOICE = "credentials"
+WEBSSO_INITIAL_CHOICE = "credentials"
 
 # The list of authentication mechanisms
 # which include keystone federation protocols.
 # Current supported protocol IDs are 'saml2' and 'oidc'
 # which represent SAML 2.0, OpenID Connect respectively.
 # Do not remove the mandatory credentials mechanism.
-#WEBSSO_CHOICES = (
-#    ("credentials", _("Keystone Credentials")),
-#    ("oidc", _("OpenID Connect")),
-#    ("saml2", _("Security Assertion Markup Language")))
+WEBSSO_CHOICES = (
+    ("credentials", _("Keystone Credentials")),
+{% for idp in keystone_sp.trusted_idp_list %}
+{% for protocol in idp.protocols %}
+    ("{{ protocol.name }}", _("{{ idp.name }}")){% if not loop.last %},{% endif %}
+{% endfor %}
+{% endfor %}
+)
+{% endif %}
 
 # Disable SSL certificate checks (useful for self-signed certificates):
 OPENSTACK_SSL_NO_VERIFY = {{ horizon_ssl_no_verify | bool }}