Extended websso parameters
- Allow LOGIN_REDIRECT_URL configuration
- Allow custom messages for WEBSSO_CHOICES
- Allow WEBSSO_IDP_MAPPING
Related-Bug: PROD-20122
Change-Id: Id336d42c5d4ead20d718bb28ade9a26c8bc1d573
diff --git a/README.rst b/README.rst
index afd5dce..1f90438 100644
--- a/README.rst
+++ b/README.rst
@@ -429,7 +429,9 @@
address: https://github.com/openstack/horizon.git
rev: stable/juno
-Enable WebSSO feature
+Enable WebSSO feature. Define a list of choices [supported choices: oidc, saml2], `credentials` choice will be automatically appended and choice description is predefined. DEPRECATED
+
+WebSSO with credentials and saml2
.. code-block:: yaml
@@ -439,10 +441,58 @@
websso:
login_url: "WEBROOT + 'auth/login/'"
logout_url: "WEBROOT + 'auth/logout/'"
+ login_redirect_url: "WEBROOT + 'project/'"
websso_choices:
- saml2
- - oidc
+Enable WebSSO feature. Define a map of choices in the following format: `{"<choice_name>": {"description": "<choice_description>"}`.
+
+WebSSO with saml2 and credentials
+
+.. code-block:: yaml
+
+ horizon:
+ server:
+ enabled: true
+ websso:
+ login_url: "WEBROOT + 'auth/login/'"
+ logout_url: "WEBROOT + 'auth/logout/'"
+ login_redirect_url: "WEBROOT + 'project/'"
+ websso_choices:
+ saml2:
+ description: "Security Assertion Markup Language"
+ credentials:
+ description: "Keystone Credentials"
+
+WebSSO with IDP mapping.
+
+.. code-block:: yaml
+
+ horizon:
+ server:
+ enabled: true
+ websso:
+ login_url: "WEBROOT + 'auth/login/'"
+ logout_url: "WEBROOT + 'auth/logout/'"
+ login_redirect_url: "WEBROOT + 'project/'"
+ websso_choices:
+ credentials:
+ description: "Keystone Credentials"
+ saml2:
+ description: "Security Assertion Markup Language"
+ oidc:
+ description: "OpenID Connect"
+ myidp_oidc:
+ description: "Acme Corporation - OpenID Connect"
+ myidp_saml2:
+ description: "Acme Corporation - SAML2"
+ idp_mapping:
+ myidp_oidc:
+ id: myidp
+ protocol: oidc
+ myidp_saml2:
+ id: myidp
+ protocol: saml2
More Information
================
diff --git a/horizon/files/horizon_settings/_websso_settings.py b/horizon/files/horizon_settings/_websso_settings.py
index 3baff8c..7864d9d 100644
--- a/horizon/files/horizon_settings/_websso_settings.py
+++ b/horizon/files/horizon_settings/_websso_settings.py
@@ -8,17 +8,38 @@
LOGOUT_URL = {{ server.websso.logout_url }}
{%- endif %}
+{%- if server.websso.login_redirect_url is defined %}
+LOGIN_REDIRECT_URL = {{ server.websso.login_redirect_url }}
+{%- endif %}
+
WEBSSO_ENABLED = True
WEBSSO_CHOICES = (
+{%- if server.websso.websso_choices is mapping %}
+ {%- for choice_name, choice in server.websso.websso_choices.iteritems() %}
+ ("{{ choice_name }}", _("{{ choice.get('description') }}")),
+ {%- endfor %}
+{%- else %}
("credentials", _("Keystone Credentials")),
- {%- if 'oidc' in server.websso.websso_choices %}
+ {%- for choice in server.websso.websso_choices %}
+ {%- if 'oidc' in choice %}
("oidc", _("OpenID Connect")),
{%- endif %}
- {%- if 'saml2' in server.websso.websso_choices %}
+ {%- if 'saml2' in choice %}
("saml2", _("Security Assertion Markup Language")),
{%- endif %}
+ {%- endfor %}
+{%- endif %}
)
WEBSSO_INITIAL_CHOICE = "{{ server.websso.get('websso_initial_choice', 'credentials') }}"
+
+{%- if server.websso.idp_mapping is defined %}
+WEBSSO_IDP_MAPPING = {
+{%- for idp_name, idp in server.websso.idp_mapping.iteritems() %}
+ "{{ idp_name }}": ("{{ idp.get('id') }}", "{{ idp.get('protocol') }}"),
+{%- endfor %}
+}
+{%- endif %}
+
{%- endif %}
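Review bot: Pillar values are pasted unescaped into Python string literals in the new mapping branch of WEBSSO_CHOICES and in WEBSSO_IDP_MAPPING, so a description or id containing a double quote or backslash produces a broken or altered settings file. A missing `description`, `id` or `protocol` is rendered as the literal string "None" because `.get()` is called without a default; for the IdP mapping that silently produces a login choice pointing at an identity provider that does not exist. Consider emitting the values through a serializing filter (assuming Salt's `json` filter is available to this template), e.g. `({{ choice_name|json }}, _({{ choice.description|json }})),` and `{{ idp_name|json }}: ({{ idp.id|json }}, {{ idp.protocol|json }}),`, and failing the render when a required key is absent. `.iteritems()` exists only on Python 2 dicts, while `.items()` works on both. The closing `{%- endif %}` on the last line belongs to a block opened outside this hunk.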
diff --git a/tests/pillar/cluster.sls b/tests/pillar/cluster.sls
index 1f640cd..83c34ca 100644
--- a/tests/pillar/cluster.sls
+++ b/tests/pillar/cluster.sls
@@ -35,9 +35,17 @@
websso:
login_url: "WEBROOT + 'auth/login/'"
logout_url: "WEBROOT + 'auth/logout/'"
+ login_redirect_url: "WEBROOT + 'project/'"
websso_choices:
- - saml2
- oidc
+ - saml2
+ idp_mapping:
+ myidp_openid:
+ id: myidp
+ protocol: openid
+ myipd_mapped:
+ id: myidp
+ protocol: mapped
horizon_config:
password_autocomplete: off
openstack_neutron_network:
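Review bot: The `idp_mapping` keys added here (`myidp_openid`, `myipd_mapped`) do not appear in `websso_choices`, whereas the README example gives every mapping key a matching choice, so this fixture renders a WEBSSO_IDP_MAPPING that no login choice refers to and the mapped path is not really exercised. `myipd_mapped` also looks like a typo for `myidp_mapped`. The hunk in tests/pillar/single.sls has the same keys and the same gap; there the mapping form is used, so matching choices could be added, e.g. `myidp_openid:` with a `description:` under `websso_choices`. In this file the list form only ever yields `oidc` and `saml2` from the template, so the `idp_mapping` entries cannot be matched; consider dropping them here or switching the fixture to the mapping form.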
diff --git a/tests/pillar/single.sls b/tests/pillar/single.sls
index 0dbc3cb..5b8f20b 100644
--- a/tests/pillar/single.sls
+++ b/tests/pillar/single.sls
@@ -33,9 +33,21 @@
websso:
login_url: "WEBROOT + 'auth/login/'"
logout_url: "WEBROOT + 'auth/logout/'"
+ login_redirect_url: "WEBROOT + 'project/'"
websso_choices:
- - saml2
- - oidc
+ credentials:
+ description: "Keystone Credentials"
+ oidc:
+ description: "OpenID Connect"
+ saml2:
+ description: "Security Assertion Markup Language"
+ idp_mapping:
+ myidp_openid:
+ id: myidp
+ protocol: openid
+ myipd_mapped:
+ id: myidp
+ protocol: mapped
horizon_config:
password_autocomplete: off
openstack_neutron_network: