Setting Up Groups for Single Sign-on Integration with an Existing LDAP Domain

To use single sign-on (SSO) in Metacloud with projects that live in an LDAP domain, you must create a SQL domain using the Dashboard whose only purpose is to hold the groups that map to the groups in your Identity Provider (IdP). This extra domain is required because groups cannot be created in an LDAP domain.

Note
You must understand the difference between a domain and a project:

  • Domain—A collection of projects and users that define administrative boundaries for managing Identity entities. A domain can represent an individual, company, or operator-owned space.
  • Project—A container that collects or isolates resources or identity objects. Depending on the service operator, a project might map to a customer, account, organization, or tenant.

See Using Identity Features for more information about working with Identity.

To provide access to your existing projects in the LDAP domain, create the groups in your SQL domain using the Dashboard, then use the command-line interface to assign roles on the LDAP-domain projects to those SQL-domain groups.

To create a group using the Metacloud Dashboard:

  1. Log in to the primary Domain on the Dashboard.
  2. Select Admin, Groups to display the Groups page.
  3. Click Create Group and create one group for each IdP group you want to map. The name of the group created in the Dashboard must match the group name configured in your IdP exactly.

    Create Group Dialog

To grant a group in your Metacloud (SQL) domain access to a project in the LDAP domain using the command-line interface:

  1. Assign the _member_ role on the project to the group. The --group and --group-domain parameters identify the group in the SQL domain; --project and --project-domain identify the project in the LDAP domain.

     openstack role add --group <GROUP_NAME> --group-domain <GROUP_DOMAIN> \
         --project <PROJECT_NAME> --project-domain <PROJECT_DOMAIN> _member_
    
  2. Assign the same role to the group on the LDAP domain that contains the project, using the --domain parameter. This domain-scoped assignment lets group members obtain a domain-scoped token for that domain; because it is not inherited, it does not by itself grant access to the projects in the domain, which is why step 1 is repeated for each project.

     openstack role add --group <GROUP_NAME> --group-domain <GROUP_DOMAIN> \
         --domain <PROJECT_DOMAIN> _member_
    
  3. List the assignments for the group. The client prints IDs by default; add --names to print names instead, or resolve the IDs by hand as in the following steps.

     openstack role assignment list --group <GROUP_NAME> --group-domain <GROUP_DOMAIN>
    +---------------+-----------+--------------------+------------------+-------------------------+--------------+
    |  Role         | User      | Group              | Project          | Domain                  | Inherited    |
    +---------------+-----------+--------------------+------------------+-------------------------+--------------+
    |  <uuid_value> |           | <uuid_value>       | <uuid_value>     |                         | False        |
    |  <uuid_value> |           | <uuid_value>       | <uuid_value>     |                         | False        |
    |  <uuid_value> |           | <uuid_value>       |                  | <uuid_value>            | False        |
    +---------------+-----------+--------------------+------------------+-------------------------+--------------+
    
  4. Verify that each UUID in the output above resolves to the expected domain, project, role and group. Start with the domain in the third row: it should be the LDAP domain that contains the project, not the SQL domain that holds the group.

    $ openstack domain show <DOMAIN_ID>
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | example LDAP domain              |
    | enabled     | True                             |
    | id          | <domain_id>                      |
    | name        | SSO Domain                       |
    +-------------+----------------------------------+
    
  5. Verify the project. Its domain_id must be the ID of the LDAP domain shown in the previous step.

    $ openstack project show <PROJECT_ID>
    +-------------+--------------------------------------+
    | Field       | Value                                |
    +-------------+--------------------------------------+
    | description | PROD-Server Team                     |
    | domain_id   | <uuid_value>                         |
    | enabled     | True                                 |
    | id          | <uuid_value>                         |
    | is_domain   | False                                |
    | name        | IT Teams                             |
    | parent_id   | None                                 |
    +-------------+--------------------------------------+
    
  6. Verify the group. It must be a group in the SQL domain, so list that domain explicitly.

    $ openstack group list --domain <GROUP_DOMAIN>
    +--------------+--------------------------------+
    | ID           | Name                           |
    +--------------+--------------------------------+
    | <uuid_value> | Metacloud_Admins               |
    | <uuid_value> | Metacloud_Users                |
    +--------------+--------------------------------+
    
  7. Verify the role. The role ID in the assignment list should resolve to _member_. If it resolves to admin, every member of the mapped IdP group has administrative rights on the project, which is almost never intended.

    $ openstack role list
    +------------------------+------------------+
    | ID                     | Name             |
    +------------------------+------------------+
    | <uuid_value>           | heat_stack_user  |
    | <uuid_value>           | admin            |
    | <uuid_value>           | heat_stack_owner |
    | <uuid_value>           | _member_         |
    +------------------------+------------------+
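The procedure above declares the intended mappings once on the command line and then checks them by eye. The following Python script is an added example, not Metacloud's own tooling: it builds the same openstack role add commands for a list of projects, derives from them the set of assignments that should exist, and audits the JSON output of openstack role assignment list against that set, flagging anything missing or extra (for instance an admin role granted by mistake). The group, project and domain names and every UUID in the sample data are constructed for the example; in live use, feed it the output of the real CLI through run_openstack and cli_lookup as described after the block.

```python
"""Declare, apply and audit SSO group-to-project role mappings.

Added example (not Metacloud's own tooling). It drives the `openstack`
CLI with `-f json` output; the group, project and domain names and every
UUID below are assumptions constructed for the example.
"""
import json
import subprocess
from typing import Callable, Dict, List, Tuple

Lookup = Callable[[str, str], str]      # (kind, uuid) -> name
Assignment = Tuple[str, str, bool]      # (role, scope, inherited)


def run_openstack(args: List[str]):
    """Run one openstack CLI command and parse its JSON output (live use only)."""
    proc = subprocess.run(["openstack", *args, "-f", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def cli_lookup(kind: str, ident: str) -> str:
    """Resolve a role/project/domain/group UUID to its name via `openstack <kind> show`."""
    return run_openstack([kind, "show", ident])["name"]


def plan_grants(group: str, group_domain: str, projects: List[str],
                project_domain: str, role: str = "_member_") -> List[List[str]]:
    """Build the `openstack role add` argument lists for one SQL-domain group.

    One project-scoped grant per project plus one domain-scoped grant on the
    LDAP domain, exactly as in steps 1 and 2 of the procedure.
    """
    common = ["role", "add", "--group", group, "--group-domain", group_domain]
    cmds = [common + ["--project", p, "--project-domain", project_domain, role]
            for p in projects]
    cmds.append(common + ["--domain", project_domain, role])
    return cmds


def expected_from_plan(plan: List[List[str]]) -> set:
    """Derive the assignment set the plan should produce (names, not UUIDs)."""
    expected = set()
    for cmd in plan:
        role = cmd[-1]
        if "--project" in cmd:
            scope = "project:" + cmd[cmd.index("--project") + 1]
        else:
            scope = "domain:" + cmd[cmd.index("--domain") + 1]
        expected.add((role, scope, False))      # grants above are never --inherited
    return expected


def resolve_assignments(rows: List[Dict], lookup: Lookup) -> set:
    """Turn `role assignment list` rows (UUIDs) into (role, scope, inherited) names."""
    resolved = set()
    for row in rows:
        role = lookup("role", row["Role"])
        if row.get("Project"):
            scope = "project:" + lookup("project", row["Project"])
        elif row.get("Domain"):
            scope = "domain:" + lookup("domain", row["Domain"])
        else:
            scope = "system"    # newer Keystone releases can also scope to the system
        resolved.add((role, scope, bool(row.get("Inherited", False))))
    return resolved


def audit(actual: set, expected: set) -> Tuple[set, set]:
    """Return (missing, unexpected); both must be empty for the mapping to be correct."""
    return expected - actual, actual - expected


# --- Constructed sample data standing in for live CLI output (all IDs fake) ---
SAMPLE_ROWS = [
    {"Role": "b2c1", "User": "", "Group": "9f3a", "Project": "71e0", "Domain": "", "Inherited": False},
    {"Role": "b2c1", "User": "", "Group": "9f3a", "Project": "4d88", "Domain": "", "Inherited": False},
    {"Role": "b2c1", "User": "", "Group": "9f3a", "Project": "", "Domain": "e5c2", "Inherited": False},
    # an admin grant nobody planned: exactly what the audit must surface
    {"Role": "0a77", "User": "", "Group": "9f3a", "Project": "4d88", "Domain": "", "Inherited": False},
]
SAMPLE_NAMES = {
    ("role", "b2c1"): "_member_", ("role", "0a77"): "admin",
    ("project", "71e0"): "IT Teams", ("project", "4d88"): "PROD-Server Team",
    ("domain", "e5c2"): "SSO Domain",
}


def sample_lookup(kind: str, ident: str) -> str:
    """Offline stand-in for cli_lookup, backed by the constructed table above."""
    return SAMPLE_NAMES[(kind, ident)]


def sample_audit() -> Tuple[set, set]:
    """Audit the constructed rows against a plan for two projects in 'SSO Domain'."""
    plan = plan_grants("Metacloud_Users", "Metacloud",
                       ["IT Teams", "PROD-Server Team"], "SSO Domain")
    return audit(resolve_assignments(SAMPLE_ROWS, sample_lookup),
                 expected_from_plan(plan))


if __name__ == "__main__":
    missing, unexpected = sample_audit()
    print("missing:", missing)          # expected: empty set
    print("unexpected:", unexpected)    # expected: the stray admin grant on PROD-Server Team
```

Against a live cloud (credentials in the environment), obtain the rows with run_openstack(["role", "assignment", "list", "--group", GROUP, "--group-domain", GROUP_DOMAIN]) and pass cli_lookup as the resolver; apply the plan by running each argument list through run_openstack only after the audit reports what is missing, and do not hand the mapping to users until both sets come back empty.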