Horizon should use idp.wikimedia.org for the log-in interface instead of direct LDAP authentication.
This is likely much more complex than the same thing in Striker since it needs to interface with Keystone properly, and also unlike Striker this is blocked on T359552: Enable self-service IDP two-factor authentication management and the migration of existing 2FA credentials from Wikitech to IDP.
https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Open | None | T189531 All Wikimedia developer services should use single sign-on | |||
| Resolved | Feature | Andrew | T359590 Use IDP for authentication in Horizon | ||
| Open | Feature | SLyngshede-WMF | T359552 Enable self-service IDP two-factor authentication management |
Some doc links:
https://docs.openstack.org/keystone/pike/advanced-topics/federation/openidc.html
https://platform9.com/blog/openstack-keystone-single-sign-on/
This all seems reasonably possible, but also it all relies on keystone being hosted by apache which it currently is not. When we last hosted keystone with apache it worked poorly, but that was years ago so I'll see if I can revive that as prerequisite to the rest of this.
Change #1067461 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):
[operations/puppet@production] Keystone+apache 2gether again
Change #1068000 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):
[operations/puppet@production] Add apache to codfw1dev cloudcontrols
Change #1068000 merged by Andrew Bogott:
[operations/puppet@production] Add apache to codfw1dev cloudcontrols
Change #1068014 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):
[operations/puppet@production] keystone/apache.conf: fix listen ports
Change #1068014 merged by Andrew Bogott:
[operations/puppet@production] keystone/apache.conf: fix listen ports
Change #1067461 merged by Andrew Bogott:
[operations/puppet@production] Keystone and Apache, 2gether again
Change #1068066 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):
[operations/puppet@production] keystone service module: replace https-socket with uwsgi-socket
Change #1068066 merged by Andrew Bogott:
[operations/puppet@production] keystone service module: replace https-socket with uwsgi-socket
Change #1068260 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):
[operations/puppet@production] keystone::apache: include auth_openidc
Change #1068260 merged by Andrew Bogott:
[operations/puppet@production] keystone::apache: include auth_openidc
Change #1068876 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):
[operations/puppet@production] keystone::apache: install mod_auth_openidc package
Change #1068876 merged by Andrew Bogott:
[operations/puppet@production] keystone::apache: install mod_auth_openidc package
Change #1068877 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):
[operations/puppet@production] keystone + oidc
Change #1069279 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):
[operations/puppet@production] Keystone: make codfw1dev keystone APIs public
Change #1069279 merged by Andrew Bogott:
[operations/puppet@production] Keystone: make codfw1dev keystone APIs public
Change #1070031 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):
[operations/puppet@production] Horizon: enable OIDC auth
Change #1068877 merged by Andrew Bogott:
[operations/puppet@production] keystone + oidc
Change #1070238 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):
[operations/puppet@production] keystone/apache: fix OIDCRedirectURI setting
Change #1070238 merged by Andrew Bogott:
[operations/puppet@production] keystone/apache: fix OIDC settings
Change #1070267 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):
[operations/puppet@production] keystone/apache: fix OIDC settings again!
Change #1070267 merged by Andrew Bogott:
[operations/puppet@production] keystone/apache: fix OIDC settings again!
Change #1070356 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):
[operations/puppet@production] Horizon config: set SECURE_PROXY_SSL_HEADER
Change #1070356 merged by Andrew Bogott:
[operations/puppet@production] Horizon config: set SECURE_PROXY_SSL_HEADER
Change #1070643 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):
[operations/puppet@production] Add some inline comments explaining about keystone resources
Change #1070643 merged by Andrew Bogott:
[operations/puppet@production] Add some inline comments explaining about keystone resources
Change #1070945 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):
[operations/puppet@production] cloudweb: remove override of profile::idp::server_name
Change #1070945 merged by Andrew Bogott:
[operations/puppet@production] cloudweb: correct override of profile::idp::server_name
Change #1070031 merged by Andrew Bogott:
[operations/puppet@production] Horizon: enable OIDC auth
Change #1082239 had a related patch set uploaded (by Majavah; author: Majavah):
[operations/puppet@production] openstack: Remove OATHAuth 2FA (wmtotp) support
Change #1082239 merged by Andrew Bogott:
[operations/puppet@production] openstack: Remove OATHAuth 2FA (wmtotp) support
Change #1213534 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):
[operations/puppet@production] keystone.conf: remove one last ref to wmtotp
Change #1213534 merged by Andrew Bogott:
[operations/puppet@production] keystone.conf: remove one last ref to wmtotp