Frequently Asked Question

How to access the API when using SSO?
Last Updated 6 months ago

First, go to https://sso.massopen.cloud/auth/realms/moc/account and after logging in, go to the password tab and set a password. This will be used to bypass the University/GitHub login, and login directly from SSO.

Using the CLI

Create an .sh file with the following contents
#!/usr/bin/env bash
export OS_AUTH_URL="https://kaizen.massopen.cloud:13000/v3"
export OS_USERNAME=""
export OS_PROJECT_NAME=""
export OS_PROJECT_DOMAIN_NAME="Default"
echo "Please enter your SSO Password for project $OS_PROJECT_NAME as user $OS_USERNAME: "
read -sr OS_PASSWORD_INPUT
export OS_PASSWORD=$OS_PASSWORD_INPUT
export OS_REGION_NAME="moc-kzn"
export OS_AUTH_TYPE="v3oidcpassword"
export OS_IDENTITY_PROVIDER="moc"
export OS_PROTOCOL="openid"
export OS_CLIENT_ID="kaizen-client"
export OS_CLIENT_SECRET="fac377a9-f2ba-41e7-bb7f-4064dd9f4468"
export OS_ACCESS_TOKEN_ENDPOINT="https://sso.massopen.cloud/auth/realms/moc/protocol/openid-connect/token"
export OS_DISCOVERY_ENDPOINT="https://sso.massopen.cloud/auth/realms/moc/.well-known/openid-configuration"
export OS_INTERFACE=public
export OS_IDENTITY_API_VERSION=3
Replace with your username and project name to use.

Now after installing the OpenStack Client, via pip using the following command, you can run openstack cli commands.
pip install python-openstackclient

Using Python

First, make sure that keystoneauth is installed.

pip install keystoneauth
After that you can authenticate with the following (filling in username, password and project_name):

from keystoneauth1 import identity
from keystoneauth1 import session

auth = identity.v3.oidc.OidcPassword(
    'https://kaizen.massopen.cloud:13000/v3',
    identity_provider='moc',
    protocol='openid',
    client_id='kaizen-client',
    client_secret='fac377a9-f2ba-41e7-bb7f-4064dd9f4468',
    access_token_endpoint='https://sso.massopen.cloud/auth/realms/moc/protocol/openid-connect/token',
    discovery_endpoint='https://sso.massopen.cloud/auth/realms/moc/.well-known/openid-configuration',
    username='',
    password='',
    project_name='',
    project_domain_name='Default'
)
s = session.Session(auth)
This session object can be used to instantiate the various clients, like python-novaclient or python-cinderclient.

Clouds.yaml

clouds:
  kaizen_oidc:
    auth:
      username: ""
      password: ""
      project_name: ""
      identity_provider: "moc"
      protocol: "openid"
      client_id: "kaizen-client"
      client_secret: "fac377a9-f2ba-41e7-bb7f-4064dd9f4468"
      access_token_endpoint: "https://sso.massopen.cloud/auth/realms/moc/protocol/openid-connect/token"
      discovery_endpoint: "https://sso.massopen.cloud/auth/realms/moc/.well-known/openid-configuration"
      auth_url: https://kaizen.massopen.cloud:13000/v3
      project_domain_name: "Default"
    region_name: "moc-kzn"
    interface: "public"
    identity_api_version: 3
    auth_type: "v3oidcpassword"

Using Application Credentials

This is an alternative approach and doesn't require any of the steps specified above.

  1. Go to https://onboarding.massopen.cloud and log in with your account.
  2. Select the project you would like to create an application credential for in the dropdown, similar to how you switch projects in the Kaizen dashboard.
  3. Navigate to Identity > Application Credentials in the sidebar.
  4. Click Create Application Credential
  5. Specify a name, everything else is optional.
  6. After creation, you will be prompted to download an RC file or a clouds.yaml file which looks something like the one below:
kaizen:
    auth:
      auth_url: "https://kaizen.massopen.cloud:13000/v3"
      application_credential_id: ""
      application_credential_secret: ""
    region_name: "moc-kzn"
    interface: "public"
    identity_api_version: 3
    auth_type: "v3applicationcredential"

Please Wait!

Please wait... it will take a second!