Add support of Keystone OIDC Federation

Some parameters are optional, while others are mutually exclusive.

  keystone:
    server:
      auth_methods:
      - password
      - token
      - saml2
      - oidc
      service_name: apache2
      federation:
        saml2:
          protocol: saml2
          remote_id_attribute: Shib-Identity-Provider
          shib_url_scheme: https
          shib_compat_valid_user: 'on'
        oidc:
          protocol: oidc
          remote_id_attribute: HTTP_OIDC_ISS
          remote_id_attribute_value: https://accounts.google.com
          oidc_claim_prefix: "OIDC-"
          oidc_response_type: id_token
          oidc_scope: "openid email profile"
          oidc_provider_metadata_url: https://accounts.google.com/.well-known/openid-configuration
          oidc_client_id: <openid_client_id>
          oidc_client_secret: <openid_client_secret>
          oidc_crypto_passphrase: openstack
          oidc_redirect_uri: https://key.example.com:5000/v3/auth/OS-FEDERATION/websso/oidc/redirect
          oidc_oauth_introspection_endpoint: https://www.googleapis.com/oauth2/v1/tokeninfo
          oidc_oauth_introspection_token_param_name: access_token
          oidc_oauth_remote_user_claim: user_id
          oidc_ssl_validate_server: 'off'
          oidc_oauth_verify_shared_keys:
            - type: plain
              kid: example1
              key: examplekeycontentplain
            - type: hex
              kid: example2
              key: examplekeycontenthex
          oidc_oauth_verify_cert_files:
            - kid: example3
              filename: /root/example3.crt
            - kid: example4
              filename: /root/example4.crt
        federated_domain_name: Default
        trusted_dashboard:
          - https://${_param:cluster_public_host}/auth/websso/

Change-Id: Ib05b99ebf69b622da7e113f0bd0a5ed8037f5c6b
9 files changed