Home OpenStack-Ansible Installation Guide

Configure Identity Service (keystone) as a federated identity providerΒΆ

The identity provider (IdP) configuration for Keystone must be provided in a dictionary attribute with the key keystone_idp. The following is a complete example:

keystone_idp:
  certfile: "/etc/keystone/ssl/idp_signing_cert.pem"
  keyfile: "/etc/keystone/ssl/idp_signing_key.pem"
  self_signed_cert_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}"
  regen_cert: false
  idp_entity_id: "{{ keystone_service_publicurl_v3 }}/OS-FEDERATION/saml2/idp"
  idp_sso_endpoint: "{{ keystone_service_publicurl_v3 }}/OS-FEDERATION/saml2/sso"
  idp_metadata_path: /etc/keystone/saml2_idp_metadata.xml
  service_providers:
    - id: "sp_1"
      auth_url: https://example.com:5000/v3/OS-FEDERATION/identity_providers/idp/protocols/saml2/auth
      sp_url: https://example.com:5000/Shibboleth.sso/SAML2/ECP
  organization_name: example_company
  organization_display_name: Example Corp.
  organization_url: example.com
  contact_company: example_company
  contact_name: John
  contact_surname: Smith
  contact_email: jsmith@example.com
  contact_telephone: 555-55-5555
  contact_type: technical

The following list is a reference of all the allowed settings:

  • certfile defines the location and filename of the SSL certificate that the IdP uses to sign assertions. This file must be in a location that is accessible to the keystone system user.
  • keyfile defines the location and filename of the SSL private key that the IdP uses to sign assertions. This file must be in a location that is accessible to the keystone system user.
  • self_signed_cert_subject is the subject used in the SSL signing certificate. It is important to note that the common name of the certificate must match the hostname that is configured in the service provider(s) for this IdP.
  • regen_cert should normally be set to False. When set to True, the existing signing certificate will be replaced with a new one. This setting is added as a convenience mechanism to renew a certificate when it is close to its expiration date.
  • idp_entity_id is the entity ID. The service providers will use this as a unique identifier for each IdP. The recommended value for this setting is <keystone-public-endpoint>/OS-FEDERATION/saml2/idp
  • idp_sso_endpoint is the single sign-on endpoint for this IdP. The recommended value for this setting is <keystone-public-endpoint>/OS-FEDERATION/saml2/sso>
  • idp_metadata_path is the location and filename where the metadata for this IdP will be cached. The keystone system user must have access to this location.
  • service_providers is a list of the known service providers that will be using this keystone instance as identity provider. For each SP there are three values that need to be provided: id is a unique identifier, auth_url is the authentication endpoint of the SP, and sp_url is the endpoint where SAML2 assertions need to be posted.
  • organization_name, organization_display_name, organization_url, contact_company, contact_name, contact_surname, contact_email, contact_telephone and contact_type are all settings that describe the identity provider. These settings are all optional.

Previous topic

Configure Identity Service (keystone) as a federated service provider

Next topic

Configure Active Directory Federation Services (ADFS) 3.0 as an identity provider

Project Source

This Page