Home OpenStack-Ansible Installation Guide

Configure Identity service (keystone) as a federated identity providerΒΆ

The Identity Provider (IdP) configuration for keystone provides a dictionary attribute with the key keystone_idp. The following is a complete example:

keystone_idp:
  certfile: "/etc/keystone/ssl/idp_signing_cert.pem"
  keyfile: "/etc/keystone/ssl/idp_signing_key.pem"
  self_signed_cert_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}"
  regen_cert: false
  idp_entity_id: "{{ keystone_service_publicurl_v3 }}/OS-FEDERATION/saml2/idp"
  idp_sso_endpoint: "{{ keystone_service_publicurl_v3 }}/OS-FEDERATION/saml2/sso"
  idp_metadata_path: /etc/keystone/saml2_idp_metadata.xml
  service_providers:
    - id: "sp_1"
      auth_url: https://example.com:5000/v3/OS-FEDERATION/identity_providers/idp/protocols/saml2/auth
      sp_url: https://example.com:5000/Shibboleth.sso/SAML2/ECP
  organization_name: example_company
  organization_display_name: Example Corp.
  organization_url: example.com
  contact_company: example_company
  contact_name: John
  contact_surname: Smith
  contact_email: jsmith@example.com
  contact_telephone: 555-55-5555
  contact_type: technical

The following list is a reference of allowed settings:

  • certfile defines the location and filename of the SSL certificate that the IdP uses to sign assertions. This file must be in a location that is accessible to the keystone system user.
  • keyfile defines the location and filename of the SSL private key that the IdP uses to sign assertions. This file must be in a location that is accessible to the keystone system user.
  • self_signed_cert_subject is the subject in the SSL signing certificate. The common name of the certificate must match the hostname configuration in the service provider(s) for this IdP.
  • regen_cert by default is set to False. When set to True, the next Ansible run replaces the existing signing certificate with a new one. This setting is added as a convenience mechanism to renew a certificate when it is close to its expiration date.
  • idp_entity_id is the entity ID. The service providers use this as a unique identifier for each IdP. <keystone-public-endpoint>/OS-FEDERATION/saml2/idp is the value we recommend for this setting.
  • idp_sso_endpoint is the single sign-on endpoint for this IdP. <keystone-public-endpoint>/OS-FEDERATION/saml2/sso> is the value we recommend for this setting.
  • idp_metadata_path is the location and filename where the metadata for this IdP is cached. The keystone system user must have access to this location.
  • service_providers is a list of the known service providers (SP) that use the keystone instance as identity provider. For each SP, provide three values: id as a unique identifier, auth_url as the authentication endpoint of the SP, and sp_url endpoint for posting SAML2 assertions.
  • organization_name, organization_display_name, organization_url, contact_company, contact_name, contact_surname, contact_email, contact_telephone and contact_type are settings that describe the identity provider. These settings are all optional.

Previous topic

Configure Identity Service (keystone) as a federated service provider

Next topic

Configuring Active Directory Federation Services (ADFS) 3.0 as an identity provider

Project Source

This Page