[KEYSTONE][FEDERATION] Groups mapping problem when using keycloak as IDP

Jonathan Rosser jonathan.rosser at rd.bbc.co.uk
Wed Feb 3 18:27:12 UTC 2021


Hi Jean-Francois,

I made a patch to the openstack-ansible keystone role which will 
hopefully address this. It would be really helpful if you are able to 
test the patch and provide some feedback.

https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/773978

Regards,
Jonathan.

On 03/02/2021 10:03, Taltavull Jean-Francois wrote:
> Hello,
>
> Actually, the solution is to add this line to Apache configuration:
> OIDCClaimDelimiter ";"
>
> The problem is that this configuration variable does not exist in OSA keystone role and its apache configuration template (https://opendev.org/openstack/openstack-ansible-os_keystone/src/branch/master/templates/keystone-httpd.conf.j2).
>
>
> Jean-Francois
>
>> -----Original Message-----
>> From: Taltavull Jean-Francois
>> Sent: Monday, 1 February 2021 14:44
>> To: openstack-discuss at lists.openstack.org
>> Subject: [KEYSTONE][FEDERATION] Groups mapping problem when using
>> keycloak as IDP
>>
>> Hello,
>>
>> In order to implement identity federation, I've deployed (with OSA) keystone
>> (Ussuri) as Service Provider and Keycloak as IDP.
>>
>> As one can read at [1], "groups" can have multiple values and each value must
>> be separated by a ";"
>>
>> But, in the OpenID token sent by keycloak, groups are represented with a JSON
>> list and keystone fails to parse it well (only the first group of the list is mapped).
>>
>> Have any of you already faced this problem?
>>
>> Thanks!
>>
>> Jean-François
>>
>> [1] https://docs.openstack.org/keystone/ussuri/admin/federation/mapping_combinations.html
>
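The delimiter mismatch the thread describes, as an added simulation (not code from mod_auth_openidc, keystone or the openstack-ansible role): a list-valued "groups" claim is flattened into one attribute string with the proxy's claim delimiter, while the keystone mapping splits group names on ";". The claim values, the mapping rule and the "OIDC-" attribute prefix are constructed assumptions.

```python
import json

# Constructed ID-token claims, shaped like what Keycloak sends (not a real token).
ID_TOKEN_CLAIMS = json.dumps({
    "sub": "jdoe",
    "email": "jdoe@example.org",
    "groups": ["cloud-admins", "project-devs", "auditors"],
})

# Constructed keystone mapping rule: remote attribute index 1 feeds "groups".
MAPPING_RULE = {
    "local": [
        {"user": {"name": "{0}"}},
        {"groups": "{1}", "domain": {"name": "Default"}},
    ],
    "remote": [{"type": "OIDC-email"}, {"type": "OIDC-groups"}],
}


def flatten_claims(claims_json, delimiter=","):
    """Model how the Apache OIDC module passes claims to keystone: each claim
    becomes an OIDC-<name> attribute and list values are joined with the
    configured claim delimiter (assumed default "," when OIDCClaimDelimiter
    is not set, ";" once the thread's fix is applied)."""
    attrs = {}
    for name, value in json.loads(claims_json).items():
        if isinstance(value, list):
            value = delimiter.join(str(v) for v in value)
        attrs["OIDC-" + name] = str(value)
    return attrs


def map_groups(attrs, rule):
    """Apply the 'groups' part of the mapping rule: keystone treats the remote
    value as ';'-separated group names, as the mapping documentation requires."""
    remote_values = [attrs.get(r["type"], "") for r in rule["remote"]]
    for local in rule["local"]:
        if "groups" in local:
            index = int(local["groups"].strip("{}"))
            return [g for g in remote_values[index].split(";") if g]
    return []


def mapped_groups(delimiter):
    """Groups keystone ends up with for a given proxy claim delimiter."""
    return map_groups(flatten_claims(ID_TOKEN_CLAIMS, delimiter), MAPPING_RULE)


if __name__ == "__main__":
    # With ",": one bogus group name containing the whole list, so no real group matches.
    print(mapped_groups(","))
    # With ";" (OIDCClaimDelimiter ";"): three distinct group names.
    print(mapped_groups(";"))
```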