[openstack-ansible] Keystone federation with OpenID needs shibboleth

Taltavull Jean-Francois jean-francois.taltavull at elca.ch
Wed May 5 16:41:42 UTC 2021


I've got keystone_sp.apache_mod = mod_auth_openidc


> -----Original Message-----
> From: Jonathan Rosser <jonathan.rosser at rd.bbc.co.uk>
> Sent: Wednesday, 5 May 2021 17:57
> To: openstack-discuss at lists.openstack.org
> Subject: Re: [openstack-ansible] Keystone federation with OpenID needs shibboleth
> 
> Hi Jean-Francois,
> 
> I have a similar deployment of Victoria on Ubuntu 18.04 using OIDC.
> 
> On Ubuntu 18.04 libapache2-mod-auth-openidc and libapache2-mod-shib2 can't
> be co-installed as they require conflicting versions of libcurl - see the
> workaround here
> https://github.com/openstack/openstack-ansible-os_keystone/blob/master/vars/debian.yml#L58-L61
> 
> For Ubuntu 20.04 these packages are co-installable so whenever keystone is
> configured to be a SP both are installed, as here
> https://github.com/openstack/openstack-ansible-os_keystone/blob/master/vars/ubuntu-20.04.yml#L58-L60
> 
> A starting point would be checking what you've got keystone_sp.apache_mod
> set to in your config, as this drives how the apache config is constructed, here
> https://github.com/openstack/openstack-ansible-os_keystone/blob/master/tasks/main.yml#L51-L68
> 
> In particular, if keystone_sp.apache_mod is undefined in your config, the
> defaults assume mod_shib is required.
> 
> You can also join us in the IRC channel #openstack-ansible we can debug further.
> 
> Regards
> Jonathan.
> 
> On 05/05/2021 16:26, Taltavull Jean-Francois wrote:
> > Hi All,
> >
> > I'm trying to make keystone federation with openid connect work on an
> > Ubuntu 20.04 + Victoria cloud deployed with OSA.
> >
> > Despite the fact that I use openid, shibboleth seems to be involved and I had to
> > add the "ShibCompatValidUser On" directive to the file "/etc/apache2/conf-available/shib.conf",
> > by hand in the keystone lxc container, in order to successfully authenticate
> > ("valid user: granted" and not "valid user: denied" in apache log file).
> >
> > Has anyone already experienced this use case?
> >
> > Thanks and best regards,
> > Jean-Francois
> >
> >
> >
> >
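
A check for the module overlap discussed above, as an added example that is not part of the thread or of the openstack-ansible os_keystone role. It takes the text you would capture inside the keystone container (the output of "apache2ctl -M", the SP vhost file, the result of "a2query -c shib" and the contents of /etc/apache2/conf-available/shib.conf; the command names and the vhost contents are assumptions, and every sample input below is constructed) and reports whether the AuthType in the vhost matches a loaded module, and whether mod_shib is active next to mod_auth_openidc without "ShibCompatValidUser On", the combination that produced "valid user: denied" in the original post.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or the openstack-ansible project).
# Works out which Apache auth module really handles the keystone SP
# endpoint and flags the overlap the thread describes: mod_shib loaded
# next to mod_auth_openidc with shib.conf enabled and no
# "ShibCompatValidUser On", which showed up as "valid user: denied".
# Inputs are the text you would capture inside the keystone container
# (assumed commands): apache2ctl -M, the SP vhost file, a2query -c shib,
# and /etc/apache2/conf-available/shib.conf.  All samples below are
# constructed for the example.
set -u

# Print which federation auth modules are loaded: openidc, shib, both, none.
loaded_auth_modules() {
    local mods="$1" oidc=0 shib=0
    printf '%s\n' "$mods" | grep -q 'auth_openidc_module' && oidc=1
    printf '%s\n' "$mods" | grep -q '^[[:space:]]*mod_shib[[:space:]]' && shib=1
    case "${oidc}${shib}" in
        11) echo both ;;
        10) echo openidc ;;
        01) echo shib ;;
        *)  echo none ;;
    esac
}

# Print the (lower-cased) AuthType used by the SP vhost, or nothing.
vhost_authtype() {
    printf '%s\n' "$1" | awk 'tolower($1)=="authtype" {print tolower($2); exit}'
}

# Print one verdict: ok | oidc-module-missing | shib-module-missing |
# shib-valid-user-conflict | unknown-authtype
check_sp() {
    local mods="$1" vhost="$2" shib_conf_enabled="$3" shib_conf="$4"
    local loaded authtype
    loaded=$(loaded_auth_modules "$mods")
    authtype=$(vhost_authtype "$vhost")
    case "$authtype" in
        openid-connect)
            case "$loaded" in
                openidc|both) ;;
                *) echo oidc-module-missing; return ;;
            esac
            # An active mod_shib next to mod_auth_openidc is the situation
            # the thread fixed by adding "ShibCompatValidUser On" to shib.conf.
            if [ "$loaded" = both ] && [ "$shib_conf_enabled" = 1 ] &&
               ! printf '%s\n' "$shib_conf" |
                 grep -Eiq '^[[:space:]]*ShibCompatValidUser[[:space:]]+On'; then
                echo shib-valid-user-conflict; return
            fi
            echo ok ;;
        shibboleth)
            case "$loaded" in
                shib|both) echo ok ;;
                *) echo shib-module-missing ;;
            esac ;;
        *) echo unknown-authtype ;;
    esac
}

# --- constructed samples (not real captures) ---------------------------
MODS_BOTH='Loaded Modules:
 core_module (static)
 auth_openidc_module (shared)
 mod_shib (shared)'
MODS_OIDC_ONLY='Loaded Modules:
 core_module (static)
 auth_openidc_module (shared)'
VHOST_OIDC='<Location /v3/OS-FEDERATION/identity_providers/example/protocols/openid/auth>
    AuthType openid-connect
    Require valid-user
</Location>'
VHOST_SHIB='<Location /v3/OS-FEDERATION/identity_providers/example/protocols/saml2/auth>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require valid-user
</Location>'
SHIB_CONF_DEFAULT='<IfModule mod_shib>
  # ShibCompatValidUser Off
</IfModule>'
SHIB_CONF_FIXED='<IfModule mod_shib>
  ShibCompatValidUser On
</IfModule>'

# Stand-alone run: reproduce the thread (both modules, shib.conf enabled).
printf 'both modules, default shib.conf: %s\n' \
    "$(check_sp "$MODS_BOTH" "$VHOST_OIDC" 1 "$SHIB_CONF_DEFAULT")"
printf 'both modules, ShibCompatValidUser On: %s\n' \
    "$(check_sp "$MODS_BOTH" "$VHOST_OIDC" 1 "$SHIB_CONF_FIXED")"
printf 'openidc only: %s\n' \
    "$(check_sp "$MODS_OIDC_ONLY" "$VHOST_OIDC" 0 '')"
```

Run it as-is to see the three verdicts; on a real container, replace the constructed samples with the captured output. The first sample (both modules loaded, shib.conf enabled, default contents) yields shib-valid-user-conflict, which is the state the original post describes; the same inputs with "ShibCompatValidUser On" yield ok, as does an Ubuntu 18.04-style host where only mod_auth_openidc is loaded.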