I've made a patch to correct this module name which it would be great if you could test and leave a comment if it's OK

https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/790018

Are you able to debug any further why the shib module is being enabled, maybe through using -vv on the openstack-ansible command to show the task parameters, or adding some debug tasks in os_keystone to show the values of keystone_sp_apache_mod_shib and keystone_sp_apache_mod_auth_openidc?

On 06/05/2021 09:17, Taltavull Jean-Francois wrote:

I forgot to mention: in Ubuntu 20.04, the apache shibboleth module is named "shib" and not "sib2". So, I had to supersede the variable
" keystone_apache_modules". If you don't do this, os-keystone playbook fails with " "Failed to set module shib2 to disabled:\n\nMaybe the module identifier (mod_shib) was guessed incorrectly.Consider setting the \"identifier\" option.", "rc": 1, "stderr": "ERROR: Module shib2 does not exist!\n"".

So, apache modules enabled are:
- shib
- auth_openidc
- proxy_uwsgi
- headers

-----Original Message-----
From: Jonathan Rosser <jonathan.rosser@rd.bbc.co.uk>
Sent: mercredi, 5 mai 2021 19:19
To: openstack-discuss@lists.openstack.org
Subject: Re: [openstack-ansible] Keystone federation with OpenID needs
shibboleth

Could you check which apache modules are enabled?

The set is defined in the code here
https://github.com/openstack/openstack-ansible-
os_keystone/blob/master/vars/ubuntu-20.04.yml#L85-L95

On 05/05/2021 17:41, Taltavull Jean-Francois wrote:

I've got keystone_sp.apache_mod = mod_auth_openidc