Hello,

Actually, the solution is to add this line to the Apache configuration:

OIDCClaimDelimiter ";"

The problem is that this configuration variable does not exist in the OSA keystone role and its Apache configuration template (https://opendev.org/openstack/openstack-ansible-os_keystone/src/branch/maste...).

Jean-Francois
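To make the delimiter mismatch concrete, here is an added Python model of the path a multi-valued "groups" claim takes from the Keycloak ID token to keystone's mapping engine. It is not code from keystone, mod_auth_openidc, Keycloak or the OSA role: the flattening of a JSON list into one delimited string stands in for what mod_auth_openidc does when it exports claims to Apache environment variables, the assumed default delimiter is ",", and the split on ";" follows the keystone mapping documentation cited in the thread. The token payload is constructed sample data.

```python
"""Model of the claim-delimiter mismatch between mod_auth_openidc and keystone.

Added example, not code from keystone, mod_auth_openidc, Keycloak or the
OSA os_keystone role. Behaviour modelled here (assumptions, not verified
against those code bases):
  * Keycloak emits "groups" as a JSON list in the ID token.
  * mod_auth_openidc flattens a multi-valued claim into a single header /
    environment value, joining the values with OIDCClaimDelimiter
    (default assumed to be ",").
  * keystone's mapping treats a multi-valued attribute as ";"-separated
    (per the mapping_combinations documentation linked in the thread).
"""
import json
from typing import List

# Constructed ID token payload, shaped like what Keycloak might emit
# (sample data, not a real token).
KEYCLOAK_TOKEN_PAYLOAD = json.dumps({
    "sub": "f0c2e1a4-0000-4000-8000-000000000001",
    "preferred_username": "jfrancois",
    "groups": ["openstack-admins", "project-a-members", "project-b-members"],
})


def flatten_claim(payload: str, claim: str, delimiter: str = ",") -> str:
    """Model of how mod_auth_openidc exports one claim to Apache.

    A JSON list becomes a single string joined with `delimiter` (modelling
    OIDCClaimDelimiter); scalar claims pass through unchanged.
    """
    value = json.loads(payload)[claim]
    if isinstance(value, list):
        return delimiter.join(str(v) for v in value)
    return str(value)


def keystone_split(attribute_value: str) -> List[str]:
    """Model of keystone's handling of a multi-valued mapping attribute:
    the documented separator between values is ';'."""
    return [v.strip() for v in attribute_value.split(";") if v.strip()]


def mapped_groups(payload: str, oidc_claim_delimiter: str) -> List[str]:
    """End to end: token claim -> Apache env value -> group names keystone sees."""
    env_value = flatten_claim(payload, "groups", oidc_claim_delimiter)
    return keystone_split(env_value)


def delimiter_matches_keystone(oidc_claim_delimiter: str) -> bool:
    """Deployment sanity check: the Apache delimiter must be the one keystone
    splits on, otherwise every group name is glued into a single token."""
    return oidc_claim_delimiter == ";"


if __name__ == "__main__":
    for delim in (",", ";"):
        env_value = flatten_claim(KEYCLOAK_TOKEN_PAYLOAD, "groups", delim)
        print(f"OIDCClaimDelimiter {delim!r}: env value {env_value!r}"
              f" -> keystone sees {mapped_groups(KEYCLOAK_TOKEN_PAYLOAD, delim)}")
```

With the assumed default delimiter the three group names reach keystone as one string, "openstack-admins,project-a-members,project-b-members", which matches no real group; with `OIDCClaimDelimiter ";"` in the mod_auth_openidc virtual host they arrive as three separate names. When the directive has to be carried in a deployment tool such as OSA, a check like `delimiter_matches_keystone` on the rendered template is a cheap way to catch a regression.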
-----Original Message-----
From: Taltavull Jean-Francois
Sent: Monday, 1 February 2021 14:44
To: openstack-discuss@lists.openstack.org
Subject: [KEYSTONE][FEDERATION] Groups mapping problem when using keycloak as IDP
Hello,
In order to implement identity federation, I've deployed (with OSA) keystone (Ussuri) as Service Provider and Keycloak as IDP.
As one can read at [1], "groups" can have multiple values and each value must be separated by a ";".
But, in the OpenID token sent by keycloak, groups are represented with a JSON list and keystone fails to parse it well (only the first group of the list is mapped).
Have any of you already faced this problem?
Thanks !
Jean-François
[1] https://docs.openstack.org/keystone/ussuri/admin/federation/mapping_combinations.html