Hello,
this is a bit of a long shot, but maybe some of you successfully configured OpenStack to use Keycloak as an Identity Provider so we can use Single Sign-On on Horizon.
To install and configure OpenStack Keystone I am using 'stable/xena' version of the
https://github.com/openstack/puppet-keystone . Likewise for Horizon. So far so good.
I would like to enable openid in Keystone so I can have Single Sign-On via Horizon.
I am pretty much following the official docs:
https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html with the help of the puppet module.
To do it I included the class:
include ::keystone::federation::openidc
And configured some hiera variables:
keystone::federation::openidc::keystone_url: "https://openstackdev.loadbalancer:5000"
keystone::federation::openidc::methods: 'password,token,oauth1,mapped,openid'
keystone::federation::openidc::idp_name: 'keycloak'
keystone::federation::openidc::openidc_provider_metadata_url: 'https://keycloak_server/auth/realms/BBP/.well-known/openid-configuration'
keystone::federation::openidc::openidc_client_id: 'a_keycloak_client'
keystone::federation::openidc::openidc_client_secret: <redacted>
keystone::federation::openidc::openidc_crypto_passphrase: <redacted>
keystone::federation::openidc::remote_id_attribute: 'HTTP_OIDC_ISS'
And this is the resulting relevant configuration in /etc/httpd/conf.d/10-keystone_wsgi.conf
[...]
OIDCClaimPrefix "OIDC-"
OIDCResponseType "id_token"
OIDCScope "openid email profile"
OIDCProviderMetadataURL "https://keycloak_server/auth/realms/BBP/.well-known/openid-configuration"
OIDCClientID "a_keycloak_client"
OIDCClientSecret <redacted>
OIDCCryptoPassphrase <redacted>
# The following directives are necessary to support websso from Horizon
# (Per https://docs.openstack.org/keystone/pike/advanced-topics/federation/websso.html)
OIDCRedirectURI "https://openstackdev.loadbalancer:5000/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso"
OIDCRedirectURI "https://openstackdev.loadbalancer:5000/v3/auth/OS-FEDERATION/websso/openid"
<LocationMatch "/v3/auth/OS-FEDERATION/websso/openid">
AuthType "openid-connect"
Require valid-user
</LocationMatch>
<LocationMatch "/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso">
AuthType "openid-connect"
Require valid-user
</LocationMatch>
------------------------------------------------------------------------------------------------------------------------------------------------------------------------
But unfortunately this does not work. First of all, the OIDCRedirectURI the module set points to a valid URL with content.
So I manually changed them by:
OIDCRedirectURI "https://openstackdev.loadbalancer:5000/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso/redirect_url"
OIDCRedirectURI "https://openstackdev.loadbalancer:5000/v3/auth/OS-FEDERATION/websso/openid/redirect_url"
And in:
/var/log/keystone/keystone.log
{
  "message": "Could not find Identity Provider: https://keycloak_server/auth/realms/BBP.",
  "asctime": "2022-11-16 16:24:56",
  "name": "keystone.server.flask.application",
  "msg": "Could not find Identity Provider: https://keycloak_server/auth/realms/BBP.",
  "args": [],
  "levelname": "WARNING",
  "levelno": 30,
  "pathname": "/usr/lib/python3.6/site-packages/keystone/server/flask/application.py",
  "filename": "application.py",
  "module": "application",
  "lineno": 87,
  "funcname": "_handle_keystone_exception",
  "created": 1668612296.6284614,
  "msecs": 628.4613609313965,
  "relative_created": 32117.148637771606,
  "thread": 140579135473408,
  "thread_name": "Dummy-1",
  "process_name": "MainProcess",
  "process": 3051629,
  "traceback": null,
  "hostname": "bbpcb030.bbp.epfl.ch",
  "error_summary": "keystone.exception.IdentityProviderNotFound: Could not find Identity Provider: https://keycloak_server/auth/realms/BBP.",
  "context": {
    "user_name": null, "project_name": null, "domain_name": null,
    "user_domain_name": null, "project_domain_name": null,
    "user": null, "tenant": null, "system_scope": null,
    "project": null, "domain": null, "user_domain": null, "project_domain": null,
    "is_admin": false, "read_only": false, "show_deleted": false,
    "auth_token": null,
    "request_id": "req-5187f72d-cb4b-470f-9635-6c05565707eb",
    "global_request_id": null, "resource_uuid": null,
    "roles": [],
    "user_identity": "- - - - -",
    "is_admin_project": true
  },
  "extra": {"project": null, "version": "unknown"}
}
And this is how I configured the identity provider, mapping and federation protocol.
# openstack identity provider show keycloak
+-------------------+-----------------------------------------+
| Field | Value |
+-------------------+-----------------------------------------+
| authorization_ttl | None |
| description | None |
| domain_id | 96a75a2b29b5411497a9971c14a2167c |
| enabled | True |
| id | keycloak |
| remote_ids | https://keycloak_server/auth/realms/BBP |
+-------------------+-----------------------------------------+
# openstack mapping show openid_mapping
+-------+----------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+-------+----------------------------------------------------------------------------------------------------------------------------------------------------------------+
| id | openid_mapping |
| rules | [{'local': [{'user': {'name': '{0}'}, 'group': {'domain': {'name': 'Default'}, 'name': 'federated_users'}}], 'remote': [{'type': 'OIDC-preferred_username'}]}] |
+-------+----------------------------------------------------------------------------------------------------------------------------------------------------------------+
# openstack federation protocol show --identity-provider keycloak openid
+---------+----------------+
| Field | Value |
+---------+----------------+
| id | openid |
| mapping | openid_mapping |
+---------+----------------+
Can someone please give me a hand with this?
Thank you very much,
Daniel.
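As an added example, not from the post above and not Keystone's own code, the following is a simplified Python model of what the generic `/v3/auth/OS-FEDERATION/websso/openid` endpoint does with a request that mod_auth_openidc has already authenticated: read the remote ID from the WSGI environ key named by `remote_id_attribute`, resolve the identity provider by exact string match against its registered `remote_ids`, then apply the protocol's mapping rules to the `OIDC-*` claims. The identity provider, protocol and mapping are the ones shown in the post. The environ is constructed for the example, and the key names (`HTTP_OIDC_ISS` for the issuer claim, `OIDC-preferred_username` for the username) assume that mod_auth_openidc passes claims both as request headers and as environment variables with the `OIDC-` claim prefix; the user name `daniel` is invented.

```python
"""Simplified model of Keystone's generic websso path for OpenID Connect.

Illustrative model only (not Keystone's code, not part of the original post).
Assumes mod_auth_openidc has authenticated the user and that, with
OIDCClaimPrefix "OIDC-", the issuer claim arrives as the header HTTP_OIDC_ISS
and the other claims as environment variables such as OIDC-preferred_username.
"""
import json

REMOTE_ID_ATTRIBUTE = "HTTP_OIDC_ISS"  # the post's remote_id_attribute setting

# Identity provider, protocol and mapping as shown in the post.
IDENTITY_PROVIDERS = {
    "keycloak": {"enabled": True,
                 "remote_ids": ["https://keycloak_server/auth/realms/BBP"]},
}
PROTOCOLS = {("keycloak", "openid"): "openid_mapping"}
MAPPINGS = {
    "openid_mapping": [{
        "local": [{"user": {"name": "{0}"},
                   "group": {"domain": {"name": "Default"},
                             "name": "federated_users"}}],
        "remote": [{"type": "OIDC-preferred_username"}],
    }],
}

# Constructed WSGI environ for a request mod_auth_openidc has let through.
GOOD_ENVIRON = {
    "HTTP_OIDC_ISS": "https://keycloak_server/auth/realms/BBP",
    "OIDC-preferred_username": "daniel",  # invented user
}


class IdentityProviderNotFound(Exception):
    pass


class ValidationError(Exception):
    pass


def find_idp_by_remote_id(environ):
    """Resolve the IdP from the remote_id attribute.  The comparison is an
    exact string match against the registered remote_ids: a trailing slash,
    a different scheme or port, or a case difference is a different remote_id."""
    remote_id = environ.get(REMOTE_ID_ATTRIBUTE)
    if not remote_id:
        raise ValidationError("Missing entity ID from environment")
    for idp_id, idp in IDENTITY_PROVIDERS.items():
        if idp["enabled"] and remote_id in idp["remote_ids"]:
            return idp_id
    raise IdentityProviderNotFound(
        "Could not find Identity Provider: %s." % remote_id)


def _substitute(obj, values):
    """Fill the {n} placeholders of a 'local' section with the remote values."""
    if isinstance(obj, str):
        return obj.format(*values)
    if isinstance(obj, dict):
        return {k: _substitute(v, values) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_substitute(v, values) for v in obj]
    return obj


def apply_mapping(rules, environ):
    """Direct-mapping rules: the first rule whose 'remote' attributes are all
    present in the environ produces the local user/group."""
    for rule in rules:
        values = [environ.get(remote["type"]) for remote in rule["remote"]]
        if all(v is not None for v in values):
            local = {}
            for entry in _substitute(rule["local"], values):
                local.update(entry)
            return local
    raise ValidationError("Mapping rules did not match any assertion attribute")


def websso_login(environ, protocol_id):
    """Generic websso path: IdP from remote_id, then protocol -> mapping -> user."""
    idp_id = find_idp_by_remote_id(environ)
    mapping_id = PROTOCOLS.get((idp_id, protocol_id))
    if mapping_id is None:
        raise ValidationError(
            "Protocol %s is not registered for %s" % (protocol_id, idp_id))
    local = apply_mapping(MAPPINGS[mapping_id], environ)
    return {"identity_provider": idp_id, "protocol": protocol_id, **local}


def try_login(environ, protocol_id="openid"):
    """Return the error text instead of raising, for quick checks."""
    try:
        return websso_login(environ, protocol_id)
    except (IdentityProviderNotFound, ValidationError) as exc:
        return {"error": str(exc)}


if __name__ == "__main__":
    print(json.dumps(try_login(GOOD_ENVIRON), indent=2))
    # Near misses in the issuer string, each rejected with the same warning
    # the post's keystone.log shows.
    for issuer in ("https://keycloak_server/auth/realms/BBP/",
                   "http://keycloak_server/auth/realms/BBP",
                   "https://keycloak_server/auth/realms/bbp"):
        print(try_login(dict(GOOD_ENVIRON, HTTP_OIDC_ISS=issuer)))
```

The point the model makes is that the "Could not find Identity Provider" warning is raised by the remote-ID lookup, before any mapping rule runs, and that the lookup is a byte-for-byte comparison between the value of the environ key named by `remote_id_attribute` and the strings in the provider's `remote_ids`. A practical first check is therefore to dump the exact `HTTP_OIDC_ISS` value the WSGI app receives (for instance with a temporary `LogLevel auth_openidc:debug` in Apache) and compare it character by character with the registered remote ID.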