I've got keystone_sp.apache_mod = mod_auth_openidc
-----Original Message----- From: Jonathan Rosser <jonathan.rosser@rd.bbc.co.uk> Sent: mercredi, 5 mai 2021 17:57 To: openstack-discuss@lists.openstack.org Subject: Re: [openstack-ansible] Keystone federation with OpenID needs shibboleth
Hi Jean-Francois,
I have a similar deployment of Victoria on Ubuntu 18.04 using OIDC .
On Ubuntu 18.04 libapache2-mod-auth-openidc and libapache2-mod-shib2 can't be co-installed as they require conflicting versions of libcurl - see the workaround here https://github.com/openstack/openstack-ansible- os_keystone/blob/master/vars/debian.yml#L58-L61
For Ubuntu 20.04 these packages are co-installable so whenever keystone is configured to be a SP both are installed, as here https://github.com/openstack/openstack-ansible- os_keystone/blob/master/vars/ubuntu-20.04.yml#L58-L60
A starting point would be checking what you've got keystone_sp.apache_mod set to in your config, as this drives how the apache config is constructed, here https://github.com/openstack/openstack-ansible- os_keystone/blob/master/tasks/main.yml#L51-L68
In particular, if keystone_sp.apache_mod is undefined in your config, the defaults assume mod_shib is required.
You can also join us in the IRC channel #openstack-ansible we can debug further.
Regards Jonathan.
On 05/05/2021 16:26, Taltavull Jean-Francois wrote:
Hi All,
I'm trying to make keystone federation with openid connect work on an Ubuntu 20.04 + Victoria cloud deployed with OSA.
Despite the fact that I use openid, shibboleth seems to be involved and I had to add "ShibCompatValidUser On" directive to the file "/etc/apache2/conf- available/shib.conf", by hand in the keystone lxc container, in order to successfully authenticate ("valid user: granted" an not "valid user: denied" in apache log file).
Has anyone already experienced this use case ?
Thanks and best regards, Jean-Francois