Hi Jonathan,
I cherry-picked the patch on the os_keystone role installed by OSA 21.2.2 and it works. Thanks!
Jean-Francois
-----Original Message-----
From: Jonathan Rosser <jonathan.rosser@rd.bbc.co.uk>
Sent: Wednesday, 3 February 2021 19:27
To: openstack-discuss@lists.openstack.org
Subject: Re: [KEYSTONE][FEDERATION] Groups mapping problem when using keycloak as IDP
Hi Jean-Francois,
I made a patch to the openstack-ansible keystone role which will hopefully address this. It would be really helpful if you are able to test the patch and provide some feedback.
https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/773978
Regards,
Jonathan.

On 03/02/2021 10:03, Taltavull Jean-Francois wrote:
Hello,
Actually, the solution is to add this line to the Apache configuration: OIDCClaimDelimiter ";"
The problem is that this configuration variable does not exist in the OSA keystone role and its apache configuration template (https://opendev.org/openstack/openstack-ansible-os_keystone/src/branch/master/templates/keystone-httpd.conf.j2).
Jean-Francois
-----Original Message-----
From: Taltavull Jean-Francois
Sent: Monday, 1 February 2021 14:44
To: openstack-discuss@lists.openstack.org
Subject: [KEYSTONE][FEDERATION] Groups mapping problem when using keycloak as IDP
Hello,
In order to implement identity federation, I've deployed (with OSA) keystone (Ussuri) as Service Provider and Keycloak as IDP.
As one can read at [1], "groups" can have multiple values and each value must be separated by a ";"
But, in the OpenID token sent by keycloak, groups are represented with a JSON list and keystone fails to parse it well (only the first group of the list is mapped).
Have any of you already faced this problem?
Thanks!
Jean-François
[1] https://docs.openstack.org/keystone/ussuri/admin/federation/mapping_combinations.html
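The following is an added example, not code from this thread, from keystone or from mod_auth_openidc. It models in simplified form the two halves of the problem described in the 1 February message and the fix given in the 3 February message: mod_auth_openidc flattens a list-valued claim into one string joined with OIDCClaimDelimiter (assumed default ","), and keystone's mapping engine expects the "groups" attribute as a ";"-separated string per the mapping documentation cited at [1]. The token, the claim names and the group names are constructed sample data; the two helper functions are a deliberately reduced model, not the real implementations.

```python
"""Added example: why a JSON-list "groups" claim needs OIDCClaimDelimiter ";".

Assumptions (labelled, not taken from keystone or mod_auth_openidc source):
  * mod_auth_openidc passes each claim to the application as one
    OIDC-<claim> variable and joins list values with OIDCClaimDelimiter,
    whose default is assumed to be ",".
  * keystone's mapping engine reads a multi-valued "groups" attribute as a
    single string separated by ";" (as the mapping docs describe).
"""
import json

# Constructed sample: the relevant claims of an ID token issued by Keycloak,
# with "groups" as a JSON list rather than a ";"-separated string.
SAMPLE_TOKEN = json.loads('''
{
  "sub": "f:1234:jfrancois",
  "preferred_username": "jfrancois",
  "email": "jfrancois@example.org",
  "groups": ["openstack-admins", "openstack-users", "project-x"]
}
''')


def flatten_claims(token: dict, delimiter: str = ",") -> dict:
    """Simplified model of mod_auth_openidc handing claims to keystone.

    Every claim becomes one OIDC-<claim> variable; list-valued claims are
    joined with `delimiter`, which is what OIDCClaimDelimiter controls.
    """
    env = {}
    for name, value in token.items():
        if isinstance(value, list):
            value = delimiter.join(str(v) for v in value)
        env["OIDC-" + name] = str(value)
    return env


def keystone_groups(env: dict, remote_attr: str = "OIDC-groups") -> list:
    """Simplified model of keystone reading the "groups" remote attribute.

    A multi-valued "groups" attribute is one string whose values are
    separated by ";", so that is the only separator honoured here.
    """
    raw = env.get(remote_attr, "")
    return [g.strip() for g in raw.split(";") if g.strip()]


def map_groups(token: dict, delimiter: str = ",") -> list:
    """End to end: Keycloak token -> Apache variables -> keystone group names."""
    return keystone_groups(flatten_claims(token, delimiter))


if __name__ == "__main__":
    # With the default delimiter the three names reach keystone as one
    # ","-joined string that never splits, so three groups cannot be mapped.
    print(map_groups(SAMPLE_TOKEN))
    # With OIDCClaimDelimiter ";" keystone recovers all three groups.
    print(map_groups(SAMPLE_TOKEN, ";"))
```

The model only changes the delimiter used when the list is flattened; everything on the keystone side stays the same, which is why a one-line Apache directive (and hence a template change in the os_keystone role) is enough to fix the mapping.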