[puppet] Configure openid with Keycloak IdP in Keystone
Hello, this is a bit of a long shot, but maybe some of you successfully configured OpenStack to use Keycloak as an Identity Provider so we can use Single Sign-On on Horizon.

To install and configure OpenStack Keystone I am using the 'stable/xena' version of https://github.com/openstack/puppet-keystone . Likewise for Horizon. So far so good.

I would like to enable openid in Keystone so I can have Single Sign-On via Horizon. I am pretty much following the official docs: https://docs.openstack.org/keystone/latest/admin/federation/configure_federa... with the help of the puppet module.

To do it I included the class:

  include ::keystone::federation::openidc

And configured some hiera variables:

  keystone::federation::openidc::keystone_url: "https://openstackdev.loadbalancer:5000"
  keystone::federation::openidc::methods: 'password,token,oauth1,mapped,openid'
  keystone::federation::openidc::idp_name: 'keycloak'
  keystone::federation::openidc::openidc_provider_metadata_url: 'https://keycloak_server/auth/realms/BBP/.well-known/openid-configuration'
  keystone::federation::openidc::openidc_client_id: 'a_keycloak_client'
  keystone::federation::openidc::openidc_client_secret: <redacted>
  keystone::federation::openidc::openidc_crypto_passphrase: <redacted>
  keystone::federation::openidc::remote_id_attribute: 'HTTP_OIDC_ISS'

And this is the resulting relevant configuration in /etc/httpd/conf.d/10-keystone_wsgi.conf:

  [...]
  OIDCClaimPrefix "OIDC-"
  OIDCResponseType "id_token"
  OIDCScope "openid email profile"
  OIDCProviderMetadataURL "https://keycloak_server/auth/realms/BBP/.well-known/openid-configuration"
  OIDCClientID "a_keycloak_client"
  OIDCClientSecret <redacted>
  OIDCCryptoPassphrase <redacted>
  # The following directives are necessary to support websso from Horizon
  # (Per https://docs.openstack.org/keystone/pike/advanced-topics/federation/websso.h...)
  OIDCRedirectURI "https://openstackdev.loadbalancer:5000/v3/auth/OS-FEDERATION/identity_provid..."
  OIDCRedirectURI "https://openstackdev.loadbalancer:5000/v3/auth/OS-FEDERATION/websso/openid"
  <LocationMatch "/v3/auth/OS-FEDERATION/websso/openid">
    AuthType "openid-connect"
    Require valid-user
  </LocationMatch>
  <LocationMatch "/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso">
    AuthType "openid-connect"
    Require valid-user
  </LocationMatch>

But unfortunately this does not work. First of all, the OIDCRedirectURIs the module sets point to valid URLs with content. So I manually changed them to:

  OIDCRedirectURI "https://openstackdev.loadbalancer:5000/v3/auth/OS-FEDERATION/identity_provid..."
  OIDCRedirectURI "https://openstackdev.loadbalancer:5000/v3/auth/OS-FEDERATION/websso/openid/r..."

After changing that, I now get redirected to the Keycloak login page and I am able to enter my username and password; after the login is done I get redirected to:

  https://openstackdev.loadbalancer:5000/v3/auth/OS-FEDERATION/websso/openid?origin=https://openstackdev.loadbalancer/dashboard/auth/websso/

and it shows the following error:

  error code 404
  message "Could not find Identity Provider: https://keycloak_server/auth/realms/BBP."
  title "Not Found"

And in /var/log/keystone/keystone.log:

  {
    "message": "Could not find Identity Provider: https://keycloak_server/auth/realms/BBP.",
    "asctime": "2022-11-16 16:24:56",
    "name": "keystone.server.flask.application",
    "msg": "Could not find Identity Provider: https://keycloak_server/auth/realms/BBP.",
    "args": [],
    "levelname": "WARNING",
    "levelno": 30,
    "pathname": "/usr/lib/python3.6/site-packages/keystone/server/flask/application.py",
    "filename": "application.py",
    "module": "application",
    "lineno": 87,
    "funcname": "_handle_keystone_exception",
    "created": 1668612296.6284614,
    "msecs": 628.4613609313965,
    "relative_created": 32117.148637771606,
    "thread": 140579135473408,
    "thread_name": "Dummy-1",
    "process_name": "MainProcess",
    "process": 3051629,
    "traceback": null,
    "hostname": "bbpcb030.bbp.epfl.ch",
    "error_summary": "keystone.exception.IdentityProviderNotFound: Could not find Identity Provider: https://keycloak_server/auth/realms/BBP.",
    "context": {
      "user_name": null, "project_name": null, "domain_name": null, "user_domain_name": null, "project_domain_name": null,
      "user": null, "tenant": null, "system_scope": null, "project": null, "domain": null, "user_domain": null, "project_domain": null,
      "is_admin": false, "read_only": false, "show_deleted": false, "auth_token": null,
      "request_id": "req-5187f72d-cb4b-470f-9635-6c05565707eb", "global_request_id": null, "resource_uuid": null,
      "roles": [], "user_identity": "- - - - -", "is_admin_project": true
    },
    "extra": {"project": null, "version": "unknown"}
  }

And this is how I configured the identity provider, mapping and federation protocol.

  # openstack identity provider show keycloak
  +-------------------+-----------------------------------------+
  | Field             | Value                                   |
  +-------------------+-----------------------------------------+
  | authorization_ttl | None                                    |
  | description       | None                                    |
  | domain_id         | 96a75a2b29b5411497a9971c14a2167c        |
  | enabled           | True                                    |
  | id                | keycloak                                |
  | remote_ids        | https://keycloak_server/auth/realms/BBP |
  +-------------------+-----------------------------------------+

  # openstack mapping show openid_mapping
  +-------+----------------------------------------------------------------------------------------------------------------------------------------------------------------+
  | Field | Value                                                                                                                                                          |
  +-------+----------------------------------------------------------------------------------------------------------------------------------------------------------------+
  | id    | openid_mapping                                                                                                                                                 |
  | rules | [{'local': [{'user': {'name': '{0}'}, 'group': {'domain': {'name': 'Default'}, 'name': 'federated_users'}}], 'remote': [{'type': 'OIDC-preferred_username'}]}] |
  +-------+----------------------------------------------------------------------------------------------------------------------------------------------------------------+

  # openstack federation protocol show --identity-provider keycloak openid
  +---------+----------------+
  | Field   | Value          |
  +---------+----------------+
  | id      | openid         |
  | mapping | openid_mapping |
  +---------+----------------+

Can someone please give me a hand with this?

Thank you very much,
Daniel.
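The post wires together four things: the remote_id_attribute (HTTP_OIDC_ISS) that mod_auth_openidc sets from the token's issuer, the identity provider's remote_ids, the protocol, and the mapping rules. The script below is an added example, not Keystone's code and not part of the original message: it re-implements, in simplified form, the two steps Keystone's mapped/openid authentication performs on a federated request, namely looking up an identity provider whose remote_ids contains the exact value of the remote_id_attribute (when none matches, Keystone raises IdentityProviderNotFound, the exception visible in the log line above) and rendering the mapping rule against the OIDC- prefixed claims. The identity provider, mapping rules and the WSGI environ are constructed from the values in the post; the claim values ("daniel", the e-mail address) and the helper names are assumptions for illustration.

```python
"""Simplified re-implementation (added example, not Keystone's code) of how
Keystone resolves an identity provider and applies a mapping for a federated
OpenID Connect request. Direct-mapping rules ({0}, {1}, ...) and the common
'any_one_of' filter are supported; the real engine handles more."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any, Dict, List, Optional


class IdentityProviderNotFound(Exception):
    """Mirrors keystone.exception.IdentityProviderNotFound (HTTP 404)."""


@dataclass
class IdentityProvider:
    id: str
    remote_ids: List[str]
    enabled: bool = True


# Registry as "openstack identity provider show keycloak" displays it in the post.
IDENTITY_PROVIDERS = [
    IdentityProvider(id="keycloak",
                     remote_ids=["https://keycloak_server/auth/realms/BBP"]),
]

# The mapping rules of "openstack mapping show openid_mapping" from the post.
MAPPING_RULES = [{
    'local': [{'user': {'name': '{0}'},
               'group': {'domain': {'name': 'Default'}, 'name': 'federated_users'}}],
    'remote': [{'type': 'OIDC-preferred_username'}],
}]

# keystone::federation::openidc::remote_id_attribute from the post.
REMOTE_ID_ATTRIBUTE = "HTTP_OIDC_ISS"

# Constructed WSGI environ, as mod_auth_openidc populates it with
# OIDCClaimPrefix "OIDC-" (the claim values are invented sample data).
SAMPLE_ENVIRON = {
    "HTTP_OIDC_ISS": "https://keycloak_server/auth/realms/BBP",
    "OIDC-preferred_username": "daniel",
    "OIDC-email": "daniel@example.invalid",
}


def find_identity_provider(environ: Dict[str, str],
                           remote_id_attribute: str = REMOTE_ID_ATTRIBUTE) -> IdentityProvider:
    """Match the remote id character for character against every registered remote_ids entry."""
    remote_id = environ.get(remote_id_attribute)
    if remote_id is None:
        raise IdentityProviderNotFound(
            f"{remote_id_attribute} is not present in the request environment.")
    for idp in IDENTITY_PROVIDERS:
        if idp.enabled and remote_id in idp.remote_ids:
            return idp
    # Same wording as the 404 body and the keystone.log record in the post.
    raise IdentityProviderNotFound(f"Could not find Identity Provider: {remote_id}.")


def _render(node: Any, values: List[str]) -> Any:
    """Substitute {0}, {1}, ... in every string of the 'local' block."""
    if isinstance(node, dict):
        return {k: _render(v, values) for k, v in node.items()}
    if isinstance(node, list):
        return [_render(v, values) for v in node]
    if isinstance(node, str):
        return node.format(*values)
    return node


def apply_mapping(rules: List[dict], environ: Dict[str, str]) -> Optional[List[dict]]:
    """Return the rendered 'local' block of the first rule whose 'remote' requirements all match."""
    for rule in rules:
        values: List[str] = []
        for requirement in rule['remote']:
            value = environ.get(requirement['type'])
            if value is None:
                break                      # claim absent: rule does not apply
            if 'any_one_of' in requirement and value not in requirement['any_one_of']:
                break                      # claim present but not an allowed value
            values.append(value)
        else:
            return _render(rule['local'], values)
    return None                            # no rule matched: Keystone would reject the login


def federated_login(environ: Dict[str, str]) -> dict:
    """The two steps in order: resolve the IdP from the issuer, then map the claims."""
    idp = find_identity_provider(environ)
    local = apply_mapping(MAPPING_RULES, environ)
    if local is None:
        raise ValueError("no mapping rule matched the presented claims")
    return {"identity_provider": idp.id, "local": local}


def lookup_error(environ: Dict[str, str]) -> Optional[str]:
    """Helper for checks: the IdentityProviderNotFound message, or None when lookup succeeds."""
    try:
        find_identity_provider(environ)
        return None
    except IdentityProviderNotFound as exc:
        return str(exc)


if __name__ == "__main__":
    print(federated_login(SAMPLE_ENVIRON))
    # A trailing slash is enough to miss the exact-match lookup.
    print(lookup_error({**SAMPLE_ENVIRON,
                        "HTTP_OIDC_ISS": "https://keycloak_server/auth/realms/BBP/"}))
```

Running it prints the mapped user "daniel" in group federated_users for the matching issuer, and the "Could not find Identity Provider" message for an issuer that differs from the registered remote_id by a single character, which is why comparing the value Apache actually passes in HTTP_OIDC_ISS with the remote_ids column is the first check to run when this 404 appears.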
participants (1)
-
Fernandez Rodriguez Daniel