[KEYSTONE][FEDERATION] Groups mapping problem when using keycloak as IDP

Taltavull Jean-Francois jean-francois.taltavull at elca.ch
Wed Feb 3 10:03:53 UTC 2021


Actually, the solution is to add this line to the Apache configuration:
OIDCClaimDelimiter ";"

The problem is that this configuration variable does not exist in the OSA keystone role or its Apache configuration template (https://opendev.org/openstack/openstack-ansible-os_keystone/src/branch/master/templates/keystone-httpd.conf.j2).


> -----Original Message-----
> From: Taltavull Jean-Francois
> Sent: Monday, 1 February 2021 14:44
> To: openstack-discuss at lists.openstack.org
> Subject: [KEYSTONE][FEDERATION] Groups mapping problem when using keycloak as IDP
> Hello,
> In order to implement identity federation, I've deployed (with OSA) keystone
> (Ussuri) as Service Provider and Keycloak as IDP.
> As one can read at [1], "groups" can have multiple values and each value must
> be separated by a ";"
> But, in the OpenID token sent by keycloak, groups are represented with a JSON
> list and keystone fails to parse it well (only the first group of the list is mapped).
> Have any of you already faced this problem?
> Thanks!
> Jean-François
> [1] https://docs.openstack.org/keystone/ussuri/admin/federation/mapping_combinations.html
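The claim handoff described in this thread, modelled as an added example (this is not code from mod_auth_openidc, keystone or openstack-ansible): the proxy flattens Keycloak's JSON list of groups into one header value joined by the delimiter that OIDCClaimDelimiter sets (mod_auth_openidc's default is ","), and keystone's mapping splits the remote "groups" attribute on ";" as the mapping docs describe. The token contents and group names are constructed.

```python
"""Constructed emulation of how a multi-valued "groups" claim travels from the
OIDC proxy into keystone's mapping engine. Not the real implementation of either."""
import json

# Constructed sample of the relevant part of a Keycloak ID token: groups is a JSON list.
KEYCLOAK_TOKEN = json.loads(
    '{"sub": "jf", "groups": ["openstack-admins", "project-devs", "viewers"]}'
)

# keystone expects multi-valued remote attributes to be joined with ";" (see [1]).
KEYSTONE_GROUP_SEPARATOR = ";"


def flatten_claims(token: dict, delimiter: str = ",") -> dict:
    """Emulate the proxy: every claim becomes an OIDC_CLAIM_<name> value and
    list-valued claims are joined with the configured delimiter (OIDCClaimDelimiter)."""
    env = {}
    for name, value in token.items():
        if isinstance(value, list):
            value = delimiter.join(str(v) for v in value)
        env[f"OIDC_CLAIM_{name}"] = str(value)
    return env


def keystone_mapped_groups(env: dict, remote_attr: str = "OIDC_CLAIM_groups") -> list:
    """Emulate a mapping whose remote rule reads OIDC_CLAIM_groups into the local
    'groups' rule: the raw value is split on ";" and empty pieces are dropped."""
    raw = env.get(remote_attr, "")
    return [g for g in raw.split(KEYSTONE_GROUP_SEPARATOR) if g]


def mapped_groups_for(delimiter: str) -> list:
    """End to end: flatten with the given OIDCClaimDelimiter, then map in keystone."""
    return keystone_mapped_groups(flatten_claims(KEYCLOAK_TOKEN, delimiter))


if __name__ == "__main__":
    # Default delimiter: keystone cannot split the value on ";", so the three
    # intended groups do not map as three groups.
    print(mapped_groups_for(","))  # ['openstack-admins,project-devs,viewers']
    # With OIDCClaimDelimiter ";" each group maps individually.
    print(mapped_groups_for(";"))  # ['openstack-admins', 'project-devs', 'viewers']
```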
