[KEYSTONE][FEDERATION] Groups mapping problem when using keycloak as IDP
jonathan.rosser at rd.bbc.co.uk
Wed Feb 3 18:27:12 UTC 2021
I made a patch to the openstack-ansible keystone role which will
hopefully address this. It would be really helpful if you are able to
test the patch and provide some feedback.
On 03/02/2021 10:03, Taltavull Jean-Francois wrote:
> Actually, the solution is to add this line to Apache configuration:
> OIDCClaimDelimiter ";"
> The problem is that this configuration variable does not exist in OSA keystone role and its apache configuration template (https://opendev.org/openstack/openstack-ansible-os_keystone/src/branch/master/templates/keystone-httpd.conf.j2).
>> -----Original Message-----
>> From: Taltavull Jean-Francois
>> Sent: lundi, 1 février 2021 14:44
>> To: openstack-discuss at lists.openstack.org
>> Subject: [KEYSTONE][FEDERATION] Groups mapping problem when using
>> keycloak as IDP
>> In order to implement identity federation, I've deployed (with OSA) keystone
>> (Ussuri) as Service Provider and Keycloak as IDP.
>> As one can read at , "groups" can have multiple values and each value must
>> be separated by a ";"
>> But, in the OpenID token sent by keycloak, groups are represented with a JSON
>> list and keystone fails to parse it well (only the first group of the list is mapped).
>> Have any of you already faced this problem?
>> Thanks!
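As an added illustration (not code from this thread, the OSA role, or mod_auth_openidc) of why the claim delimiter matters: the simulation below takes a Keycloak-style "groups" claim that is a JSON list, flattens it into an OIDC_CLAIM_groups-style environment value the way an Apache OIDC module hands claims to the application (joining multiple values with a configurable delimiter, "," assumed as the default here), and then applies the ";"-splitting the Service Provider expects for multi-valued groups, as described in the thread. The claim values, the flattening step and the splitting helper are all constructed assumptions for this example; the point shown is that unless the module's delimiter and the consumer's delimiter agree, the list collapses into a single group name and the remaining groups are lost.

```python
import json

# Constructed sample: the "groups" claim as an IdP like Keycloak emits it in
# the ID token, i.e. a JSON list rather than a delimited string.
SAMPLE_ID_TOKEN = json.dumps({
    "sub": "example-user",
    "preferred_username": "jdoe",
    "groups": ["openstack-admins", "project-alpha", "project-beta"],
})


def flatten_claims(id_token_json, delimiter=","):
    """Assumption for this illustration: mimic how an Apache OIDC module
    exposes token claims to the application as OIDC_CLAIM_* environment
    variables, joining a multi-valued claim into one string with the
    configured delimiter ("," taken as the default)."""
    claims = json.loads(id_token_json)
    env = {}
    for name, value in claims.items():
        if isinstance(value, list):
            env["OIDC_CLAIM_" + name] = delimiter.join(str(v) for v in value)
        else:
            env["OIDC_CLAIM_" + name] = str(value)
    return env


def groups_seen_by_sp(env, remote_attr="OIDC_CLAIM_groups"):
    """Simulated Service Provider side: a multi-valued 'groups' attribute is
    expected as ';'-separated values, so the raw string is split on ';'."""
    raw = env.get(remote_attr, "")
    return [g for g in raw.split(";") if g]


def compare_delimiters(id_token_json=SAMPLE_ID_TOKEN):
    """Return the groups the SP would see with the assumed default delimiter
    and with OIDCClaimDelimiter ";" as suggested in the thread."""
    default_env = flatten_claims(id_token_json)            # delimiter ","
    fixed_env = flatten_claims(id_token_json, delimiter=";")  # delimiter ";"
    return {
        "default_delimiter": groups_seen_by_sp(default_env),
        "semicolon_delimiter": groups_seen_by_sp(fixed_env),
    }


if __name__ == "__main__":
    for setting, groups in compare_delimiters().items():
        print(f"{setting}: {len(groups)} group(s) -> {groups}")
```

With the default delimiter the SP receives one group literally named "openstack-admins,project-alpha,project-beta", which matches nothing in the mapping rules; with ";" it receives the three separate groups, which is the behaviour the OIDCClaimDelimiter ";" setting is meant to restore.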