[KEYSTONE][FEDERATION] Groups mapping problem when using keycloak as IDP

Taltavull Jean-Francois jean-francois.taltavull at elca.ch
Mon Feb 8 13:44:26 UTC 2021


Hi Jonathan,

I cherry-picked the patch on the os_keystone role installed by OSA 21.2.2 and it works.

Thanks!

Jean-Francois

> -----Original Message-----
> From: Jonathan Rosser <jonathan.rosser at rd.bbc.co.uk>
> Sent: Wednesday, 3 February 2021 19:27
> To: openstack-discuss at lists.openstack.org
> Subject: Re: [KEYSTONE][FEDERATION] Groups mapping problem when using
> keycloak as IDP
> 
> Hi Jean-Francois,
> 
> I made a patch to the openstack-ansible keystone role which will hopefully
> address this. It would be really helpful if you are able to test the patch and
> provide some feedback.
> 
> https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/773978
> 
> Regards,
> Jonathan.
> 
> On 03/02/2021 10:03, Taltavull Jean-Francois wrote:
> > Hello,
> >
> > Actually, the solution is to add this line to Apache configuration:
> > OIDCClaimDelimiter ";"
> >
> > The problem is that this configuration variable does not exist in the OSA keystone
> > role and its apache configuration template
> > (https://opendev.org/openstack/openstack-ansible-os_keystone/src/branch/master/templates/keystone-httpd.conf.j2).
> >
> >
> > Jean-Francois
> >
> >> -----Original Message-----
> >> From: Taltavull Jean-Francois
> >> Sent: Monday, 1 February 2021 14:44
> >> To: openstack-discuss at lists.openstack.org
> >> Subject: [KEYSTONE][FEDERATION] Groups mapping problem when using
> >> keycloak as IDP
> >>
> >> Hello,
> >>
> >> In order to implement identity federation, I've deployed (with OSA)
> >> keystone (Ussuri) as Service Provider and Keycloak as IDP.
> >>
> >> As one can read at [1], "groups" can have multiple values and each
> >> value must be separated by a ";".
> >>
> >> But, in the OpenID token sent by keycloak, groups are represented
> >> with a JSON list and keystone fails to parse it well (only the first group of the
> >> list is mapped).
> >>
> >> Have any of you already faced this problem?
> >>
> >> Thanks!
> >>
> >> Jean-François
> >>
> >> [1] https://docs.openstack.org/keystone/ussuri/admin/federation/mapping_combinations.html
> >
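The delimiter mismatch discussed in this thread, as an added illustration that is not code from the thread, from keystone or from mod_auth_openidc: a small model of how mod_auth_openidc flattens a list-valued "groups" claim into one environment variable using OIDCClaimDelimiter (default ","), and how a keystone mapping rule then splits that remote attribute on ";". The claims and group names are constructed sample data; the function names are my own.

```python
import json

# Constructed sample: the ID token claims as Keycloak sends them, with
# "groups" encoded as a JSON list rather than a delimited string.
SAMPLE_CLAIMS = json.loads(
    '{"sub": "jf", "email": "jf@example.org",'
    ' "groups": ["cloud-admins", "cloud-users"]}'
)


def flatten_claims(claims, delimiter=",", prefix="OIDC_CLAIM_"):
    """Model of how mod_auth_openidc hands claims to keystone: every claim
    becomes a <prefix><name> environment variable, and a list-valued claim
    is joined into a single string using OIDCClaimDelimiter (default ",")."""
    env = {}
    for name, value in claims.items():
        if isinstance(value, list):
            value = delimiter.join(str(v) for v in value)
        env[prefix + name] = str(value)
    return env


def keystone_groups(env, remote_attr="OIDC_CLAIM_groups"):
    """Model of the documented keystone mapping behaviour for a 'groups'
    remote attribute: the value is a ';'-separated list of group names."""
    raw = env.get(remote_attr, "")
    return [g for g in raw.split(";") if g]


def mapped_groups(claims, delimiter):
    """Groups keystone ends up with for a given OIDCClaimDelimiter setting."""
    return keystone_groups(flatten_claims(claims, delimiter))


if __name__ == "__main__":
    # Default delimiter: keystone sees one bogus group named "cloud-admins,cloud-users".
    print("OIDCClaimDelimiter ',' ->", mapped_groups(SAMPLE_CLAIMS, ","))
    # With OIDCClaimDelimiter ";" the two groups are split as keystone expects.
    print("OIDCClaimDelimiter ';' ->", mapped_groups(SAMPLE_CLAIMS, ";"))
```

The mapping side is only as good as the delimiter choice: any group name that itself contains ";" would also be split, so pick group names with that in mind.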


