[openstack-ansible] Keystone federation with OpenID needs shibboleth
jonathan.rosser at rd.bbc.co.uk
Wed May 5 15:56:37 UTC 2021
I have a similar deployment of Victoria on Ubuntu 18.04 using OIDC .
On Ubuntu 18.04 libapache2-mod-auth-openidc and libapache2-mod-shib2
can't be co-installed as they require conflicting versions of libcurl -
see the workaround here
For Ubuntu 20.04 these packages are co-installable so whenever keystone
is configured to be a SP both are installed, as here
A starting point would be checking what you've got
keystone_sp.apache_mod set to in your config, as this drives how the
apache config is constructed, here
In particular, if keystone_sp.apache_mod is undefined in your config,
the defaults assume mod_shib is required.
You can also join us in the IRC channel #openstack-ansible we can debug
On 05/05/2021 16:26, Taltavull Jean-Francois wrote:
> Hi All,
> I'm trying to make keystone federation with openid connect work on an Ubuntu 20.04 + Victoria cloud deployed with OSA.
> Despite the fact that I use openid, shibboleth seems to be involved and I had to add "ShibCompatValidUser On" directive to the file "/etc/apache2/conf-available/shib.conf", by hand in the keystone lxc container, in order to successfully authenticate ("valid user: granted" an not "valid user: denied" in apache log file).
> Has anyone already experienced this use case ?
> Thanks and best regards,
More information about the openstack-discuss