[openstack-ansible] Keystone federation with OpenID needs shibboleth

Jonathan Rosser jonathan.rosser at rd.bbc.co.uk
Wed May 5 15:56:37 UTC 2021

Hi Jean-Francois,

I have a similar deployment of Victoria on Ubuntu 18.04 using OIDC .

On Ubuntu 18.04 libapache2-mod-auth-openidc and libapache2-mod-shib2 
can't be co-installed as they require conflicting versions of libcurl - 
see the workaround here 

For Ubuntu 20.04 these packages are co-installable so whenever keystone 
is configured to be a SP both are installed, as here 

A starting point would be checking what you've got 
keystone_sp.apache_mod set to in your config, as this drives how the 
apache config is constructed, here 

In particular, if keystone_sp.apache_mod is undefined in your config, 
the defaults assume mod_shib is required.

You can also join us in the IRC channel #openstack-ansible we can debug 


On 05/05/2021 16:26, Taltavull Jean-Francois wrote:
> Hi All,
> I'm trying to make keystone federation with openid connect work on an Ubuntu 20.04 + Victoria cloud deployed with OSA.
> Despite the fact that I use openid, shibboleth seems to be involved and I had to add "ShibCompatValidUser On" directive to the file "/etc/apache2/conf-available/shib.conf", by hand in the keystone lxc container, in order to successfully authenticate ("valid user: granted" an not "valid user: denied" in apache log file).
> Has anyone already experienced this use case ?
> Thanks and best regards,
> Jean-Francois

More information about the openstack-discuss mailing list