<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;" dir="ltr">
<p>Hello,</p>
<p><br>
</p>
<p>This is a bit of a long shot, but maybe some of you have successfully configured OpenStack to use Keycloak as an Identity Provider so we can use Single Sign-On on Horizon.<br>
</p>
<p><br>
</p>
<p><span>To install and configure OpenStack Keystone</span> I am using 'stable/xena' version of the
<a href="https://github.com/openstack/puppet-keystone" class="OWAAutoLink" id="LPlnk623022" previewremoved="true">
https://github.com/openstack/puppet-keystone</a> . Likewise for Horizon. So far so good.</p>
<p><br>
</p>
<p>I would like to enable <span>openid</span> in <span>Keystone</span> so I can have Single Sign-On via Horizon.</p>
<p><br>
</p>
<p>I am pretty much following the official docs: <a href="https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html" class="OWAAutoLink" id="LPlnk773905" previewremoved="true">
https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html</a> with the help of the puppet module.<br>
</p>
<p><br>
</p>
<p>To do it I included the class:</p>
<p><br>
</p>
<p><span style="font-family: Consolas, Courier, monospace;">include ::keystone::federation::openidc</span></p>
<p></p>
<div><br>
</div>
<div>And configured some hiera variables:</div>
<div><br>
</div>
<div><span style="font-family: Consolas, Courier, monospace;">keystone::federation::openidc::keystone_url: "https://</span><span style="font-family: Consolas, Courier, monospace;">openstackdev.loadbalancer</span><span style="font-family: Consolas, Courier, monospace;">:5000"</span><br>
<span style="font-family: Consolas, Courier, monospace;">keystone::federation::openidc::methods: 'password,token,oauth1,mapped,openid'</span><br>
<span style="font-family: Consolas, Courier, monospace;">keystone::federation::openidc::idp_name: 'keycloak'</span><br>
<span style="font-family: Consolas, Courier, monospace;">keystone::federation::openidc::openidc_provider_metadata_url: 'https://keycloak_server/auth/realms/BBP/.well-known/openid-configuration'</span><br>
<span style="font-family: Consolas, Courier, monospace;">keystone::federation::openidc::openidc_client_id: 'a_keycloak_client'</span></div>
<div><span><span style="font-family: Consolas, Courier, monospace;">keystone::federation::openidc::openidc_client_secret</span><span style="font-family: Consolas, Courier, monospace;">: &lt;redacted&gt;</span><br>
</span></div>
<div><span style="font-family: Consolas, Courier, monospace;">keystone::federation::openidc::openidc_crypto_passphrase</span><span style="font-family: Consolas, Courier, monospace;">: &lt;redacted&gt;</span><br>
<span style="font-family: Consolas, Courier, monospace;">keystone::federation::openidc::remote_id_attribute: 'HTTP_OIDC_ISS'</span></div>
<div><br>
</div>
<div>And this is the resulting relevant configuration in <span>/etc/httpd/conf.d/10-keystone_wsgi.conf</span></div>
<div><br>
</div>
<div>
<div><span style="font-family: Consolas, Courier, monospace;"> [...]<br>
</span></div>
<div><span style="font-family: Consolas, Courier, monospace;"> OIDCClaimPrefix "OIDC-"</span><br>
<span style="font-family: Consolas, Courier, monospace;"> OIDCResponseType "id_token"</span><br>
<span style="font-family: Consolas, Courier, monospace;"> OIDCScope "openid email profile"</span><br>
<span style="font-family: Consolas, Courier, monospace;"> OIDCProviderMetadataURL "https://</span><span style="font-family: Consolas, Courier, monospace;">keycloak_server</span><span style="font-family: Consolas, Courier, monospace;">/auth/realms/BBP/.well-known/openid-configuration"</span><br>
<span style="font-family: Consolas, Courier, monospace;"> OIDCClientID "<span style="font-family: Consolas, Courier, monospace;">a_keycloak_client</span>"</span><br>
<span style="font-family: Consolas, Courier, monospace;"> OIDCClientSecret &lt;redacted&gt;</span><br>
<span style="font-family: Consolas, Courier, monospace;"> OIDCCryptoPassphrase &lt;redacted&gt;</span><br>
<br>
<br>
<span style="font-family: Consolas, Courier, monospace;"> # The following directives are necessary to support websso from Horizon</span><br>
<span style="font-family: Consolas, Courier, monospace;"> # (Per https://docs.openstack.org/keystone/pike/advanced-topics/federation/websso.html)</span><br>
<span style="font-family: Consolas, Courier, monospace;"> OIDCRedirectURI "https://</span><span><span style="font-family: Consolas, Courier, monospace;">openstackdev.loadbalancer</span></span><span style="font-family: Consolas, Courier, monospace;">:5000/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso"</span><br>
<span style="font-family: Consolas, Courier, monospace;"> OIDCRedirectURI "https://</span><span style="font-family: Consolas, Courier, monospace;">openstackdev.loadbalancer</span><span style="font-family: Consolas, Courier, monospace;">:5000/v3/auth/OS-FEDERATION/websso/openid"</span><br>
<br>
<span style="font-family: Consolas, Courier, monospace;"> <LocationMatch "/v3/auth/OS-FEDERATION/websso/openid"></span><br>
<span style="font-family: Consolas, Courier, monospace;"> AuthType "openid-connect"</span><br>
<span style="font-family: Consolas, Courier, monospace;"> Require valid-user</span><br>
<span style="font-family: Consolas, Courier, monospace;"> </LocationMatch></span><br>
<br>
<span style="font-family: Consolas, Courier, monospace;"> <LocationMatch "/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso"></span><br>
<span style="font-family: Consolas, Courier, monospace;"> AuthType "openid-connect"</span><br>
<span style="font-family: Consolas, Courier, monospace;"> Require valid-user</span><br>
<span style="font-family: Consolas, Courier, monospace;"> </LocationMatch></span><br>
</div>
<div>------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br>
</div>
</div>
<div><br>
</div>
<div>But unfortunately this does not work. First of all, the <span>OIDCRedirectURI</span> entries the module sets point to valid URLs with content.</div>
<div>So I manually changed them to:</div>
<div><br>
</div>
<div>
<div><span style="font-family: Consolas, Courier, monospace;"> OIDCRedirectURI "https://</span><span><span style="font-family: Consolas, Courier, monospace;">openstackdev.loadbalancer</span></span><span style="font-family: Consolas, Courier, monospace;">:5000/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso/redirect_url"</span><br>
<span style="font-family: Consolas, Courier, monospace;"> OIDCRedirectURI "https://</span><span><span><span style="font-family: Consolas, Courier, monospace;">openstackdev.loadbalancer</span></span></span><span style="font-family: Consolas, Courier, monospace;">:5000/v3/auth/OS-FEDERATION/websso/openid/</span><span style="font-family: Consolas, Courier, monospace;">redirect_url</span><span style="font-family: Consolas, Courier, monospace;">"</span></div>
<div><br>
</div>
<div>After changing that, I now get redirected to the Keycloak login page and I am able to enter my username and password; after the login is done I get redirected to:
<a href="https://openstackdev.loadbalancer:5000/v3/auth/OS-FEDERATION/websso/openid?origin=https://openstackdev.loadbalancer/dashboard/auth/websso/" class="OWAAutoLink" id="LPlnk200804" previewremoved="true">https://openstackdev.loadbalancer:5000/v3/auth/OS-FEDERATION/websso/openid?origin=https://openstackdev.loadbalancer/dashboard/auth/websso/</a>
and it shows the following error:<br>
</div>
<br>
</div>
<div>
<div><span style="font-family: Consolas, Courier, monospace;">{</span><br>
<span style="font-family: Consolas, Courier, monospace;">&nbsp;&nbsp;"error": {</span><br>
<span style="font-family: Consolas, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;"code": 404,</span><br>
<span style="font-family: Consolas, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;"message": "Could not find Identity Provider: https://keycloak_server/auth/realms/BBP.",</span><br>
<span style="font-family: Consolas, Courier, monospace;">&nbsp;&nbsp;&nbsp;&nbsp;"title": "Not Found"</span><br>
<span style="font-family: Consolas, Courier, monospace;">&nbsp;&nbsp;}</span><br>
<span style="font-family: Consolas, Courier, monospace;">}</span></div>
<div><br>
</div>
And in: <span>/var/log/keystone/keystone.log</span><br>
</div>
<div><br>
</div>
<div>
<div><span style="font-family: Consolas, Courier, monospace;">{"message": "Could not find Identity Provider: https://</span><span style="font-family: Consolas, Courier, monospace;">keycloak_server</span><span style="font-family: Consolas, Courier, monospace;">/auth/realms/BBP.",
"asctime": "2022-11-16 16:24:56", "name": "keystone.server.flask.application", "msg": "Could not find Identity Provider: https://</span><span style="font-family: Consolas, Courier, monospace;">keycloak_server</span><span style="font-family: Consolas, Courier, monospace;">/auth/realms/BBP.",
"args": [], "levelname": "WARNING", "levelno": 30, "pathname": "/usr/lib/python3.6/site-packages/keystone/server/flask/application.py", "filename": "application.py", "module": "application", "lineno": 87, "funcname": "_handle_keystone_exception", "created":
1668612296.6284614, "msecs": 628.4613609313965, "relative_created": 32117.148637771606, "thread": 140579135473408, "thread_name": "Dummy-1", "process_name": "MainProcess", "process": 3051629, "traceback": null, "hostname": "bbpcb030.bbp.epfl.ch", "error_summary":
"keystone.exception.IdentityProviderNotFound: Could not find Identity Provider: https://</span><span style="font-family: Consolas, Courier, monospace;">keycloak_server</span><span style="font-family: Consolas, Courier, monospace;">/auth/realms/BBP.", "context":
{"user_name": null, "project_name": null, "domain_name": null, "user_domain_name": null, "project_domain_name": null, "user": null, "tenant": null, "system_scope": null, "project": null, "domain": null, "user_domain": null, "project_domain": null, "is_admin":
false, "read_only": false, "show_deleted": false, "auth_token": null, "request_id": "req-5187f72d-cb4b-470f-9635-6c05565707eb", "global_request_id": null, "resource_uuid": null, "roles": [], "user_identity": "- - - - -", "is_admin_project": true}, "extra":
{"project": null, "version": "unknown"}}</span><br>
<br>
</div>
<div>And this is how I configured the identity provider, mapping and federation protocol.</div>
<div><br>
</div>
<div>
<div><pre style="font-family: Consolas, Courier, monospace;"># openstack identity provider show keycloak
+-------------------+-----------------------------------------+
| Field             | Value                                   |
+-------------------+-----------------------------------------+
| authorization_ttl | None                                    |
| description       | None                                    |
| domain_id         | 96a75a2b29b5411497a9971c14a2167c        |
| enabled           | True                                    |
| id                | keycloak                                |
| remote_ids        | https://keycloak_server/auth/realms/BBP |
+-------------------+-----------------------------------------+
# openstack mapping show openid_mapping
+-------+----------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value                                                                                                                                                          |
+-------+----------------------------------------------------------------------------------------------------------------------------------------------------------------+
| id    | openid_mapping                                                                                                                                                 |
| rules | [{'local': [{'user': {'name': '{0}'}, 'group': {'domain': {'name': 'Default'}, 'name': 'federated_users'}}], 'remote': [{'type': 'OIDC-preferred_username'}]}] |
+-------+----------------------------------------------------------------------------------------------------------------------------------------------------------------+
# openstack federation protocol show --identity-provider keycloak openid
+---------+----------------+
| Field   | Value          |
+---------+----------------+
| id      | openid         |
| mapping | openid_mapping |
+---------+----------------+
</pre>
</div>
<div><br>
</div>
<div>Can someone please give me a hand with this?</div>
<div><br>
</div>
<div>Thank you very much,</div>
<div>Daniel.<br>
</div>
</div>
</div>
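<div><br>
</div>
<div>Added example, not part of Daniel's message and not code from Keystone or puppet-keystone: a small offline model of the two lookups Keystone performs on a websso request once mod_auth_openidc has authenticated the user. First it resolves the identity provider by comparing the value of the configured <span>remote_id_attribute</span> (<span>HTTP_OIDC_ISS</span>, the <span>OIDC-iss</span> header mod_auth_openidc sets from the ID token's <span>iss</span> claim, as it appears in the WSGI environment) against the provider's registered <span>remote_ids</span>; this is an exact string comparison. Then it evaluates the protocol's mapping rules over the <span>OIDC-</span>-prefixed claim variables. The discovery document, provider record and request environment below are constructed for the example from the identifiers in the post; the script shows which local user and group the posted mapping yields, and what the lookup returns when the issuer string differs from the registered remote_id by as little as a trailing slash.</div>
<div><br>
</div>

```python
"""Offline model of two lookups Keystone performs on a federated websso request.

Added example; not code from the original post, Keystone or puppet-keystone.
1. Identity-provider resolution: the value of remote_id_attribute
   (HTTP_OIDC_ISS, the OIDC-iss header mod_auth_openidc sets from the ID
   token's `iss` claim) must equal one of the provider's `remote_ids`.
2. Mapping: each rule's `remote` entries are looked up among the OIDC-*
   claim variables and the `{0}`, `{1}`, ... placeholders in `local` are
   filled from the matched values.
Every input below is constructed for the example.
"""
import json
import re

# Constructed stand-in for the document mod_auth_openidc fetches from
# OIDCProviderMetadataURL; only `issuer` matters for the lookup.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://keycloak_server/auth/realms/BBP",
    "authorization_endpoint":
        "https://keycloak_server/auth/realms/BBP/protocol/openid-connect/auth",
})

# Constructed stand-in for `openstack identity provider show keycloak`.
IDENTITY_PROVIDERS = {
    "keycloak": {
        "enabled": True,
        "remote_ids": ["https://keycloak_server/auth/realms/BBP"],
    },
}

# Rules in the shape `openstack mapping show openid_mapping` prints.
MAPPING_RULES = [{
    "local": [{"user": {"name": "{0}"},
               "group": {"domain": {"name": "Default"},
                         "name": "federated_users"}}],
    "remote": [{"type": "OIDC-preferred_username"}],
}]


def issuer_from_discovery(doc_json):
    """Issuer string the provider advertises; this is what ends up in `iss`."""
    return json.loads(doc_json)["issuer"]


def find_identity_provider(providers, remote_id):
    """Return the id of the enabled provider registered for remote_id, else None.

    The comparison is on the raw string, so scheme, host, case and a
    trailing slash all have to agree with the registered value.
    """
    for idp_id, idp in providers.items():
        if idp["enabled"] and remote_id in idp["remote_ids"]:
            return idp_id
    return None


def _fill(obj, values):
    """Substitute {N} placeholders anywhere inside a `local` structure."""
    if isinstance(obj, str):
        return re.sub(r"\{(\d+)\}", lambda m: values[int(m.group(1))], obj)
    if isinstance(obj, dict):
        return {k: _fill(v, values) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_fill(v, values) for v in obj]
    return obj


def apply_mapping(rules, env):
    """Evaluate rules against the request environment (OIDC-* variables).

    Returns the rendered `local` list of the first rule whose `remote`
    entries all match, or None when no rule matches.
    """
    for rule in rules:
        values = []
        for remote in rule["remote"]:
            value = env.get(remote["type"])
            if value is None:
                break
            # Optional value filter a rule may carry ("any_one_of").
            if "any_one_of" in remote and value not in remote["any_one_of"]:
                break
            values.append(value)
        else:
            return _fill(rule["local"], values)
    return None


def check_request(env, providers=IDENTITY_PROVIDERS, rules=MAPPING_RULES,
                  remote_id_attribute="HTTP_OIDC_ISS"):
    """Resolve the identity provider first, then map the user, as Keystone does."""
    remote_id = env.get(remote_id_attribute)
    idp_id = find_identity_provider(providers, remote_id)
    if idp_id is None:
        return {"error": "Could not find Identity Provider: %s." % remote_id}
    local = apply_mapping(rules, env)
    if local is None:
        return {"error": "no mapping rule matched the request"}
    return {"identity_provider": idp_id, "local": local}


if __name__ == "__main__":
    # Environment as mod_auth_openidc would populate it after a login.
    ok_env = {"HTTP_OIDC_ISS": issuer_from_discovery(DISCOVERY_DOC),
              "OIDC-preferred_username": "daniel"}
    print(check_request(ok_env))
    # Same realm, but the issuer carries a trailing slash: no exact match.
    slash_env = dict(ok_env, HTTP_OIDC_ISS=ok_env["HTTP_OIDC_ISS"] + "/")
    print(check_request(slash_env))
```

<div><br>
</div>
<div>Run it as-is to see both outcomes. To apply the same checks to a real deployment, replace the constructed inputs with the <span>issuer</span> field from the realm's <span>.well-known/openid-configuration</span> document and the <span>remote_ids</span> from <span>openstack identity provider show</span>; the two strings must be byte-for-byte identical for the provider lookup to succeed.</div>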
<br>
<p></p>
</div>
</body>
</html>