Bug 1902316
| Summary: | [RFE] Integrate AZURE AD as an Identity Provider using Keystone's Federation. | | |
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Pierre-Andre MOREY <pmorey> |
| Component: | openstack-keystone | Assignee: | Dave Wilde <dwilde> |
| Status: | CLOSED DUPLICATE | QA Contact: | Jeremy Agee <jagee> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 16.1 (Train) | CC: | dcaspin, dwilde, hrybacki, oblaut, oskari.lemmela |
| Target Milestone: | --- | Keywords: | FutureFeature |
| Target Release: | --- | Flags: | ifrangs: needinfo? (dwilde) |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-03-10 21:22:53 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Pierre-Andre MOREY
2020-11-27 17:14:41 UTC
We noticed one configuration parameter which needs to be added to the keystone httpd configuration to allow Azure to pass more than 5 groups in the token. Setting OIDCResponseMode "form_post" allows bigger tokens to be sent. Currently there is no way to set this parameter via puppet parameters.

Azure also uses jwks to verify tokens. The following puppet parameters need to be added to the configuration ExtraConfig:

```yaml
keystone::federation::openidc::openidc_verify_method: jwks
keystone::federation::openidc::openidc_verify_jwks_uri: https://login.microsoftonline.com/{{ azure_auth_tenant }}/discovery/v2.0/keys
keystone::federation::openidc::openidc_claim_delimiter: ";"
```
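The report asks for `openidc_claim_delimiter: ";"` without saying why that particular character matters. The reason is on the keystone side: mod_auth_openidc hands each claim to keystone as a single environment-variable string, joining multi-valued claims such as `groups` with `OIDCClaimDelimiter` (default `,`), while keystone's federation mapping engine splits every assertion value on `;` before evaluating mapping rules. With the default `,` the whole Azure group list arrives as one unsplittable value and no group rule matches. The script below is an added illustration, not keystone's or puppet-keystone's code; it reimplements only the split-and-match step with constructed group IDs and a constructed environment, so it runs offline.

```python
"""Illustrative reimplementation (not keystone's own code) of why the
OIDC claim delimiter passed to keystone must be ';'.

mod_auth_openidc joins a multi-valued claim into one string using
OIDCClaimDelimiter; keystone's mapping engine splits every assertion
value on ';' before rules are evaluated.
"""

# Delimiter keystone's federation mapping engine splits assertion values on.
KEYSTONE_ASSERTION_DELIMITER = ";"

# Constructed sample Azure group object IDs (not real tenant data).
CONSTRUCTED_GROUPS = [
    "11111111-1111-1111-1111-111111111111",
    "22222222-2222-2222-2222-222222222222",
    "33333333-3333-3333-3333-333333333333",
]


def build_env(claim_delimiter):
    """Constructed sample of the environment mod_auth_openidc hands to
    keystone: one string per claim, multi-valued claims joined with the
    configured OIDCClaimDelimiter."""
    return {
        "OIDC-sub": "constructed-user",
        "OIDC-groups": claim_delimiter.join(CONSTRUCTED_GROUPS),
    }


def parse_assertion(env):
    """Mimic keystone: every string assertion value becomes a list,
    split on ';' regardless of what the Apache side used."""
    return {
        name: value.split(KEYSTONE_ASSERTION_DELIMITER)
        for name, value in env.items()
        if isinstance(value, str)
    }


def whitelisted_groups(assertion, whitelist):
    """Return the groups a keystone 'whitelist'-style mapping rule on
    OIDC-groups would admit: only values present in the whitelist."""
    return [g for g in assertion.get("OIDC-groups", []) if g in whitelist]


def compare_delimiters(whitelist):
    """Run the same whitelist rule against the assertion produced by the
    default ',' delimiter and by ';'. Keys are the delimiter used."""
    return {
        delimiter: whitelisted_groups(parse_assertion(build_env(delimiter)), whitelist)
        for delimiter in (",", ";")
    }


if __name__ == "__main__":
    allowed = CONSTRUCTED_GROUPS[1:]  # pretend only two groups are mapped
    for delimiter, groups in compare_delimiters(allowed).items():
        print(f"OIDCClaimDelimiter {delimiter!r}: {len(groups)} group(s) matched -> {groups}")
```

With `,` the groups claim reaches keystone as one string containing commas, so nothing in the whitelist matches and the user gets no group-based role assignment; with `;` each group ID is matched individually. The same mismatch is a useful thing to check when an Azure-federated user logs in but lands with no projects.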