Bug 1902316

Summary: [RFE] Integrate AZURE AD as an Identity Provider using Keystone's Federation.
Product: Red Hat OpenStack
Reporter: Pierre-Andre MOREY <pmorey>
Component: openstack-keystone
Assignee: Dave Wilde <dwilde>
Status: CLOSED DUPLICATE
QA Contact: Jeremy Agee <jagee>
Severity: high
Priority: high
Version: 16.1 (Train)
CC: dcaspin, dwilde, hrybacki, oblaut, oskari.lemmela
Keywords: FutureFeature
Flags: ifrangs: needinfo? (dwilde)
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2022-03-10 21:22:53 UTC
Type: Bug

Description Pierre-Andre MOREY 2020-11-27 17:14:41 UTC
Description of problem:

We have a Telco customer who uses Azure AD as a solution for authentication and user management, and he would like to have Keystone able to use it as a provider.


RHOSP 16.1.2

It seems that Azure AD supports OpenID.

Regards,
Pierre-André

Comment 4 Oskari Lemmela 2021-03-23 13:44:04 UTC
We noticed one configuration parameter which needs to be added to the keystone httpd configuration to allow Azure to pass more than 5 groups in the token.

Setting OIDCResponseMode "form_post" allows bigger tokens to be sent. Currently there is no way to set this parameter via puppet parameters.

Azure also uses JWKS to verify tokens. The following puppet parameters need to be added to the configuration:

ExtraConfig:
  keystone::federation::openidc::openidc_verify_method: jwks
  keystone::federation::openidc::openidc_verify_jwks_uri: https://login.microsoftonline.com/{{ azure_auth_tenant }}/discovery/v2.0/keys
  keystone::federation::openidc::openidc_claim_delimiter: ";"
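For reference, the following is an added example (not from the bug report, puppet-keystone or Red Hat) of what the mod_auth_openidc directives in the Keystone httpd vhost look like once the settings discussed above are in place. The tenant id, client id, client secret, hostname and crypto passphrase are placeholders; the Keystone Location paths are assumed to match the default puppet-keystone federation layout. The commented-out lines show the setting the comment above identifies as insufficient, next to the corrected one.

```apache
# Added example: mod_auth_openidc settings for Keystone federation against Azure AD.
# Placeholders: TENANT_ID, CLIENT_ID, CLIENT_SECRET, keystone.example.com, CHANGE_ME.

# Provider discovery; Azure AD publishes its metadata (issuer, endpoints, jwks_uri) here.
OIDCProviderMetadataURL https://login.microsoftonline.com/TENANT_ID/v2.0/.well-known/openid-configuration
OIDCClientID     CLIENT_ID
OIDCClientSecret CLIENT_SECRET
OIDCRedirectURI  https://keystone.example.com:13000/v3/auth/OS-FEDERATION/websso/openid/redirect
OIDCCryptoPassphrase CHANGE_ME
OIDCScope "openid email profile"

# Weak setting: the token comes back in the redirect URL, so its size is bounded
# by URL length and Azure truncates the groups it can include.
# OIDCResponseMode fragment
# Corrected setting (what the comment above asks for): the provider POSTs the
# response in the request body, so a token carrying many groups fits.
OIDCResponseMode form_post

# Bearer-token verification for the Keystone federation auth endpoint: validate the
# JWT signature against Azure AD's published JWKS instead of calling an
# introspection endpoint (this is what openidc_verify_method: jwks renders to).
OIDCOAuthVerifyJwksUri https://login.microsoftonline.com/TENANT_ID/discovery/v2.0/keys

# Azure emits "groups" as a multi-valued claim; expose it to Keystone joined with ";"
# so the mapping rules can split it (renders from openidc_claim_delimiter).
OIDCClaimDelimiter ";"
OIDCClaimPrefix "OIDC-"

# Browser-based (websso) login.
<Location ~ "/v3/auth/OS-FEDERATION/websso/openid">
    AuthType openid-connect
    Require valid-user
</Location>

# Token-based (CLI / API) login presenting an Azure AD bearer token.
<Location ~ "/v3/OS-FEDERATION/identity_providers/.*?/protocols/openid/auth">
    AuthType oauth20
    Require valid-user
</Location>
```

Two operational checks worth doing after applying this: the redirect URI registered in the Azure app registration must match OIDCRedirectURI exactly, since with form_post the provider sends an HTTP POST to it; and the Keystone mapping rule that consumes the groups claim must split on the same delimiter configured in OIDCClaimDelimiter, otherwise group membership silently collapses to a single unmatched string and the user receives no project roles.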