We need to include the keycloak-httpd-client-install package in RH-OSP 9. This package is needed to be able to configure Keystone for SAML federation against RH-SSO (aka Keycloak). The Fedora package review for this new package is available here: https://bugzilla.redhat.com/show_bug.cgi?id=1336008
Please upgrade the package in OSP. Currently you have keycloak-httpd-client-install-0.3-1 pulled from Fedora; please upgrade it to the next version, keycloak-httpd-client-install-0.4-1 (can be located in Fedora rawhide, F24 & F23).
Verified for keycloak-httpd-client-install-0.3-1.el7ost.noarch in a RHEL 7.2 deployment of OSP 9 using OSPd 9:

[stack@undercloud ~]$ sudo yum install keycloak-httpd-client-install -y
...
[stack@undercloud ~]$ rpm --query keycloak-httpd-client-install
keycloak-httpd-client-install-0.3-1.el7ost.noarch
[stack@undercloud ~]$ keycloak-httpd-client-install --help
usage: keycloak-httpd-client-install [-h] [--no-root-check] [-v] [-d]
                                     [--show-traceback] [--log-file LOG_FILE]
                                     --app-name APP_NAME [--force]
                                     [--permit-insecure-transport]
                                     [--template-dir TEMPLATE_DIR]
                                     [--httpd-dir HTTPD_DIR] -r KEYCLOAK_REALM
                                     -s KEYCLOAK_SERVER_URL
                                     [-a {root-admin,realm-admin,anonymous}]
                                     [-u KEYCLOAK_ADMIN_USERNAME]
                                     [-p KEYCLOAK_ADMIN_PASSWORD]
                                     [--keycloak-admin-realm KEYCLOAK_ADMIN_REALM]
                                     [--initial-access-token INITIAL_ACCESS_TOKEN]
                                     [--client-originate-method {descriptor,registration}]
                                     [--mellon-key-file MELLON_KEY_FILE]
                                     [--mellon-cert-file MELLON_CERT_FILE]
                                     [--mellon-hostname MELLON_HOSTNAME]
                                     [--mellon-https-port MELLON_HTTPS_PORT]
                                     [--mellon-root MELLON_ROOT]
                                     [--mellon-endpoint MELLON_ENDPOINT]
                                     [--mellon-entity-id MELLON_ENTITY_ID]
                                     [--mellon-idp-attr-name MELLON_IDP_ATTR_NAME]
                                     [--mellon-organization-name MELLON_ORGANIZATION_NAME]
                                     [--mellon-organization-display-name MELLON_ORGANIZATION_DISPLAY_NAME]
                                     [--mellon-organization-url MELLON_ORGANIZATION_URL]
                                     [-l MELLON_PROTECTED_LOCATIONS]

Configure mod_auth_mellon as Keycloak client

optional arguments:
  -h, --help            show this help message and exit
  --no-root-check       permit running by non-root (default: True)
  -v, --verbose         be chatty (default: False)
  -d, --debug           turn on debug info (default: False)
  --show-traceback      exceptions print traceback in addition to error
                        message (default: False)
  --log-file LOG_FILE   log file pathname (default: /var/log/python-keycloak-
                        httpd-client/keycloak-httpd-client-install.log)
  --app-name APP_NAME   name of the web app being protected by mellon
                        (default: None)
  --force               forcefully override safety checks (default: False)
  --permit-insecure-transport
                        Normally secure transport such as TLS is required,
                        defeat this check (default: False)

Program Configuration:
  --template-dir TEMPLATE_DIR
                        Template location (default: /usr/share/keycloak-httpd-
                        client-install/templates)
  --httpd-dir HTTPD_DIR
                        Template location (default: /etc/httpd)

Keycloak IdP:
  -r KEYCLOAK_REALM, --keycloak-realm KEYCLOAK_REALM
                        realm name (default: None)
  -s KEYCLOAK_SERVER_URL, --keycloak-server-url KEYCLOAK_SERVER_URL
                        Keycloak server URL (default: None)
  -a {root-admin,realm-admin,anonymous}, --keycloak-auth-role {root-admin,realm-admin,anonymous}
                        authenticating as what type of user (default: root-
                        admin) (default: root-admin)
  -u KEYCLOAK_ADMIN_USERNAME, --keycloak-admin-username KEYCLOAK_ADMIN_USERNAME
                        admin user name (default: admin) (default: admin)
  -p KEYCLOAK_ADMIN_PASSWORD, --keycloak-admin-password KEYCLOAK_ADMIN_PASSWORD
                        admin password (use - to read from stdin) (default:
                        None)
  --keycloak-admin-realm KEYCLOAK_ADMIN_REALM
                        realm admin belongs to (default: master)
  --initial-access-token INITIAL_ACCESS_TOKEN
                        realm initial access token for client registeration
                        (default: None)
  --client-originate-method {descriptor,registration}
                        select Keycloak method for creating SAML client
                        (default: descriptor)

Mellon SP:
  --mellon-key-file MELLON_KEY_FILE
                        certficate key file (default: None)
  --mellon-cert-file MELLON_CERT_FILE
                        certficate file (default: None)
  --mellon-hostname MELLON_HOSTNAME
                        Machine's fully qualified host name (default:
                        undercloud.redhat.local)
  --mellon-https-port MELLON_HTTPS_PORT
                        SSL/TLS port on mellon-hostname (default: 443)
  --mellon-root MELLON_ROOT
                        common root ancestor for all mellon endpoints
                        (default: /)
  --mellon-endpoint MELLON_ENDPOINT
                        Used to form the MellonEndpointPath, e.g.
                        {mellon_root}/{mellon_endpoint}. (default: mellon)
  --mellon-entity-id MELLON_ENTITY_ID
                        SP SAML Entity ID (default: None)
  --mellon-idp-attr-name MELLON_IDP_ATTR_NAME
                        name of the attribute Mellon adds which will contain
                        the IdP entity id (default: IDP)
  --mellon-organization-name MELLON_ORGANIZATION_NAME
                        Add SAML OrganizationName to SP metadata (default:
                        None)
  --mellon-organization-display-name MELLON_ORGANIZATION_DISPLAY_NAME
                        Add SAML OrganizationDisplayName to SP metadata
                        (default: None)
  --mellon-organization-url MELLON_ORGANIZATION_URL
                        Add SAML OrganizationURL to SP metadata (default:
                        None)
  -l MELLON_PROTECTED_LOCATIONS, --mellon-protected-locations MELLON_PROTECTED_LOCATIONS
                        Web location to protect with Mellon. May be specified
                        multiple times (default: [])
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2016-1597.html