An issue that always happen when configuring federation (Federated Identity feature) is that mod_auth_mellon needs to be reinstalled in the controllers for it to work properly. Below we can check some of the configuration files from the module are missing:
[root@controller-2 ~]# rpm -ql mod_auth_mellon
[root@controller-2 ~]# ls /etc/httpd/conf.d/ | grep mellon
[root@controller-2 ~]# ls /etc/httpd/conf.modules.d/ | grep mellon
Set the component to "openstack-tripleo", please reassign it for the correct package if it is the case.
This is probably happening because puppet (via the apache module) will remove any modules not accounted for in our apache configuration. We would need to explicitly ensure that ::apache::mod::auth_mellon is included when configuring federation with mod_auth_mellon
*** Bug 1497718 has been marked as a duplicate of this bug. ***
Note: bug #1497718 which was closed as a duplicate of this one contains some additional information concerning how to get mod_auth_mellon under Puppet control, you may wish to review that material.
Made some light edits to content. Confirmed that John's new section is in the published version of the OSP12 guide: https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/12/html-single/federate_with_identity_service/#prerequisites