Description of problem:
We have a Telco customer, who uses Azure AD as a solution for authentication and users management and he would like to have keystone able to use it as a provider.

RHOSP 16.1.2

It seems that Azure AD supports OpenID.

Regards,
Pierre-André
We noticed one configuration parameter which needs to be added to the keystone httpd configuration to allow Azure to pass more than 5 groups in the token. Setting OIDCResponseMode "form_post" allows bigger tokens to be sent. Currently there is no way to set this parameter via puppet parameters.

Azure also uses jwks to verify tokens. The following puppet parameters need to be added to the configuration via ExtraConfig:

    keystone::federation::openidc::openidc_verify_method: jwks
    keystone::federation::openidc::openidc_verify_jwks_uri: https://login.microsoftonline.com/{{ azure_auth_tenant }}/discovery/v2.0/keys
    keystone::federation::openidc::openidc_claim_delimiter: ";"
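Since the response mode cannot be set through puppet, a deployer will typically want to confirm, after the overcloud is deployed, that the rendered keystone vhost actually carries the four settings discussed in this comment. The script below is an added example for this bug, not code from the reporter, puppet-keystone, or mod_auth_openidc. It parses a constructed vhost fragment and reports which settings are missing or weak; the mapping from the ExtraConfig parameters above to the OIDCOAuthVerifyJwksUri and OIDCClaimDelimiter directives, the EXAMPLE-* placeholder values, and the DEFAULT_VHOST fragment are assumptions made for the example.

```python
"""Check a rendered keystone httpd vhost for the mod_auth_openidc settings
an Azure AD federation needs: form_post response mode (so id_tokens carrying
many group claims are POSTed instead of squeezed into a URL), JWKS-based
token verification over https, and the ';' claim delimiter."""
import re
from typing import Dict, List

# Constructed sample of a vhost that has everything set (not from a real deployment).
# Directive names are mod_auth_openidc directives; the puppet-parameter-to-directive
# mapping and the EXAMPLE-* values are assumptions for this example.
SAMPLE_VHOST = """
OIDCClaimPrefix "OIDC-"
OIDCResponseType "id_token"
OIDCResponseMode "form_post"
OIDCScope "openid email profile"
OIDCProviderMetadataURL "https://login.microsoftonline.com/EXAMPLE-TENANT-ID/v2.0/.well-known/openid-configuration"
OIDCClientID "EXAMPLE-CLIENT-ID"
OIDCOAuthVerifyJwksUri "https://login.microsoftonline.com/EXAMPLE-TENANT-ID/discovery/v2.0/keys"
OIDCClaimDelimiter ";"
"""

# Constructed sample of a vhost left at puppet defaults: no response mode,
# no JWKS verification, default (comma) claim delimiter.
DEFAULT_VHOST = """
OIDCClaimPrefix "OIDC-"
OIDCResponseType "id_token"
OIDCScope "openid email profile"
OIDCProviderMetadataURL "https://login.microsoftonline.com/EXAMPLE-TENANT-ID/v2.0/.well-known/openid-configuration"
OIDCClientID "EXAMPLE-CLIENT-ID"
"""


def parse_directives(text: str) -> Dict[str, str]:
    """Return {directive: value} for simple one-line httpd directives.
    Quoted and unquoted single values are handled; comments are skipped."""
    directives: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = re.match(r'^(\S+)\s+"?([^"]*)"?\s*$', line)
        if match:
            directives[match.group(1)] = match.group(2)
    return directives


def check_azure_oidc(directives: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means all four settings are present."""
    findings: List[str] = []

    # Large group lists inflate the id_token; with the default query/fragment
    # delivery the redirect URL can exceed length limits and the login fails.
    if directives.get("OIDCResponseMode") != "form_post":
        findings.append("OIDCResponseMode is not form_post; large Azure AD group claims may be dropped")

    # Tokens must be verified against the tenant's signing keys, fetched over https.
    jwks_uri = directives.get("OIDCOAuthVerifyJwksUri")
    if not jwks_uri:
        findings.append("OIDCOAuthVerifyJwksUri is missing; tokens are not verified against the tenant JWKS")
    elif not jwks_uri.startswith("https://"):
        findings.append("OIDCOAuthVerifyJwksUri is not https; signing keys could be tampered with in transit")

    # Azure group identifiers are joined into one claim; keystone mapping expects ';'.
    if directives.get("OIDCClaimDelimiter") != ";":
        findings.append('OIDCClaimDelimiter is not ";"; multi-valued group claims will not split correctly')

    return findings


if __name__ == "__main__":
    for name, vhost in (("configured", SAMPLE_VHOST), ("defaults", DEFAULT_VHOST)):
        problems = check_azure_oidc(parse_directives(vhost))
        print(f"{name}: {'OK' if not problems else problems}")
```

To run it against a real overcloud, replace the constructed fragments with the contents of the keystone vhost rendered under the httpd configuration directory on the controller; the checker only needs the directive lines, so feeding it the whole file is fine.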