-
-
Save odyssey4me/9f44a534e345a1023863 to your computer and use it in GitHub Desktop.
Keystone Federation SP Configuration Example (kilo)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
# | |
# Important required settings | |
# | |
# set haproxy to handle ssl offloading | |
# while using haproxy is optional, keystone's public endpoint *must* be https for ADFS to trust it | |
haproxy_ssl: true | |
# set the keystone public endpoint to be https | |
keystone_service_publicuri_proto: "https" | |
# set Horizon to use Keystone's public endpoint (otherwise WebSSO won't work) | |
horizon_endpoint_type: publicURL | |
# use real certificates for Horizon (it makes all the redirects work more smoothly) | |
# these file paths are on the deployment host | |
horizon_user_ssl_cert: /root/test1.pigeonbrawl.net_ssl.crt | |
horizon_user_ssl_key: /root/test1.pigeonbrawl.net_ssl.key | |
horizon_user_ssl_ca_cert: /root/test1.pigeonbrawl.net_ssl_ca-bundle.pem | |
# your SSL certificate is likely using a DNS name, so this must be set | |
horizon_server_name: test1.pigeonbrawl.net | |
# Horizon must use the public endpoint for Keystone, and refer to a name matching the SSL cert | |
# in this test environment, both keystone and Horizon shared a common DNS name | |
horizon_keystone_host: "{{ horizon_server_name }}" | |
horizon_keystone_endpoint: "{{ keystone_service_publicuri_proto }}://{{ horizon_server_name }}:5000/v3" | |
# Ensure that the public endpoint registered for Keystone uses the right name | |
keystone_public_endpoint: "{{ keystone_service_publicuri_proto }}://{{ horizon_server_name }}:5000" | |
keystone_service_publicurl: "{{ horizon_keystone_endpoint }}" | |
# ensure that the token provider is uuid, not fernet | |
# Fernet Tokens in Kilo do not yet support scoped tokens for Federated Identities | |
keystone_token_provider: "keystone.token.providers.uuid.Provider" | |
keystone_token_driver: "keystone.token.persistence.backends.sql.Token" | |
# | |
# Keystone Service Provider Configuration | |
# | |
keystone_sp: | |
cert_duration_years: 5 | |
trusted_dashboard_list: | |
- "https://{{ external_lb_vip_address }}/auth/websso/" | |
- "https://{{ horizon_server_name }}/auth/websso/" | |
trusted_idp_list: | |
- name: 'adfs-idp' | |
entity_ids: | |
- 'http://idp.pigeonbrawl.net/adfs/services/trust' | |
metadata_uri: 'https://idp.pigeonbrawl.net/FederationMetadata/2007-06/FederationMetadata.xml' | |
metadata_file: 'metadata-adfs-idp.xml' | |
metadata_reload: 1800 | |
federated_identities: | |
- domain: Default | |
project: fedproject | |
group: fedgroup | |
role: _member_ | |
protocols: | |
- name: saml2 | |
mapping: | |
name: adfs-idp-mapping | |
rules: | |
- remote: | |
- type: upn | |
local: | |
- group: | |
name: fedgroup | |
domain: | |
name: Default | |
- user: | |
name: '{0}' | |
attributes: | |
- name: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn' | |
id: upn |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment