@odyssey4me
Last active November 27, 2017 18:53
Keystone Federation SP Configuration Example (kilo)
---
#
# Important required settings
#
# set haproxy to handle ssl offloading
# while using haproxy is optional, keystone's public endpoint *must* be https for ADFS to trust it
haproxy_ssl: true
# set the keystone public endpoint to be https
keystone_service_publicuri_proto: "https"
# set Horizon to use Keystone's public endpoint (otherwise WebSSO won't work)
horizon_endpoint_type: publicURL
# use real certificates for Horizon (it makes all the redirects work more smoothly)
# these file paths are on the deployment host
horizon_user_ssl_cert: /root/test1.pigeonbrawl.net_ssl.crt
horizon_user_ssl_key: /root/test1.pigeonbrawl.net_ssl.key
horizon_user_ssl_ca_cert: /root/test1.pigeonbrawl.net_ssl_ca-bundle.pem
# your SSL certificate is likely using a DNS name, so this must be set
horizon_server_name: test1.pigeonbrawl.net
# Horizon must use the public endpoint for Keystone, and refer to a name matching the SSL cert
# in this test environment, both keystone and Horizon shared a common DNS name
horizon_keystone_host: "{{ horizon_server_name }}"
horizon_keystone_endpoint: "{{ keystone_service_publicuri_proto }}://{{ horizon_server_name }}:5000/v3"
# Ensure that the public endpoint registered for Keystone uses the right name
keystone_public_endpoint: "{{ keystone_service_publicuri_proto }}://{{ horizon_server_name }}:5000"
keystone_service_publicurl: "{{ horizon_keystone_endpoint }}"
# ensure that the token provider is uuid, not fernet
# Fernet Tokens in Kilo do not yet support scoped tokens for Federated Identities
keystone_token_provider: "keystone.token.providers.uuid.Provider"
keystone_token_driver: "keystone.token.persistence.backends.sql.Token"
#
# Keystone Service Provider Configuration
#
keystone_sp:
  cert_duration_years: 5
  trusted_dashboard_list:
    - "https://{{ external_lb_vip_address }}/auth/websso/"
    - "https://{{ horizon_server_name }}/auth/websso/"
  trusted_idp_list:
    - name: 'adfs-idp'
      entity_ids:
        - 'http://idp.pigeonbrawl.net/adfs/services/trust'
      metadata_uri: 'https://idp.pigeonbrawl.net/FederationMetadata/2007-06/FederationMetadata.xml'
      metadata_file: 'metadata-adfs-idp.xml'
      metadata_reload: 1800
      federated_identities:
        - domain: Default
          project: fedproject
          group: fedgroup
          role: _member_
      protocols:
        - name: saml2
          mapping:
            name: adfs-idp-mapping
            rules:
              - remote:
                  - type: upn
                local:
                  - group:
                      name: fedgroup
                      domain:
                        name: Default
                  - user:
                      name: '{0}'
          attributes:
            - name: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
              id: upn
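To see what the adfs-idp-mapping rule and the trusted_dashboard_list above actually do at login time, here is an added example (not part of the gist or of openstack-ansible) that re-implements, in plain Python, the subset of Keystone's mapping engine the rule relies on and the exact-match trusted-dashboard check. The rendered host name test1.pigeonbrawl.net and the constructed assertion attributes are assumptions for illustration; a real assertion arrives via mod_shib with each attribute as a list of values.

```python
# Added example, not the gist's code: a minimal model of the Keystone checks
# driven by the configuration above (direct '{0}' mapping and trusted_dashboard).
import urllib.parse

# The gist's rule and dashboard list, with the Ansible variables rendered
# to the gist's example host name.
ADFS_IDP_MAPPING = [{
    "remote": [{"type": "upn"}],
    "local": [
        {"group": {"name": "fedgroup", "domain": {"name": "Default"}}},
        {"user": {"name": "{0}"}},
    ],
}]
TRUSTED_DASHBOARDS = ["https://test1.pigeonbrawl.net/auth/websso/"]


def _substitute(value, direct_maps):
    """Fill '{0}', '{1}', ... with the matched remote attribute values."""
    if isinstance(value, str):
        return value.format(*direct_maps)
    if isinstance(value, dict):
        return {k: _substitute(v, direct_maps) for k, v in value.items()}
    return value


def apply_mapping(rules, assertion):
    """Map assertion attributes ({name: [values]}) to a local identity.

    Every rule whose remote attributes are all present contributes its
    'local' items; None means no rule matched and Keystone would reject
    the federated login instead of issuing an unscoped token.
    """
    identity, matched = {"user": None, "groups": []}, False
    for rule in rules:
        values = [assertion.get(req["type"]) for req in rule["remote"]]
        if not all(values):
            continue  # a required attribute is absent from the assertion
        matched = True
        for item in rule["local"]:
            item = _substitute(item, [v[0] for v in values])
            if "user" in item:
                identity["user"] = item["user"]
            if "group" in item:
                identity["groups"].append(item["group"])
    return identity if matched else None


def is_trusted_dashboard(origin, trusted=TRUSTED_DASHBOARDS):
    """WebSSO redirects only to an 'origin' that exactly matches an entry,
    hence both the VIP and the DNS name in the gist's list."""
    return urllib.parse.unquote_plus(origin) in trusted
```

An assertion lacking the upn claim yields None rather than a user, and an origin that differs from the configured entry by as little as a trailing slash is refused, which is why trusted_dashboard_list must spell out every URL Horizon may send.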