"Keystone with OpenID Connect": difference between versions
Version of 21 February 2024 at 15:32
Configure an external Keycloak to provide authentication for Keystone
The objective is to identify a user and allow them to find their projects in Openstack.
Keycloak client and user configuration
This guide assumes you already have a working Keycloak server.
What is covered here is how to:
- create a client in Keycloak for Keystone
- configure this client
- create groups (one Keycloak group per Openstack project)
- create a user
Client creation and settings
- Go to your Keycloak admin console and create a new client (click Create)
- Let's assume your client is named Keystone
- Leave Root URL empty
- Select openid-connect for Client Protocol
- Select confidential for Access Type
- Standard Flow Enabled, Implicit Flow Enabled and Direct Access Grants Enabled must be on
- The FQDN in Valid Redirect URIs should match the value of kolla_external_fqdn. If your kolla_internal_fqdn is par1.cloud.ld, then your Valid Redirect URIs should contain https://par1.cloud.ld:5000/redirect_uri. You can also add the URI of your Horizon dashboard
- Don't forget to copy the client's key (the client secret, shown under the Credentials tab)
Client mappers
Add the following mappers to the new client:
- groups: click Add Builtin and choose the Group Membership mapper type
- email: click Add Builtin and choose the User Property mapper type
- username: click Add Builtin and choose the User Property mapper type
Creation of groups
One Keycloak group is created per Openstack project.
Creation of user
Create one user, fill in its username and email, and assign it to one or more groups.
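To verify that the client created above actually carries the settings this guide requires (confidential access type, the three flows, the redirect URI derived from the external FQDN, and the groups/email/username mappers), here is an added example, not part of the original wiki page, that checks a Keycloak client export such as the one returned by `kcadm.sh get clients/<id>`. The embedded client representation is constructed from the steps above; the function name check_keystone_client is an assumption of this example.

```python
"""Check a Keycloak client export against the Keystone OIDC settings described above."""
import json

# Constructed sample: a Keycloak client representation reflecting this guide's settings.
# Not taken from a real deployment.
SAMPLE_CLIENT = json.loads("""
{
  "clientId": "Keystone",
  "protocol": "openid-connect",
  "publicClient": false,
  "standardFlowEnabled": true,
  "implicitFlowEnabled": true,
  "directAccessGrantsEnabled": true,
  "rootUrl": "",
  "redirectUris": ["https://par1.cloud.ld:5000/redirect_uri"],
  "protocolMappers": [
    {"name": "groups",   "protocolMapper": "oidc-group-membership-mapper",
     "config": {"claim.name": "groups"}},
    {"name": "email",    "protocolMapper": "oidc-usermodel-property-mapper",
     "config": {"user.attribute": "email"}},
    {"name": "username", "protocolMapper": "oidc-usermodel-property-mapper",
     "config": {"user.attribute": "username"}}
  ]
}
""")

# Mapper name expected by this guide -> Keycloak mapper type behind the admin-console label
# (Group Membership / User Property).
EXPECTED_MAPPERS = {
    "groups": "oidc-group-membership-mapper",
    "email": "oidc-usermodel-property-mapper",
    "username": "oidc-usermodel-property-mapper",
}

def check_keystone_client(client: dict, external_fqdn: str) -> list:
    """Return the deviations from the settings this guide requires (empty list = OK)."""
    problems = []
    if client.get("protocol") != "openid-connect":
        problems.append("Client Protocol must be openid-connect")
    if client.get("publicClient", True):          # confidential == publicClient false
        problems.append("Access Type must be confidential (publicClient=false)")
    for flow in ("standardFlowEnabled", "implicitFlowEnabled", "directAccessGrantsEnabled"):
        if not client.get(flow):
            problems.append(f"{flow} must be on")
    if client.get("rootUrl"):
        problems.append("Root URL should be left empty")
    wanted = f"https://{external_fqdn}:5000/redirect_uri"   # Keystone's OIDC callback
    if wanted not in client.get("redirectUris", []):
        problems.append(f"Valid Redirect URIs must contain {wanted}")
    present = {m.get("name"): m.get("protocolMapper") for m in client.get("protocolMappers", [])}
    for name, kind in EXPECTED_MAPPERS.items():
        if present.get(name) != kind:
            problems.append(f"mapper '{name}' of type {kind} is missing")
    return problems
```

Run it against a real export by replacing SAMPLE_CLIENT with the JSON from your Keycloak and passing your kolla external FQDN; an empty result means the client matches this guide.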