Keystone with OpenID Connect

De TeriaHowto
Sauter à la navigation Sauter à la recherche

Configure an external Keycloak to provide authentication for Keystone
The objective is to identify a user and allow them to find their projects in Openstack.


Keycloak client configuration

This guide assumes you already have a working Keycloak server.
What is covered here is how to :

  • create a client in Keycloak for Keystone
  • configure this client

Client creation and settings

  • Got to your Keycloak admin console and configure a new client (click Create)
Fichier:Keycloak1.png
Keycloak admin console
  • Let's assume your client is named Keystone
    • Leave Root URL empty
    • Select openid-connect for Client Protocol
    • Select confidential for Access Type
    • Standard Flow Enabled, Implicit Flow Enabled and Direct Access Grants Enabled must be on
    • The *fqdn* for Valid Redirect URIs should match the value of kolla_external_fqdn. If your kolla_internal_fqdn is par1.cloud.ld, then your Valid Redirect URIs should be https://par1.cloud.ld:5000/redirect_uri. You can also add the URI of your Horizon dashboard
Fichier:Keycloak2.png
Keycloak client settings
  • Don't forget to copy the client's key (via Credentials tab)

Client mappers

Add the following mappers to the new client :

  • groups via Add Builtin button and type Group Membership
  • email via Add Builtin button and type User Property
  • username via Add Builtin button and type User Property
Fichier:Keycloak3.png
Keycloak client mappers
Récupérée de « http://wiki.teria.org/howto/index.php?title=Keystone_with_OpenID_Connect&oldid=570 »