Keystone with OpenID Connect
Sauter à la navigation
Sauter à la recherche
Configure an external Keycloak to provide authentication for Keystone
The objective is to identify a user and allow them to find their projects in Openstack.
Keycloak client and user configuration
This guide assumes you already have a working Keycloak server.
What is covered here is how to :
- create a client in Keycloak for Keystone
- configure this client
- creation of groups (one Keycloak group per Openstack project)
- create a user
Client creation and settings
- Got to your Keycloak admin console and configure a new client (click Create)
- Let's assume your client is named Keystone
- Leave Root URL empty
- Select openid-connect for Client Protocol
- Select confidential for Access Type
- Standard Flow Enabled, Implicit Flow Enabled and Direct Access Grants Enabled must be on
- The *fqdn* for Valid Redirect URIs should match the value of kolla_external_fqdn. If your kolla_internal_fqdn is par1.cloud.ld, then your Valid Redirect URIs should be https://par1.cloud.ld:5000/redirect_uri. You can also add the URI of your Horizon dashboard
- Don't forget to copy the client's key (via Credentials tab)
Client mappers
Add the following mappers to the new client :
- groups via Add Builtin button and type Group Membership
- email via Add Builtin button and type User Property
- username via Add Builtin button and type User Property
Creation of groups
One Keycloak group is created per Openstack project.
Creation of user
Create one user, fill its username, email and affect one (or more) group(s) to this user.
