Allow OIDCClaimDelimiter to be set in the apache config file

This may be necessary for federation where there are multiple OIDC groups that are separate by a ';'. See [1]. [1] https://docs.openstack.org/keystone/ussuri/admin/federation/mapping_combinations.html Change-Id: I68c0b138955693c8d1992f986878862ea12f5149
2021-02-03 17:09:27 +00:00 · 2021-02-03 17:09:27 +00:00 · b71f4853e3
commit b71f4853e3
parent c0448282ef
1 changed files with 3 additions and 0 deletions
--- a/templates/keystone-httpd.conf.j2
+++ b/templates/keystone-httpd.conf.j2
@ -62,6 +62,9 @@ Listen {{ keystone_service_port }}
    {% if keystone_sp.trusted_idp_list.0.oidc_default_url is defined -%}
    OIDCDefaultURL {{ keystone_sp.trusted_idp_list.0.oidc_default_url }}
    {% endif %}
+    {% if keystone_sp.trusted_idp_list.0.oidc_claim_delimiter is defined -%}
+    OIDCClaimDelimiter "{{ keystone_sp.trusted_idp_list.0.oidc_claim_delimiter }}"
+    {% endif %}

    <Location /v3/OS-FEDERATION/identity_providers/{{ keystone_sp.trusted_idp_list.0.name }}/protocols/openid/auth>
      Require valid-user