tripleo-heat-templates/environments/enable-federation-openidc.yaml


# *******************************************************************
# This file was created automatically by the sample environment
# generator. Developers should use `tox -e genconfig` to update it.
# Users are recommended to make changes to a copy of the file instead
# of the original, if any customizations are needed.
# *******************************************************************
# title: Enable keystone federation with OpenID Connect
# description: |
# This is an example template on how to configure keystone federation for
# the OpenID Connect protocol. You must modify the parameters to use
# values appropriate for your identity provider.
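parameter_defaults:
  # A list of methods used for authentication.
  # Type: comma_delimited_list
  KeystoneAuthMethods: password,token,openid
  # The client ID to use when handshaking with your OpenID Connect provider
  # Type: string
  KeystoneOpenIdcClientId: myclientid
  # The client secret to use when handshaking with your OpenID Connect provider
  # Type: string
  # Placeholder only: replace with the secret issued by your provider and keep the
  # real value out of version control (supply it from a private environment file).
  KeystoneOpenIdcClientSecret: myclientsecret
  # Passphrase to use when encrypting data for OpenID Connect handshake.
  # Type: string
  # Placeholder only: replace with a long, random, per-deployment value before
  # deploying; the example value offers no protection for the handshake data.
  KeystoneOpenIdcCryptoPassphrase: openstack
  # The name associated with the IdP in Keystone.
  # Type: string
  KeystoneOpenIdcIdpName: myidp
  # OAuth 2.0 introspection endpoint for mod_auth_openidc
  # Type: string
  KeystoneOpenIdcIntrospectionEndpoint: https://myidp.example.test/auth/realms/openstack/protocol/openid-connect/token/introspect
  # The url that points to your OpenID Connect provider metadata
  # Type: string
  # Must be an https URL; the provider metadata is what the deployment trusts to
  # locate the provider's endpoints and signing keys.
  KeystoneOpenIdcProviderMetadataUrl: https://myidp.example.test/auth/realms/openstack/.well-known/openid-configuration
  # Attribute to be used to obtain the entity ID of the Identity Provider from the environment.
  # Type: string
  KeystoneOpenIdcRemoteIdAttribute: HTTP_OIDC_ISS
  # Response type to be expected from the OpenID Connect provider.
  # Type: string
  KeystoneOpenIdcResponseType: id_token
  # A list of dashboard URLs trusted for single sign-on.
  # Type: comma_delimited_list
  # Only list dashboard URLs you control: anything here is trusted as an SSO
  # destination, so an over-broad list widens where federated logins may land.
  KeystoneTrustedDashboards: https://dashboard.example.test/dashboard/auth/websso/
  # Specifies the list of SSO authentication choices to present. Each item is a list of an SSO choice identifier and a display message.
  # Type: json
  WebSSOChoices: [['OIDC', 'OpenID Connect']]
  # Specifies a mapping from SSO authentication choice to identity provider and protocol. The identity provider and protocol names must match the resources defined in keystone.
  # Type: json
  # The IdP name here must match KeystoneOpenIdcIdpName above.
  WebSSOIDPMapping: {'OIDC': ['myidp', 'openid']}
  # The initial authentication choice to select by default
  # Type: string
  WebSSOInitialChoice: OIDC
  # ******************************************************
  # Static parameters - these are values that must be
  # included in the environment but should not be changed.
  # ******************************************************
  # Enable support for federated authentication.
  # Type: boolean
  KeystoneFederationEnable: true
  # Enable support for OpenIDC federation.
  # Type: boolean
  KeystoneOpenIdcEnable: true
  # Enable OAuth 2.0 integration.
  # Type: boolean
  KeystoneOpenIdcEnableOAuth: true
  # Enable support for Web Single Sign-On
  # Type: boolean
  WebSSOEnable: true
  # *********************
  # End static parameters
  # *********************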