78ee893158
This adds support for configuring horizon for WebSSO when keystone federation with OpenID Connect is enabled. This patch just exposes some new parameters to use puppet-horizon for configuration. The sample environment file for OpenID Connect federation is also updated to use the new parameters. Some of the sample defaults were updated to more closely match the URLs that horizon expects. Change-Id: I7c3ee6b54cc0c9653742c3ce1de60b2851d1fe68
80 lines
3.0 KiB
YAML
80 lines
3.0 KiB
YAML
# *******************************************************************
|
|
# This file was created automatically by the sample environment
|
|
# generator. Developers should use `tox -e genconfig` to update it.
|
|
# Users are recommended to make changes to a copy of the file instead
|
|
# of the original, if any customizations are needed.
|
|
# *******************************************************************
|
|
# title: Enable keystone federation with OpenID Connect
|
|
# description: |
|
|
# This is an example template on how to configure keystone federation for
|
|
# the OpenID Connect protocol. You must modify the parameters to use
|
|
# values appropriate for your identity provider.
|
|
parameter_defaults:
|
|
# A list of methods used for authentication.
|
|
# Type: comma_delimited_list
|
|
KeystoneAuthMethods: password,token,openid
|
|
|
|
# The client ID to use when handshaking with your OpenID Connect provider
|
|
# Type: string
|
|
KeystoneOpenIdcClientId: myclientid
|
|
|
|
# The client secret to use when handshaking with your OpenID Connect provider
|
|
# Type: string
|
|
KeystoneOpenIdcClientSecret: myclientsecret
|
|
|
|
# Passphrase to use when encrypting data for OpenID Connect handshake.
|
|
# Type: string
|
|
KeystoneOpenIdcCryptoPassphrase: openstack
|
|
|
|
# The name associated with the IdP in Keystone.
|
|
# Type: string
|
|
KeystoneOpenIdcIdpName: myidp
|
|
|
|
# The url that points to your OpenID Connect provider metadata
|
|
# Type: string
|
|
KeystoneOpenIdcProviderMetadataUrl: https://myidp.example.test/auth/realms/openstack/.well-known/openid-configuration
|
|
|
|
# Attribute to be used to obtain the entity ID of the Identity Provider from the environment.
|
|
# Type: string
|
|
KeystoneOpenIdcRemoteIdAttribute: HTTP_OIDC_ISS
|
|
|
|
# Response type to be expected from the OpenID Connect provider.
|
|
# Type: string
|
|
KeystoneOpenIdcResponseType: id_token
|
|
|
|
# A list of dashboard URLs trusted for single sign-on.
|
|
# Type: comma_delimited_list
|
|
KeystoneTrustedDashboards: https://dashboard.example.test/dashboard/auth/websso/
|
|
|
|
# Specifies the list of SSO authentication choices to present. Each item is a list of an SSO choice identifier and a display message.
|
|
# Type: json
|
|
WebSSOChoices: [['OIDC', 'OpenID Connect']]
|
|
|
|
# Specifies a mapping from SSO authentication choice to identity provider and protocol. The identity provider and protocol names must match the resources defined in keystone.
|
|
# Type: json
|
|
WebSSOIDPMapping: {'OIDC': ['myidp', 'openid']}
|
|
|
|
# The initial authentication choice to select by default
|
|
# Type: string
|
|
WebSSOInitialChoice: OIDC
|
|
|
|
# ******************************************************
|
|
# Static parameters - these are values that must be
|
|
# included in the environment but should not be changed.
|
|
# ******************************************************
|
|
# Enable support for federated authentication.
|
|
# Type: boolean
|
|
KeystoneFederationEnable: True
|
|
|
|
# Enable support for OpenIDC federation.
|
|
# Type: boolean
|
|
KeystoneOpenIdcEnable: True
|
|
|
|
# Enable support for Web Single Sign-On
|
|
# Type: boolean
|
|
WebSSOEnable: True
|
|
|
|
# *********************
|
|
# End static parameters
|
|
# *********************
|