tripleo-heat-templates/environments/enable-federation-openidc.yaml

# *******************************************************************
# This file was created automatically by the sample environment
# generator. Developers should use `tox -e genconfig` to update it.
# Users are recommended to make changes to a copy of the file instead
# of the original, if any customizations are needed.
# *******************************************************************
# title: Enable keystone federation with OpenID Connect
# description: |
#   This is an example template on how to configure keystone federation for
#   the OpenID Connect protocol.  You must modify the parameters to use
#   values appropriate for your identity provider.
parameter_defaults:
  # A list of methods used for authentication.
  # Type: comma_delimited_list
  KeystoneAuthMethods: password,token,openid

  # The client ID to use when handshaking with your OpenID Connect provider
  # Type: string
  KeystoneOpenIdcClientId: myclientid

  # The client secret to use when handshaking with your OpenID Connect provider
  # Type: string
  KeystoneOpenIdcClientSecret: myclientsecret

  # Passphrase to use when encrypting data for OpenID Connect handshake.
  # Type: string
  KeystoneOpenIdcCryptoPassphrase: openstack

  # The name associated with the IdP in Keystone.
  # Type: string
  KeystoneOpenIdcIdpName: myidp

  # The url that points to your OpenID Connect provider metadata
  # Type: string
  KeystoneOpenIdcProviderMetadataUrl: https://myidp.example.test/auth/realms/openstack/.well-known/openid-configuration

  # Attribute to be used to obtain the entity ID of the Identity Provider from the environment.
  # Type: string
  KeystoneOpenIdcRemoteIdAttribute: HTTP_OIDC_ISS

  # Response type to be expected from the OpenID Connect provider.
  # Type: string
  KeystoneOpenIdcResponseType: id_token

  # A list of dashboard URLs trusted for single sign-on.
  # Type: comma_delimited_list
  KeystoneTrustedDashboards: https://dashboard.example.test/dashboard/auth/websso/

  # Specifies the list of SSO authentication choices to present. Each item is a list of an SSO choice identifier and a display message.
  # Type: json
  WebSSOChoices: [['OIDC', 'OpenID Connect']]

  # Specifies a mapping from SSO authentication choice to identity provider and protocol.  The identity provider and protocol names must match the resources defined in keystone.
  # Type: json
  WebSSOIDPMapping: {'OIDC': ['myidp', 'openid']}

  # The initial authentication choice to select by default
  # Type: string
  WebSSOInitialChoice: OIDC

  # ******************************************************
  # Static parameters - these are values that must be
  # included in the environment but should not be changed.
  # ******************************************************
  # Enable support for federated authentication.
  # Type: boolean
  KeystoneFederationEnable: True

  # Enable support for OpenIDC federation.
  # Type: boolean
  KeystoneOpenIdcEnable: True

  # Enable support for Web Single Sign-On
  # Type: boolean
  WebSSOEnable: True

  # *********************
  # End static parameters
  # *********************
Enable support for openidc federation in keystone This exposes parameters to configure OpenIDC federation in Keystone. Change-Id: I3e06ca5fde65f3e2c3c084f96209d1b38d5f8b86 Depends-on: Id2ef3558a359883bf3182f50d6a082b1789a900a 2018-06-12 14:35:00 -04:00			`# *******************************************************************`
			`# This file was created automatically by the sample environment`
			# generator. Developers should use `tox -e genconfig` to update it.
			`# Users are recommended to make changes to a copy of the file instead`
			`# of the original, if any customizations are needed.`
			`# *******************************************************************`
			`# title: Enable keystone federation with OpenID Connect`
			`# description: \|`
			`# This is an example template on how to configure keystone federation for`
			`# the OpenID Connect protocol. You must modify the parameters to use`
			`# values appropriate for your identity provider.`
			`parameter_defaults:`
			`# A list of methods used for authentication.`
			`# Type: comma_delimited_list`
			`KeystoneAuthMethods: password,token,openid`

			`# The client ID to use when handshaking with your OpenID Connect provider`
			`# Type: string`
			`KeystoneOpenIdcClientId: myclientid`

			`# The client secret to use when handshaking with your OpenID Connect provider`
			`# Type: string`
			`KeystoneOpenIdcClientSecret: myclientsecret`

			`# Passphrase to use when encrypting data for OpenID Connect handshake.`
			`# Type: string`
			`KeystoneOpenIdcCryptoPassphrase: openstack`

			`# The name associated with the IdP in Keystone.`
			`# Type: string`
			`KeystoneOpenIdcIdpName: myidp`

			`# The url that points to your OpenID Connect provider metadata`
			`# Type: string`
Add horizon WebSSO support for OpenID Connect This adds support for configuring horizon for WebSSO when keystone federation with OpenID Connect is enabled. This patch just exposes some new parameters to use puppet-horizon for configuration. The sample environment file for OpenID Connect federation is also updated to use the new parameters. Some of the sample defaults were updated to more closely match the URLs that horizon expects. Change-Id: I7c3ee6b54cc0c9653742c3ce1de60b2851d1fe68 2018-12-21 19:15:25 -08:00			`KeystoneOpenIdcProviderMetadataUrl: https://myidp.example.test/auth/realms/openstack/.well-known/openid-configuration`
Enable support for openidc federation in keystone This exposes parameters to configure OpenIDC federation in Keystone. Change-Id: I3e06ca5fde65f3e2c3c084f96209d1b38d5f8b86 Depends-on: Id2ef3558a359883bf3182f50d6a082b1789a900a 2018-06-12 14:35:00 -04:00
			`# Attribute to be used to obtain the entity ID of the Identity Provider from the environment.`
			`# Type: string`
			`KeystoneOpenIdcRemoteIdAttribute: HTTP_OIDC_ISS`

			`# Response type to be expected from the OpenID Connect provider.`
			`# Type: string`
			`KeystoneOpenIdcResponseType: id_token`

			`# A list of dashboard URLs trusted for single sign-on.`
			`# Type: comma_delimited_list`
Add horizon WebSSO support for OpenID Connect This adds support for configuring horizon for WebSSO when keystone federation with OpenID Connect is enabled. This patch just exposes some new parameters to use puppet-horizon for configuration. The sample environment file for OpenID Connect federation is also updated to use the new parameters. Some of the sample defaults were updated to more closely match the URLs that horizon expects. Change-Id: I7c3ee6b54cc0c9653742c3ce1de60b2851d1fe68 2018-12-21 19:15:25 -08:00			`KeystoneTrustedDashboards: https://dashboard.example.test/dashboard/auth/websso/`

			`# Specifies the list of SSO authentication choices to present. Each item is a list of an SSO choice identifier and a display message.`
			`# Type: json`
			`WebSSOChoices: [['OIDC', 'OpenID Connect']]`

			`# Specifies a mapping from SSO authentication choice to identity provider and protocol. The identity provider and protocol names must match the resources defined in keystone.`
			`# Type: json`
			`WebSSOIDPMapping: {'OIDC': ['myidp', 'openid']}`

			`# The initial authentication choice to select by default`
			`# Type: string`
			`WebSSOInitialChoice: OIDC`
Enable support for openidc federation in keystone This exposes parameters to configure OpenIDC federation in Keystone. Change-Id: I3e06ca5fde65f3e2c3c084f96209d1b38d5f8b86 Depends-on: Id2ef3558a359883bf3182f50d6a082b1789a900a 2018-06-12 14:35:00 -04:00
			`# ******************************************************`
			`# Static parameters - these are values that must be`
			`# included in the environment but should not be changed.`
			`# ******************************************************`
			`# Enable support for federated authentication.`
			`# Type: boolean`
			`KeystoneFederationEnable: True`

			`# Enable support for OpenIDC federation.`
			`# Type: boolean`
			`KeystoneOpenIdcEnable: True`

Add horizon WebSSO support for OpenID Connect This adds support for configuring horizon for WebSSO when keystone federation with OpenID Connect is enabled. This patch just exposes some new parameters to use puppet-horizon for configuration. The sample environment file for OpenID Connect federation is also updated to use the new parameters. Some of the sample defaults were updated to more closely match the URLs that horizon expects. Change-Id: I7c3ee6b54cc0c9653742c3ce1de60b2851d1fe68 2018-12-21 19:15:25 -08:00			`# Enable support for Web Single Sign-On`
			`# Type: boolean`
			`WebSSOEnable: True`

Enable support for openidc federation in keystone This exposes parameters to configure OpenIDC federation in Keystone. Change-Id: I3e06ca5fde65f3e2c3c084f96209d1b38d5f8b86 Depends-on: Id2ef3558a359883bf3182f50d6a082b1789a900a 2018-06-12 14:35:00 -04:00			`# *********************`
			`# End static parameters`
			`# *********************`