# *******************************************************************
# This file was created automatically by the sample environment
# generator. Developers should use `tox -e genconfig` to update it.
# Users are recommended to make changes to a copy of the file instead
# of the original, if any customizations are needed.
# *******************************************************************
# title: Enable keystone federation with OpenID Connect
# description: |
#   This is an example template on how to configure keystone federation for
#   the OpenID Connect protocol.  You must modify the parameters to use
#   values appropriate for your identity provider.
parameter_defaults:
  # A list of methods used for authentication.
  # Type: comma_delimited_list
  KeystoneAuthMethods: password,token,openid

  # The client ID to use when handshaking with your OpenID Connect provider
  # Type: string
  KeystoneOpenIdcClientId: myclientid

  # The client secret to use when handshaking with your OpenID Connect provider
  # Type: string
  KeystoneOpenIdcClientSecret: myclientsecret

  # Passphrase to use when encrypting data for OpenID Connect handshake.
  # Type: string
  KeystoneOpenIdcCryptoPassphrase: openstack

  # The name associated with the IdP in Keystone.
  # Type: string
  KeystoneOpenIdcIdpName: myidp

  # The url that points to your OpenID Connect provider metadata
  # Type: string
  KeystoneOpenIdcProviderMetadataUrl: https://myidp.example.test/auth/realms/openstack/.well-known/openid-configuration

  # Attribute to be used to obtain the entity ID of the Identity Provider from the environment.
  # Type: string
  KeystoneOpenIdcRemoteIdAttribute: HTTP_OIDC_ISS

  # Response type to be expected from the OpenID Connect provider.
  # Type: string
  KeystoneOpenIdcResponseType: id_token

  # A list of dashboard URLs trusted for single sign-on.
  # Type: comma_delimited_list
  KeystoneTrustedDashboards: https://dashboard.example.test/dashboard/auth/websso/

  # Specifies the list of SSO authentication choices to present. Each item is a list of an SSO choice identifier and a display message.
  # Type: json
  WebSSOChoices: [['OIDC', 'OpenID Connect']]

  # Specifies a mapping from SSO authentication choice to identity provider and protocol.  The identity provider and protocol names must match the resources defined in keystone.
  # Type: json
  WebSSOIDPMapping: {'OIDC': ['myidp', 'openid']}

  # The initial authentication choice to select by default
  # Type: string
  WebSSOInitialChoice: OIDC

  # ******************************************************
  # Static parameters - these are values that must be
  # included in the environment but should not be changed.
  # ******************************************************
  # Enable support for federated authentication.
  # Type: boolean
  KeystoneFederationEnable: True

  # Enable support for OpenIDC federation.
  # Type: boolean
  KeystoneOpenIdcEnable: True

  # Enable support for Web Single Sign-On
  # Type: boolean
  WebSSOEnable: True

  # *********************
  # End static parameters
  # *********************