To enable the federation extension:
Add the federation extension driver to the [federation] section in keystone.conf. For example:
[federation]
driver = keystone.contrib.federation.backends.sql.Federation
Add the saml2 and/or oidc authentication methods to the [auth] section in keystone.conf:
[auth]
methods = external,password,token,saml2,oidc
saml2 = keystone.auth.plugins.mapped.Mapped
oidc = keystone.auth.plugins.mapped.Mapped
Note
The external method should be dropped to avoid interference with some Apache + Shibboleth SP setups, where the REMOTE_USER environment variable is always set, even to an empty value.
Add the federation_extension middleware to the api_v3 pipeline in keystone-paste.ini. This must be added after json_body and before the last entry in the pipeline. For example:
[pipeline:api_v3]
pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension service_v3
Create the federation extension tables if using the provided SQL backend. For example:
./bin/keystone-manage db_sync --extension federation
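As an added example (not Keystone's own code), the following POSIX shell script checks a keystone.conf and keystone-paste.ini against the settings above: the federation driver, the saml2/oidc methods with external dropped, and the position of federation_extension in the api_v3 pipeline. The sample files it builds are constructed inline, and the KEYSTONE_CONF and PASTE_INI variables are assumed names for pointing it at real files.

```sh
#!/bin/sh
# Added check script, not part of Keystone. Sample config files are constructed
# inline so it runs offline; set KEYSTONE_CONF and PASTE_INI to check real files.
make_sample_conf() {   # constructed sample keystone.conf, not a real deployment file
  cat <<'EOF'
[federation]
driver = keystone.contrib.federation.backends.sql.Federation
[auth]
methods = password,token,saml2,oidc
saml2 = keystone.auth.plugins.mapped.Mapped
oidc = keystone.auth.plugins.mapped.Mapped
EOF
}
make_sample_paste() {  # constructed sample keystone-paste.ini with the api_v3 pipeline
  cat <<'EOF'
[pipeline:api_v3]
pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension service_v3
EOF
}
# ini_get SECTION KEY FILE: print the value of KEY inside [SECTION] (first match).
ini_get() {
  awk -v sec="[$1]" -v key="$2" '
    $0 == sec { insec = 1; next }
    /^\[/     { insec = 0 }
    insec && $0 ~ ("^" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }' "$3"
}
check_driver() {  # step 1: the SQL federation driver is configured
  [ "$(ini_get federation driver "$1")" = "keystone.contrib.federation.backends.sql.Federation" ]
}
check_auth_methods() {  # step 2: saml2 and oidc enabled and mapped, external dropped (see note)
  m=",$(ini_get auth methods "$1" | tr -d ' '),"
  case "$m" in *,saml2,*) ;; *) return 1 ;; esac
  case "$m" in *,oidc,*)  ;; *) return 1 ;; esac
  case "$m" in *,external,*) return 1 ;; esac
  [ "$(ini_get auth saml2 "$1")" = "keystone.auth.plugins.mapped.Mapped" ] &&
  [ "$(ini_get auth oidc "$1")" = "keystone.auth.plugins.mapped.Mapped" ]
}
check_pipeline() {  # step 3: federation_extension after json_body and before the last entry
  ini_get pipeline:api_v3 pipeline "$1" | awk '
    { for (i = 1; i <= NF; i++) { if ($i == "json_body") jb = i; if ($i == "federation_extension") fe = i }
      ok = (jb && fe && fe > jb && fe < NF) }
    END { exit !ok }'
}
tmp=$(mktemp -d); make_sample_conf > "$tmp/keystone.conf"; make_sample_paste > "$tmp/keystone-paste.ini"
conf=${KEYSTONE_CONF:-$tmp/keystone.conf}; paste=${PASTE_INI:-$tmp/keystone-paste.ini}
check_driver "$conf"       && echo "ok   [federation] driver" || echo "FAIL [federation] driver"
check_auth_methods "$conf" && echo "ok   [auth] methods"      || echo "FAIL [auth] methods"
check_pipeline "$paste"    && echo "ok   api_v3 pipeline"     || echo "FAIL api_v3 pipeline"
```

Each check reports FAIL for the specific setting that is wrong, so a misordered pipeline or a leftover external method shows up before Keystone is restarted.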
As of the Juno release, multiple Keystone deployments can be federated. To do so, the pysaml2 library is required. Since OS-FEDERATION is an extension, pysaml2 is not installed by default and must be installed manually. For example:
pip install --upgrade $(grep pysaml2 test-requirements.txt)
Also, the xmlsec1 command-line tool is needed to sign the SAML assertions generated by the Keystone Identity Provider:
$ apt-get install xmlsec1