-
Notifications
You must be signed in to change notification settings - Fork 4
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Added documentation about example setup (#202)
Signed-off-by: Juan Pedro Torres <[email protected]> Co-authored-by: Max Wolfs <[email protected]>
- Loading branch information
Showing
2 changed files
with
22 additions
and
1 deletion.
There are no files selected for viewing
21 changes: 21 additions & 0 deletions
21
docs/05-iam/SCS-example-setup-configuration-description.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| # Example setup configuration in SCS deployment explained | ||
|
|
||
| The following document explains the idea behind the example configuration is done. | ||
| The playbook creates a proxy realm used to connect with `Keystone`, a customer realm, the clients needed to connect the realms, the identity brokering for the customer realm, a login flow | ||
| to be able to use the `home-IdP-discovery` plugin to redirect to the correct customer realm and an example user. | ||
| SCS operators can find the playbook that creates the setup [here](https://github.com/osism/ansible-playbooks/blob/main/playbooks/infrastructure/keycloak-oidc-client-config.yml). | ||
|
|
||
| 1. In the first place a proxy realm called `osism` on the example deployment. That realm will | ||
| become the realm that will be conected to `Keystone` | ||
|
|
||
| 2. A customer realm called `CustomerA` is created. On that realm a `OIDC` client is created to hook | ||
| up the realm to the proxy realm. This is done via `Identity Brokering` in the proxy realm. | ||
|
|
||
| 3. An `Identity provider` is configured in the `osism` realm, this is configured to be connected to | ||
| the `CustomerA` realm. For that, a set of mappers are created, the default ones are a `hardcoded-attribute` | ||
| that sets the domain where the user came from, and an `attribute-importer` mapper for the `openstack-default-project` that comes | ||
| in the `OIDC` claim from the customer realm. | ||
|
|
||
| 4. A new login flow has been created in the `osism` realm, this login flow is needed to use the `home-IdP-discovery` plugin. | ||
|
|
||
| 5. Creation of an example user called `Alice`. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters