Keystone Saml Mellon

  • OpenStack Charmers
  • Cloud
juju deploy keystone-saml-mellon --channel yoga/stable

  • allow-cross-site-cookies | boolean

    Relaxes cross-site cookie security requirements to improve compatibility with identity providers (IdPs). However, enabling this option requires that the connection to the IdP uses HTTPS, to avoid cookie rejection by some modern browsers.

  • authn-requests-signed | boolean

    Default: True

    Indicates whether the samlp:AuthnRequest messages sent by the service provider (mellon) will be signed.

  • debug | boolean

    Enable debug logging

  • idp-discovery-service-url | string

    IdP discovery service URL. If set to "" (default), no discovery service will be used. If used, the resource "idp-metadata" must be an XML file containing descriptors for multiple IdPs.

  • idp-metadata-url | string

    An optional URL to retrieve IDP metadata from. If set, takes priority over the "idp-metadata" resource. Auto-updates of metadata occur during any hook execution, including update-status.

  • idp-name | string

    Default: myidp

    Identity provider name to use for URL generation. Must match the one that will be configured via OS-FEDERATION API.

  • nameid-formats | string

    Default: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified,urn:oasis:names:tc:SAML:2.0:nameid-format:transient,urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress,urn:oasis:names:tc:SAML:2.0:nameid-format:persistent,urn:mace:shibboleth:1.0:nameIdentifier

    NameIDFormat entries to be used in Service Provider metadata file and in SAML requests (comma-separated). Different NameID formats could be used like transient, persistent, X509SubjectName, emailAddress, unspecified and so on.

  • protocol-name | string

    Default: mapped

    Protocol name to use for URL generation. Must match the one that will be configured via OS-FEDERATION API.

  • saml-encryption | boolean

    (optional) Specifies whether SAML assertion encryption should be used. In many cases this option is not needed, as TLS is used to encrypt data at the transport level. This option results in Service Provider metadata rendered with the same KeyInfo used for both signing and encryption. In practice, this means that the private key specified in sp-private-key will be used both for signing SAML messages sent to an IdP and for decrypting messages sent by the IdP. The IdP has to receive the SP metadata file with a public key (or a cert) present with use="encryption" specified.

  • ssl_ca | string

    TLS CA to use to communicate with other components in a deployment. NOTE: This configuration option will take precedence over any certificates received over the certificates relation.

  • ssl_cert | string

    TLS certificate to install and use for any listening services. NOTE: This configuration option will take precedence over any certificates received over the certificates relation.

  • ssl_key | string

    TLS key to use with certificate specified as ssl_cert. NOTE: This configuration option will take precedence over any certificates received over the certificates relation.

  • subject-confirmation-data-address-check | boolean

    Default: True

    Controls whether the client IP address is checked against the address returned by the IdP in the Address attribute of the SubjectConfirmationData node. Disabling the check can be useful if your SP is behind a reverse proxy or any kind of unusual network topology that makes the client's IP address differ between the IdP and the SP. Default is on. Disabling it can be used for testing with something like testshib if you are behind a NAT.

  • use-internal-endpoints | boolean

    OpenStack mostly defaults to using public endpoints for internal communication between services. If set to True, this option will configure services to use internal endpoints where possible.

  • use-syslog | boolean

    Setting this to True will allow supporting services to log to syslog.

  • user-facing-name | string

    Default: myidp via mapped

    A user-facing name to be used for the identity provider and protocol combination. Used in the OpenStack dashboard.

  • verbose | boolean

    Enable verbose logging

  • want-assertions-signed | boolean

    Default: True

    Indicates a requirement for the saml:Assertion elements received by this service provider to be signed.
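
A check over these options, added here as an example (not part of the charm or its documentation): it flags settings that relax the signing, address-check, cookie and logging behaviour described above. It assumes the input has the shape of `juju config keystone-saml-mellon --format json`, with a `settings` object mapping each option to an entry holding `value`; the sample data is constructed.

```python
import json
from urllib.parse import urlsplit

# Signature and address checks this page documents as "Default: True".
EXPECTED_TRUE = (
    "authn-requests-signed",
    "want-assertions-signed",
    "subject-confirmation-data-address-check",
)

def audit(settings):
    """Return (option, finding) pairs for settings that weaken the SAML SP."""
    def value(name, fallback):
        entry = settings.get(name, {})
        return entry.get("value", entry.get("default", fallback))

    findings = []
    for name in EXPECTED_TRUE:
        if value(name, True) is not True:
            findings.append((name, "disabled; documented default is True"))
    # Assumption: options shown without a default on the page are off/empty.
    if value("allow-cross-site-cookies", False):
        findings.append(("allow-cross-site-cookies",
                         "cookie requirements relaxed; IdP connection must be HTTPS"))
    if value("debug", False):
        findings.append(("debug", "debug logging enabled"))
    # The metadata URL is re-fetched on every hook, so its transport matters.
    url = value("idp-metadata-url", "") or ""
    if url and urlsplit(url).scheme.lower() != "https":
        findings.append(("idp-metadata-url", "IdP metadata is fetched without TLS"))
    return findings

# Constructed sample, not output from a real deployment.
SAMPLE = json.loads("""
{"application": "keystone-saml-mellon", "settings": {
  "authn-requests-signed": {"default": true, "value": true},
  "want-assertions-signed": {"default": true, "value": false},
  "subject-confirmation-data-address-check": {"default": true, "value": false},
  "allow-cross-site-cookies": {"value": false},
  "debug": {"value": true},
  "idp-metadata-url": {"value": "http://idp.example.test/metadata.xml"}
}}
""")

if __name__ == "__main__":
    for option, finding in audit(SAMPLE["settings"]):
        print(f"{option}: {finding}")
```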