Keystone Saml Mellon

authn-requests-signed | boolean

Default: True

Indicates whether the <samlp:AuthnRequest> messages sent by the service provider (mellon) will be signed.

debug | boolean

Enable debug logging

idp-discovery-service-url | string

IDP discovery service URL. If set to "" (default) no discovery service will be used. If used, the resource "idp-metadata" must be an XML file containing descriptors for multiple IDPs

idp-metadata-url | string

An optional URL to retrieve IDP metadata from. If set, takes priority over the "idp-metadata" resource. Auto-updates of metadata occur during any hook execution, including update-status.

idp-name | string

Default: myidp

Identity provider name to use for URL generation. Must match the one that will be configured via OS-FEDERATION API.

nameid-formats | string

Default: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified,urn:oasis:names:tc:SAML:2.0:nameid-format:transient,urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress,urn:oasis:names:tc:SAML:2.0:nameid-format:persistent,urn:mace:shibboleth:1.0:nameIdentifier

NameIDFormat entries to be used in Service Provider metadata file and in SAML requests (comma-separated). Different NameID formats could be used like transient, persistent, X509SubjectName, emailAddress, unspecified and so on.

protocol-name | string

Default: mapped

Protocol name to use for URL and generation. Must match the one that will be configured via OS-FEDERATION API.

saml-encryption | boolean

(optional) Specifies whether SAML assertion encryption should be used. In many cases this option is not needed as TLS is used to encrypt data at the transport level. This option results in Service Provider metadata rendered with the same KeyInfo used for both signing and encryption. In practice, this means that the private key specified in sp-private-key will be used for both signing SAML messages to an idP and decryption of messages sent by idP. idP has to receive the SP metadata file with a public key (or a cert) present with use="encryption" specified.

ssl_ca | string

TLS CA to use to communicate with other components in a deployment. . __NOTE__: This configuration option will take precedence over any certificates received over the ``certificates`` relation.

ssl_cert | string

TLS certificate to install and use for any listening services. . __NOTE__: This configuration option will take precedence over any certificates received over the ``certificates`` relation.

ssl_key | string

TLS key to use with certificate specified as ``ssl_cert``. . __NOTE__: This configuration option will take precedence over any certificates received over the ``certificates`` relation.

subject-confirmation-data-address-check | boolean

Default: True

This option is used to control the checking of client IP address against the address returned by the IdP in Address attribute of the SubjectConfirmationData node. Can be useful if your SP is behind a reverse proxy or any kind of strange network topology making IP address of client different for the IdP and the SP. Default is on. This can be used for testing with something like testshib if you are behind a NAT.

use-internal-endpoints | boolean

Openstack mostly defaults to using public endpoints for internal communication between services. If set to True this option will configure services to use internal endpoints where possible.

use-syslog | boolean

Setting this to True will allow supporting services to log to syslog.

user-facing-name | string

Default: myidp via mapped

A user-facing name to be used for the identity provider and protocol combination. Used in the OpenStack dashboard.

verbose | boolean

Enable verbose logging

want-assertions-signed | boolean

Default: True

Indicates a requirement for the <saml:Assertion> elements received by this service provider to be signed.