Yan0S Keystone Saml Mellon

  • By Yanos Angelopoulos
  • Cloud
Channel        Revision  Published    Runs on
latest/stable  1         19 Mar 2021  Ubuntu 18.04, Ubuntu 16.04
latest/beta    1         19 Mar 2021  Ubuntu 18.04, Ubuntu 16.04
juju deploy yan0s-keystone-saml-mellon

Platform: Ubuntu 18.04, 16.04

Configurations

  • authn-requests-signed | boolean

    Default: True

    Indicates whether the <samlp:AuthnRequest> messages sent by the service provider (mellon) will be signed.

  • debug | boolean

    Enable debug logging

  • idp-discovery-service-url | string

    IDP discovery service URL

  • idp-metadata-auto-update | string

    If set to anything other than the empty string, the value is treated as a URL from which the IdP XML metadata is served. When set, the "idp-metadata" resource is ignored. The metadata is re-fetched on every "update-status" hook.

  • idp-name | string

    Default: myidp

    Identity provider name to use for URL generation. Must match the one that will be configured via the OS-FEDERATION API.

  • nameid-formats | string

    Default: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified,urn:oasis:names:tc:SAML:2.0:nameid-format:transient,urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress,urn:oasis:names:tc:SAML:2.0:nameid-format:persistent,urn:mace:shibboleth:1.0:nameIdentifier

    NameIDFormat entries to be used in the Service Provider metadata file and in SAML requests (comma-separated). Different NameID formats can be used, such as transient, persistent, X509SubjectName, emailAddress and unspecified.

  • protocol-name | string

    Default: mapped

    Protocol name to use for URL generation. Must match the one that will be configured via the OS-FEDERATION API.

  • saml-encryption | boolean

    (optional) Specifies whether SAML assertion encryption should be used. In many cases this option is not needed, as TLS already encrypts the data at the transport level. Enabling it renders the Service Provider metadata with the same KeyInfo for both signing and encryption. In practice, this means that the private key specified in sp-private-key is used both for signing SAML messages sent to the IdP and for decrypting messages received from the IdP. The IdP has to receive the SP metadata file with a public key (or a certificate) present and use="encryption" specified.

  • ssl_ca | string

    SSL CA to use to communicate with other OpenStack cloud components.

  • ssl_cert | string

    TLS certificate to install and use for any listening services. __NOTE__: This configuration option takes precedence over any certificates received over the ``certificates`` relation.

  • ssl_key | string

    TLS key to use with the certificate specified as ``ssl_cert``. __NOTE__: This configuration option takes precedence over any certificates received over the ``certificates`` relation.

  • subject-confirmation-data-address-check | boolean

    Default: True

    This option controls whether the client IP address is checked against the address returned by the IdP in the Address attribute of the SubjectConfirmationData node. Disabling it can be useful if your SP is behind a reverse proxy or another network topology that makes the client IP address seen by the IdP differ from the one seen by the SP. Default is on. This can be used for testing with something like testshib if you are behind a NAT.

  • use-internal-endpoints | boolean

    OpenStack mostly defaults to using public endpoints for internal communication between services. If set to True, this option configures services to use internal endpoints where possible.

  • use-syslog | boolean

    Setting this to True will allow supporting services to log to syslog.

  • user-facing-name | string

    Default: myidp via mapped

    A user-facing name to be used for the identity provider and protocol combination. Used in the OpenStack dashboard.

  • verbose | boolean

    Enable verbose logging

  • want-assertions-signed | boolean

    Default: True

    Indicates a requirement for the <saml:Assertion> elements received by this service provider to be signed.
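
A check of the published SP metadata against the signing, encryption and NameIDFormat settings above, as an added example that is not part of the charm or of mod_auth_mellon: it parses a constructed metadata sample and reports where AuthnRequestsSigned, WantAssertionsSigned, the use="encryption" KeyDescriptor that saml-encryption requires, and the NameIDFormat list disagree with the configured values. The sample metadata, its entityID and the function name are assumptions.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

# Constructed sample SP metadata (not taken from a real deployment); the
# entityID and certificate value are placeholders.
SAMPLE_SP_METADATA = f"""
<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://sp.example.test/mellon/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def check_sp_metadata(xml_text, authn_requests_signed=True, want_assertions_signed=True,
                      saml_encryption=False, nameid_formats=""):
    """Return the list of mismatches between the metadata and the charm settings.

    nameid_formats is the comma-separated string used by the charm option."""
    sp = ET.fromstring(xml_text).find("md:SPSSODescriptor", NS)
    if sp is None:
        return ["no SPSSODescriptor element in metadata"]
    findings = []
    for attr, expected in (("AuthnRequestsSigned", authn_requests_signed),
                           ("WantAssertionsSigned", want_assertions_signed)):
        actual = sp.get(attr, "false").lower() == "true"
        if actual != expected:
            findings.append(f"{attr} is {actual}, configured {expected}")
    # A KeyDescriptor without a use attribute is valid for both signing and encryption.
    uses = {kd.get("use") for kd in sp.findall("md:KeyDescriptor", NS)}
    if saml_encryption and not uses & {"encryption", None}:
        findings.append('saml-encryption is set but no KeyDescriptor usable for encryption is published')
    published = [e.text.strip() for e in sp.findall("md:NameIDFormat", NS)]
    configured = [f.strip() for f in nameid_formats.split(",") if f.strip()]
    if published != configured:
        findings.append(f"NameIDFormat list {published} differs from configured {configured}")
    return findings
```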