If you want to set up Keystone to use an external Identity Provider, you'll need to set up a few more parts.
Note: To set up Keystone to connect to another Identity Provider, you need to have already configured OpenStack Keystone to use Apache HTTPd.
The first thing to do is install Shibboleth as follows:
yum install shibboleth
To make Shibboleth work properly, we need to change /etc/httpd/conf.d/wsgi-keystone.conf by adding the following lines:

    WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/keystone/main/$1

    <Location /Shibboleth.sso>
        SetHandler shib
    </Location>

    <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
        ShibRequestSetting requireSession 1
        AuthType shibboleth
        ShibRequireAll On
        ShibRequireSession On
        ShibExportAssertion Off
        Require valid-user
    </LocationMatch>
The first line adds a new Alias for the keystone...
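As an added check (example code written for this page, not part of Keystone or Shibboleth), the following Python script parses the directives above and reports, for a given request path, whether the alias routes it to Keystone and whether the Shibboleth-protected block covers it. It assumes Python's re module behaves like Apache's regex engine for these two patterns; the identity provider name myidp and the function names are hypothetical.

```python
import re

# Directives copied from this page so the check runs offline.
CONF = """\
WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/keystone/main/$1
<Location /Shibboleth.sso>
    SetHandler shib
</Location>
<LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth>
    ShibRequestSetting requireSession 1
    AuthType shibboleth
    ShibRequireAll On
    ShibRequireSession On
    ShibExportAssertion Off
    Require valid-user
</LocationMatch>
"""

def parse(conf):
    """Return (alias regexes, [(LocationMatch regex, directives)])."""
    aliases = [re.compile(p) for p in
               re.findall(r"^\s*WSGIScriptAliasMatch\s+(\S+)", conf, re.M)]
    blocks = []
    for pat, body in re.findall(
            r"<LocationMatch\s+(\S+?)>(.*?)</LocationMatch>", conf, re.S):
        directives = {}
        for line in body.strip().splitlines():
            name, _, value = line.strip().partition(" ")
            directives[name.lower()] = value.strip().lower()
        blocks.append((re.compile(pat), directives))
    return aliases, blocks

def requires_shib_user(d):
    """True when the block demands a Shibboleth-authenticated user."""
    return d.get("authtype") == "shibboleth" and d.get("require") == "valid-user"

def classify(path, conf=CONF):
    """Return 'not-routed', 'shib-protected' or 'routed-no-shib'."""
    aliases, blocks = parse(conf)
    if not any(a.search(path) for a in aliases):
        return "not-routed"
    # LocationMatch regexes are unanchored, hence search() and not match().
    if any(rx.search(path) and requires_shib_user(d) for rx, d in blocks):
        return "shib-protected"
    return "routed-no-shib"

if __name__ == "__main__":
    base = "/v3/OS-FEDERATION/identity_providers/myidp/protocols/"  # constructed
    print({p: classify(base + p + "/auth") for p in ("saml2", "oidc")})
```

The alias pattern accepts any protocol name while the LocationMatch names only saml2, so a path for any other protocol is reported as routed-no-shib and would need its own authentication block in this file.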