sunbeam-charms/charms/keystone-saml-k8s/charmcraft.yaml
Gabriel Adrian Samfira 204fb83a27 Add SAML2 support
This change adds SAML2 support through the use of a new keystone SAML
integrator charm (keystone-saml-k8s).

Needed changes have also been made in the keystone charm to make use of
the new relation.

A new option has also been added to keystone-k8s through which a secret
can be specified which should contain the x509 certificate and the
corresponding key from which it was derived, used to generate the keystone
SP metadata file.

Change-Id: Id9b6ab2a51891ac378a2cb406dbe3a456bc24fc4
Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
2025-08-20 09:28:30 +03:00

type: charm
name: keystone-saml-k8s
title: Keystone SAML
summary: Integrator charm to enable saml2 providers in Keystone
description: |
  Integrator charm to enable saml2 providers in Keystone.
platforms:
  ubuntu@24.04:amd64:
parts:
  charm:
    build-packages:
      - git
      - libffi-dev
      - libssl-dev
      - pkg-config
    charm-binary-python-packages:
      - cryptography
      - requests
    charm-requirements: [requirements.txt]
config:
  options:
    name:
      description: |
        The name of the IDP.
        This name will be used as a provider ID in keystone to identify the provider.
      type: string
      default: !!null ""
    label:
      description: |
        The label of the IDP.
        The label will be used as a display name for this IDP. Typically, you would
        set this to something like "Log in with Okta". This label will appear in Horizon,
        in the provider drop down.
      type: string
      default: !!null ""
    metadata-url:
      description: |
        The SAML2 metadata URL.
        The SAML2 metadata URL contains the URLs and signing keys we need to configure
        the IDP. There are some well known patterns for SAML2 URLs when it comes to public
        providers:
          * Okta: https://{yourOktaOrg}/app/{appId}/sso/saml/metadata
          * Google: https://accounts.google.com/o/saml2/idp?idpid={idp-id}
          * Entra ID: https://login.microsoftonline.com/{tenant}/federationmetadata/2007-06/federationmetadata.xml?appid={app_id}
        Other providers may have different URLs, but as long as they are reachable and
        include a valid SAML2 metadata response, they should work.
      default: !!null ""
      type: string
    ca-chain:
      description: |
        The CA chain used to validate the IDP.
        If the IDP uses a certificate issued by a custom CA, set this option. The value must
        be a base64 encoded version of the CA chain.
      type: string
      default: !!null ""
provides:
  keystone-saml:
    interface: keystone_saml
    limit: 1
actions:
  get-keystone-sp-urls:
    description: Get the keystone service provider URLs for this relation