Configure Google platform as an IdP for Keystone with OpenID
We followed the guide Identity, Authentication, and Access Management in OpenStack
(Chapter 5.6, A Practical Guide to Setting Up SSO with Google).
In this example the Keystone URL is http://keystone.cloud.garr.it
Prerequisites: configure Keystone and Dashboard with the basic set of functionalities (admin, demo projects, endpoints etc).
First of all, we need to generate the Google credentials that will be set in Keystone.
Go to https://console.cloud.google.com -> Use Google APIs
If you have not defined a project yet, Google asks you to create one. We call it GARR-CSD. Then the API Manager window opens.
Go to Credentials -> Create Credentials -> OAuth Client ID (see screenshot)
Google asks “To create an OAuth client ID, you must first set a product name on the consent screen”. In the next window, under Product Name, we choose GARR CSD. Next, the Credentials window pops up. Set:
Application Type: Web Application
Name: GARR Cloud
Authorized redirect URIs: https://keystone.cloud.garr.it:5000/v3/auth/OS-FEDERATION/websso/oidc/redirect
https://keystone-dmz.cloud.garr.it:5000/v3/auth/OS-FEDERATION/websso/oidc/redirect
https://keystone-staging.cloud.garr.it:5000/v3/auth/OS-FEDERATION/websso/oidc/redirect
Then click Create: a window pops up with the Client ID and client secret, which we will put in the Keystone config.
You will then find these keys listed in the main API Manager page, under OAuth 2.0 client IDs.
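Google compares the redirect URI sent during login with the registered list as an exact string, so a wrong scheme, port or trailing slash makes the WebSSO login fail. The following check is an added example, not part of the original guide: it derives the URI each Keystone host needs and audits a registered list against it. The function names and the second sample list are constructed for illustration; the hostnames, port and path are the ones listed above.

```python
from urllib.parse import urlsplit

# WebSSO redirect path as it appears in the URIs on this page.
WEBSSO_PATH = "/v3/auth/OS-FEDERATION/websso/{protocol}/redirect"

def expected_redirect_uri(host, port=5000, protocol="oidc"):
    """Redirect URI to register for one Keystone public hostname."""
    return f"https://{host}:{port}{WEBSSO_PATH.format(protocol=protocol)}"

def audit_redirect_uris(registered, hosts, port=5000, protocol="oidc"):
    """Return (problems, missing).

    problems maps each bad registered URI to the reasons it is wrong;
    missing lists the expected URIs that are not registered at all.
    """
    path = WEBSSO_PATH.format(protocol=protocol)
    problems = {}
    for uri in registered:
        parts = urlsplit(uri)
        reasons = []
        if parts.scheme != "https":
            reasons.append("scheme is not https")
        if parts.hostname not in hosts:
            reasons.append("host is not a known Keystone endpoint")
        if parts.port != port:
            reasons.append(f"port is not {port}")
        if parts.path != path:
            reasons.append("path differs from the WebSSO redirect path")
        if parts.query or parts.fragment:
            reasons.append("query string or fragment present")
        if reasons:
            problems[uri] = reasons
    expected = [expected_redirect_uri(h, port, protocol) for h in hosts]
    missing = [u for u in expected if u not in registered]
    return problems, missing

# Hostnames taken from the redirect URIs listed on this page.
HOSTS = ["keystone.cloud.garr.it", "keystone-dmz.cloud.garr.it",
         "keystone-staging.cloud.garr.it"]
PAGE_URIS = [expected_redirect_uri(h) for h in HOSTS]

# Constructed sample: staging registered over http and with a trailing slash.
SAMPLE_REGISTERED = PAGE_URIS[:2] + [
    "http://keystone-staging.cloud.garr.it:5000" + WEBSSO_PATH.format(protocol="oidc"),
    PAGE_URIS[2] + "/",
]

if __name__ == "__main__":
    print(audit_redirect_uris(PAGE_URIS, HOSTS))
    print(audit_redirect_uris(SAMPLE_REGISTERED, HOSTS))
```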