:_mod-docs-content-type: PROCEDURE
[id="configuring-federation-for-keystone_{context}"]
= Configuring OIDC federation for the Identity service

[role="_abstract"]
To allow the {identity_service_first_ref} to trust an external OpenID Connect (OIDC) identity provider, apply the federation configuration and verify that federated users can authenticate.

.Prerequisites
* Keycloak is reachable from your {rhos_long} cluster.
* You have access to the Keycloak `keycloak-ca.crt` file that corresponds to its certificate chain.

.Procedure
. Create the `keycloakca` secret so that the {identity_service} pods trust the Keycloak certificate authority (CA):
+
----
$ oc create secret generic keycloakca \
    --from-file=KeyCloakCA= -n openstack
----
+
where:
+
``:: Specifies the path to the CA file that you want to use.

. Create the `keystone-httpd-override` secret that provides the Apache HTTPD overrides that are required for OIDC:
+
[source,yaml]
----
apiVersion: v1
kind: Secret
metadata:
  name: keystone-httpd-override
  namespace: openstack
type: Opaque
stringData:
  federation.conf: |
    OIDCClaimPrefix "OIDC-"
    OIDCResponseType "code"
    OIDCScope "openid profile email"
    OIDCClaimDelimiter ","
    OIDCPassUserInfoAs "payload"
    OIDCPassClaimsAs "both"
    OIDCProviderMetadataURL "https://keycloak-openstack.apps-crc.testing/auth/realms/openstack/.well-known/openid-configuration"
    OIDCClientID "rhoso"
    OIDCClientSecret ""
    OIDCCryptoPassphrase ""
    OIDCOAuthClientID "rhoso"
    OIDCOAuthClientSecret ""
    OIDCOAuthIntrospectionEndpoint "https://keycloak-openstack.apps-crc.testing/auth/realms/openstack/protocol/openid-connect/token/introspect"
    OIDCRedirectURI "https://keystone-public-openstack.apps-crc.testing/v3/auth/OS-FEDERATION/identity_providers/kcIDP/protocols/openid/websso/"
    LogLevel debug
    AuthType "openid-connect"
    Require valid-user
    AuthType oauth20
    Require valid-user
    AuthType "openid-connect"
    Require valid-user
----
+
where:
+
``:: Specifies the client ID to use for the OIDC provider handshake. You must get the client ID from your SSO administrator.
``:: Specifies the client secret to use for the OIDC provider handshake. You must get the client secret from your SSO administrator after providing your redirect URLs.
`` and ``:: Specify the chosen string that creates your unique redirect URL.

. Patch the `OpenStackControlPlane` custom resource (CR) to enable OIDC federation for Keystone. Ensure that you merge the patch with any existing custom configuration for the {identity_service}:
+
[source,yaml]
----
spec:
  tls:
    caBundleSecretName: keycloakca
  keystone:
    template:
      customServiceConfig: |
        [token]
        expiration = 360000
        [federation]
        trusted_dashboard=https://horizon-openstack.apps-crc.testing/dashboard/auth/websso/
        sso_callback_template=/etc/keystone/sso_callback_template.html
        [openid]
        remote_id_attribute=HTTP_OIDC_ISS
        [auth]
        methods = password,token,oauth1,mapped,application_credential,openid
        [trusted_ip]
        trusted_forwarded_for_header=True
      httpdCustomization:
        customConfigSecret: keystone-httpd-override
----

.Verification
. Request a federated token before adoption:
+
----
$ openstack token issue
----
+
This command returns an access token that is issued for the federated user.

. Verify the token against the newly adopted {identity_service} instance:
+
----
$ oc exec -t openstackclient -- env -u OS_CLOUD - \
    OS_AUTH_URL=https://keystone-public-openstack.apps-crc.testing/v3 \
    OS_AUTH_TYPE=v3oidcaccesstoken \
    OS_ACCESS_TOKEN=$(openstack token issue -f value -c id) \
    openstack project show
----
+
where:
+
``:: Replace with the ID of your OpenStack project.
+
A successful response confirms that the federated OIDC configuration is active on the podified Keystone deployment.
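The `federation.conf` secret and the `customServiceConfig` patch above must agree with each other before you apply them: the client secret and crypto passphrase placeholders must be filled in, the redirect URI must follow the `identity_providers/<idp>/protocols/openid/websso/` path that Keystone routes to its mapping, and the Keystone `[auth]` methods must include `openid` and `mapped`. The following script is an added example, not part of this procedure or of the keystone-operator; it runs offline over constructed copies of the two snippets and reports what would still need fixing before the secret and the CR patch are applied. The directive names it checks are the ones shown in the procedure; the finding messages and the `check_federation` function are this example's own.

```python
import configparser
from urllib.parse import urlparse

# Constructed copy of the federation.conf stringData from the keystone-httpd-override secret.
HTTPD_FEDERATION_CONF = """\
OIDCClaimPrefix "OIDC-"
OIDCResponseType "code"
OIDCScope "openid profile email"
OIDCClaimDelimiter ","
OIDCPassUserInfoAs "payload"
OIDCPassClaimsAs "both"
OIDCProviderMetadataURL "https://keycloak-openstack.apps-crc.testing/auth/realms/openstack/.well-known/openid-configuration"
OIDCClientID "rhoso"
OIDCClientSecret ""
OIDCCryptoPassphrase ""
OIDCOAuthClientID "rhoso"
OIDCOAuthClientSecret ""
OIDCOAuthIntrospectionEndpoint "https://keycloak-openstack.apps-crc.testing/auth/realms/openstack/protocol/openid-connect/token/introspect"
OIDCRedirectURI "https://keystone-public-openstack.apps-crc.testing/v3/auth/OS-FEDERATION/identity_providers/kcIDP/protocols/openid/websso/"
LogLevel debug
"""

# Constructed copy of the customServiceConfig block from the OpenStackControlPlane patch.
KEYSTONE_CUSTOM_CONFIG = """\
[token]
expiration = 360000
[federation]
trusted_dashboard=https://horizon-openstack.apps-crc.testing/dashboard/auth/websso/
sso_callback_template=/etc/keystone/sso_callback_template.html
[openid]
remote_id_attribute=HTTP_OIDC_ISS
[auth]
methods = password,token,oauth1,mapped,application_credential,openid
[trusted_ip]
trusted_forwarded_for_header=True
"""

SECRET_DIRECTIVES = ("OIDCClientSecret", "OIDCCryptoPassphrase", "OIDCOAuthClientSecret")
URL_DIRECTIVES = ("OIDCProviderMetadataURL", "OIDCOAuthIntrospectionEndpoint", "OIDCRedirectURI")
REDIRECT_PREFIX = "/v3/auth/OS-FEDERATION/identity_providers/"
REDIRECT_SUFFIX = "/protocols/openid/websso/"


def parse_httpd_directives(text):
    """Map each top-level `Directive "value"` line to its unquoted value (last one wins)."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue
        name, _, value = line.partition(" ")
        directives[name] = value.strip().strip('"')
    return directives


def idp_from_redirect_uri(uri):
    """Return the identity provider name embedded in the websso redirect path, or None."""
    path = urlparse(uri).path
    if not (path.startswith(REDIRECT_PREFIX) and path.endswith(REDIRECT_SUFFIX)):
        return None
    return path[len(REDIRECT_PREFIX):-len(REDIRECT_SUFFIX)] or None


def check_federation(httpd_text, keystone_text):
    """Return a list of findings; an empty list means the snippets agree and carry no placeholders."""
    findings = []
    httpd = parse_httpd_directives(httpd_text)

    # Secrets left as "" are the placeholders the procedure tells you to fill from your SSO administrator.
    for name in SECRET_DIRECTIVES:
        if not httpd.get(name):
            findings.append(f"{name} is empty: fill it in before creating the secret")

    # Every endpoint in the flow carries tokens or codes, so it must be TLS.
    for name in URL_DIRECTIVES:
        url = httpd.get(name, "")
        if urlparse(url).scheme != "https":
            findings.append(f"{name} must be an https URL, got {url!r}")

    meta_host = urlparse(httpd.get("OIDCProviderMetadataURL", "")).hostname
    intro_host = urlparse(httpd.get("OIDCOAuthIntrospectionEndpoint", "")).hostname
    if meta_host != intro_host:
        findings.append("metadata URL and introspection endpoint point at different hosts")

    if idp_from_redirect_uri(httpd.get("OIDCRedirectURI", "")) is None:
        findings.append("OIDCRedirectURI does not follow .../identity_providers/<idp>/protocols/openid/websso/")

    # Debug logging of the authentication flow is useful while verifying and noisy afterwards.
    if httpd.get("LogLevel", "").lower() == "debug":
        findings.append("LogLevel debug logs the full OIDC flow; lower it once the integration is verified")

    ks = configparser.ConfigParser()
    ks.read_string(keystone_text)
    methods = {m.strip() for m in ks.get("auth", "methods", fallback="").split(",")}
    for required in ("openid", "mapped"):
        if required not in methods:
            findings.append(f"[auth] methods is missing {required!r}")
    if ks.get("openid", "remote_id_attribute", fallback="") != "HTTP_OIDC_ISS":
        findings.append("[openid] remote_id_attribute should be HTTP_OIDC_ISS so Keystone can match the issuer")
    dashboard = ks.get("federation", "trusted_dashboard", fallback="")
    if urlparse(dashboard).scheme != "https":
        findings.append(f"[federation] trusted_dashboard must be https, got {dashboard!r}")
    return findings


if __name__ == "__main__":
    for finding in check_federation(HTTPD_FEDERATION_CONF, KEYSTONE_CUSTOM_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the snippets as printed in the procedure, the script reports the three empty secrets and the debug log level; once those values are filled in it returns no findings, which is the state the secret and the CR patch should be in before you run `oc create secret` and patch the control plane.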