Currently we are unable to support Keystone federation in oooq because we lack the ability to install an IdP in a deployment. Initially the ability to enable federation in oooq is mainly directed at CI testing and developer deployments. Now that oooq supports a supplemental node with IPA installed, the next logical step is to install an IdP alongside IPA on the supplemental node. Keycloak is the obvious choice because of its widespread upstream adoption, its support for brokered authentication, its multi-protocol support (OIDC & SAML), and because it is the community version of Red Hat's RH-SSO product.
The security DFG (responsible for Keystone, IPA, TLS-everywhere, etc.) has already developed Ansible roles to accomplish this. FWIW, Keycloak integrates with the 3 previously mentioned technologies to achieve a more comprehensive authentication system. At this point we're mainly interested in getting the new Ansible roles upstream in Tripleo-Quickstart and Tripleo-Quickstart-Extras. Now that an associated bug has been created for the RFE, I will initiate a Gerrit review. The good news is that the new Ansible role is independent of any other role and would only be utilized if explicitly enabled, for instance via inclusion in an oooq featureset (probably featureset039.yml).
Fix proposed to branch: master
Review: https://review.opendev.org/671262