federation domain not configured correctly

Bug #1908703 reported by PerToft
Affects: OpenStack-Ansible | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

The openstack domain is not configured properly when it's defined:

    federated_identities:
    - domain: default
      group: wayf
      project: wayf
      role: _member_

The task configuring it takes a wrong parameter, domain_id, instead of the configured domain:

    - name: Ensure external IDP
      keystone:
        command: ensure_identity_provider
        idp_name: "{{ item.name }}"
        idp_remote_ids: "{{ item.entity_ids }}"
        idp_enabled: true
        idp_domain_id: "{{ item.domain_id | default('default') }}"
        login_user: "{{ keystone_admin_user_name }}"
        login_password: "{{ keystone_auth_admin_password }}"
        login_project_name: "{{ keystone_admin_tenant_name }}"
        endpoint: "{{ keystone_service_adminurl }}"
        insecure: "{{ keystone_service_adminuri_insecure }}"
      when: item.name is defined
      with_items: "{{ keystone_sp.trusted_idp_list | default([]) }}"

This results in a newly created random domain for the federation provider, even though it's configured to default.

Federation config example: http://paste.openstack.org/show/801147/

Revision history for this message
Georgina Shippey (gshippey) wrote :

I am sorry, but I'm kind of confused! More info might be needed.

So from my understanding federated_identities gives you a chance to create any groups/projects/roles you may want in place to map federated users to in your protocol rules.

The section of code you've given 'Ensure external IDP' does not look at data specified in the federated_identities. See https://github.com/openstack/openstack-ansible-os_keystone/blob/ec22a56cea700390c7dd2cf44b4be9f9220dc078/library/keystone_sp#L77.

I am thinking that you might actually be having issues with the domain_id specified here:

    keystone_sp:
    ...
        name: WAYF
        domain_id: default
        protocols:
    ...

Where are you seeing the randomly generated domain more specifically?
If you are using the CLI can you specify the command please.

Georgina Shippey (gshippey) wrote :

Also the OSA release you are using would help as well.

PerToft (per-minfejl) wrote :

Hi Georgina,

Sorry for not specifying enough details here.

If you dig into https://github.com/openstack/openstack-ansible-os_keystone/blob/f3d96876dfd71c03283a3db58ece76c527347b3e/tasks/keystone_federation_sp_idp_setup.yml#L30
the task iterates over keystone_federated_identities
    with_items: "{{ keystone_federated_identities | default([]) }}"
and then uses name: "{{ item.domain }}"
This resolves to
    - domain: default
      group: wayf
      project: wayf
      role: _member_
which I think is intended and is according to the documentation examples in defaults/main.yml.

However, in "Ensure external IDP"
https://github.com/openstack/openstack-ansible-os_keystone/blob/f3d96876dfd71c03283a3db58ece76c527347b3e/tasks/keystone_federation_sp_idp_setup.yml#L124
the iteration is done over keystone_sp.trusted_idp_list
    with_items: "{{ keystone_sp.trusted_idp_list | default([]) }}"
and the variable used is the domain_id
    idp_domain_id: "{{ item.domain_id | default(omit) }}"

For this to work as intended, mapping all IDP users to the default domain, you need also to declare federated_identities and domain_id:

trusted_idp_list:
    federated_identities:
    - domain: default
      group: wayf
      project: wayf
      role: _member_
    domain_id: default

When domain_id is not declared:

Digging into the keystone source: https://github.com/openstack/keystone/blob/a98f006f854be02e5682390012d8bb917f4f3940/keystone/federation/core.py#L71

        if not idp.get('domain_id'):
            idp['domain_id'] = self._create_idp_domain(idp_id)
            auto_created_domain = True
        else:
            self._assert_valid_domain_id(idp['domain_id'])

It will auto-create the domain id if not defined.

Initially, I spent days figuring out where to use the domain name (Default) and where to use the domain id (default).
But declaring both variables works, but I think the task "Ensure external IDP" should resolve federated_identities.domain instead of its own variable.
If that's not possible, the domain_id variable should at least be documented.

I would love to help, but I have no more time in the project to contribute to dev. However, I would love to help test and debug.
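Added example, not code from this thread or from openstack-ansible: a small pre-flight check that mirrors (in simplified form) keystone's domain resolution quoted above and lints a keystone_sp structure for trusted IdPs whose domain would be auto-generated or would differ from the domain named in federated_identities. The sample data is constructed to resemble the report.

```python
"""Lint an openstack-ansible keystone_sp config for the IdP domain mismatch
described in this bug. Added example with constructed sample data; it does not
talk to a live keystone and only models the quoted core.py branch."""
import uuid


def resolve_idp_domain(idp, known_domain_ids):
    """Simplified model of keystone/federation/core.py: with no domain_id a
    fresh domain (random uuid id) is created for the IdP; otherwise the given
    id must already exist."""
    domain_id = idp.get("domain_id")
    if not domain_id:
        return {"domain_id": uuid.uuid4().hex, "auto_created": True}
    if domain_id not in known_domain_ids:
        raise ValueError(f"domain_id {domain_id!r} does not exist")
    return {"domain_id": domain_id, "auto_created": False}


def lint_keystone_sp(keystone_sp, federated_identities):
    """Return one finding per trusted IdP that would not land in the domain
    that federated_identities prepares groups/projects/roles in."""
    findings = []
    expected = sorted({fi["domain"] for fi in federated_identities})
    for idp in keystone_sp.get("trusted_idp_list", []):
        name = idp.get("name", "<unnamed>")
        if not idp.get("domain_id"):
            findings.append(f"{name}: no domain_id, keystone will auto-create "
                            f"a domain; federated_identities expects {expected}")
        elif expected and idp["domain_id"] not in expected:
            findings.append(f"{name}: domain_id {idp['domain_id']!r} differs "
                            f"from federated_identities domains {expected}")
    return findings


# Constructed sample modelled on the report: an IdP without domain_id while
# federated_identities targets the default domain.
SAMPLE_SP = {"trusted_idp_list": [
    {"name": "WAYF", "entity_ids": ["https://idp.example.test/saml"]}]}
SAMPLE_IDENTITIES = [
    {"domain": "default", "group": "wayf", "project": "wayf", "role": "_member_"}]

if __name__ == "__main__":
    for finding in lint_keystone_sp(SAMPLE_SP, SAMPLE_IDENTITIES):
        print(finding)
```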

Georgina Shippey (gshippey) wrote :

You are taking me down memory lane!

So I raised this bug with keystone a while back:
https://bugs.launchpad.net/keystone/+bug/1883247
From what I found while playing around, there aren't any operational issues with having an IDP with a generated domain, which is why I imagine we do not have any bug reports around this.

I added the functionality to specify the domain id of the IDP as I felt it was right to have the ability to keep things consistent.
- https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/735654
- https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/735655
As people already have installations where the IDP has a randomly generated domain I wanted to keep things backwards compatible as to not cause any issues, and therefore made setting the domain_id on the IDP optional.

Furthermore, not everyone makes use of the federated_identities section. For example, in the deployment I maintain the local portion of my mapping looks like:

    - local:
      - user:
          domain:
            id: default
          name: "{0}"
          email: "{1}"
        projects:
          - name: "{0}_project"
            roles:
              - name: _member_

The project is autogenerated in this case, and I have no need to assign the user a group. Therefore there is nothing I need federated_identities to create / ensure in advance. Assuming the default domain always exists. Hence I do not believe the domain id for the IDP should come from the federated_identities.

In the keystone_sp section of https://docs.openstack.org/openstack-ansible-os_keystone/latest/ there is a reference to domain_id; however, I can see your point, this may be easy to miss. I also concur that knowing when to use the Default/default domain name or domain_id did cause me issues when I was deploying as well. Unfortunately this comes from having old code that is not standardised. I will try to spend some time (when I can find it) updating the documentation to make things clearer.

Hopefully with the new ansible 2.10 keystone modules some of this code can be simplified. But again finding the time...

Thanks for all your feedback! Please keep us updated :)
