Currently in Queens, puppet-tripleo does not allow for configuring the Keystone API to use cookie-based session persistence. This prevents an operator from deploying an overcloud with SAML integration purely through TripleO as this piece must be configured manually after deployment and reconfigured after any update to the overcloud stack.
https://review.openstack.org/#/c/577309 in master branch resolves this issue and allows for semi-automated deployment of SAML integration when used with a customized Keystone container image and an environment file.
The tripleo-saml blueprint that is outstanding calls for both this patch and heat template work for user friendliness, but the puppet change by itself could be backported to stable/queens to allow for some path forward for an operator wanting to use SAML federation without post-deployment configuration.
Change abandoned by Emilien Macchi (<email address hidden>) on branch: stable/queens /review. openstack. org/579660
Review: https:/
Reason: The gate is suffering of timeouts, we need to clear it. Please do not restore or recheck this patch, I'll take care of it when gate is stable again.