
This is possible. You need to use a mappings file.

https://docs.openstack.org/keystone/latest/admin/federation/mapping_combinations.html

A super simple mapping file:

[
    {
        "local": [
            {
                "user": {
                    "name": "{0}",
                    "email": "{0}"
                },
                "groups": "{1}",
                "domain": {
                    "id": "default"
                }
            }
        ],
        "remote": [
            {
                "type": "OIDC-email"
            },
            {
                "type": "OIDC-groups"
            }
        ]
    }
]

This maps a user name and email to OIDC-email and then maps any groups passed in the token to match against groups in openstack, and links that user to that group.
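
To see how the `{0}` and `{1}` placeholders in the mapping above line up with the `remote` entries, here is an added example (not part of the original answer and not Keystone's own code) that resolves the rule against a constructed assertion. It is a simplified model: the `resolve` function, the sample attribute values, the `;` value separator and the `EXISTING_GROUPS` set are assumptions for illustration, and the group filtering follows the answer's description.

```python
import json

# The mapping from the answer above, embedded so the example runs offline.
MAPPING = json.loads("""
[{"local": [{"user": {"name": "{0}", "email": "{0}"},
             "groups": "{1}",
             "domain": {"id": "default"}}],
  "remote": [{"type": "OIDC-email"}, {"type": "OIDC-groups"}]}]
""")

def resolve(rule, assertion, existing_groups):
    """Simplified model of one rule: returns the local identity, or None."""
    direct = []  # direct[n] holds the values that "{n}" refers to
    for req in rule["remote"]:
        raw = assertion.get(req["type"])
        if not raw:
            return None  # a required remote attribute is missing: no match
        # Assumption: multi-valued attributes arrive joined with ';'.
        direct.append([v for v in raw.split(";") if v])

    def fill(template):
        # Handles only templates that are a single whole "{n}" placeholder.
        return direct[int(template.strip("{}"))]

    local = rule["local"][0]
    wanted = fill(local["groups"])
    return {
        # User fields take the first value of the referenced attribute.
        "user": {k: fill(v)[0] for k, v in local["user"].items()},
        "domain": local["domain"]["id"],
        # Only names matching an existing group in the domain are linked.
        "groups": [g for g in wanted if g in existing_groups],
        "unmatched_groups": [g for g in wanted if g not in existing_groups],
    }

# Constructed sample input; attribute values and group names are made up.
ASSERTION = {"OIDC-email": "alice@example.com",
             "OIDC-groups": "admins;devs;contractors"}
EXISTING_GROUPS = {"admins", "devs"}

if __name__ == "__main__":
    print(json.dumps(resolve(MAPPING[0], ASSERTION, EXISTING_GROUPS), indent=2))
```

Because `"groups": "{1}"` passes every group name from the token through, any name asserted by the identity provider that matches an existing group in the `default` domain results in membership. Review which group names exist in that domain before trusting the claim.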