Modifying and deleting identity providers

You can edit, enable or disable, and delete existing identity providers. Enabling or disabling an identity provider allows or prohibits login for its federated users in the management panel.

Prerequisites

To edit an identity provider

Admin panel

  1. On the Projects and users screen, click the required domain.
  2. Switch to the Settings > Identity provider screen, click the ellipsis icon next to the identity provider, and then click Edit.
  3. Make the required changes, and then click Save.

After modifying the identity provider parameters, all of its federated users will be logged out of the management panel.

Command-line interface

Use the following command:

vinfra domain idp set [--issuer <issuer>] [--scope <scope>] [--metadata-url <metadata-url>]
                      [--client-id <client-id>] [--client-secret <client-secret>]
                      [--mapping <path>] [--name <name>] --domain <domain> <idp>
--issuer <issuer>
Identity provider issuer
--scope <scope>
Scope that defines what user identity data will be shared by the identity provider during authentication
--metadata-url <metadata-url>
Metadata URL of the identity provider's discovery endpoint
--client-id <client-id>
Client ID to access the identity provider
--client-secret <client-secret>
Client secret to access the identity provider
--mapping <path>

Path to the mapping configuration file.

A mapping file may look as follows:

# cat mapping.json
[
    {
        "local": [
            {
                "user": {
                    "name": "{0}"
                },
                "group": {
                    "name":"users"
                }
            }
        ],
        "remote": [{"type": "email"}]
    }
]

In this example, all users that have the attribute email will be mapped to the group users within the default domain. For details on creating a mapping file, refer to the OpenStack documentation.

--name <name>
A new name for the identity provider
--domain <domain>
Domain name or ID
<idp>
Identity provider name or ID

For example, to change the mapping rules of the identity provider My ADFS within the mydomain domain by using the mapping file new_mapping.json, run:

# vinfra domain idp set "My ADFS" --domain mydomain --mapping new_mapping.json

After modifying the identity provider parameters, all of its federated users will be logged out of the management panel.
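A pre-flight lint for a mapping file before it is passed to --mapping, as an added example that is not part of the original documentation or the vinfra tooling. It assumes Keystone-style mapping semantics, in which {N} placeholders index only the remote entries that carry no any_one_of/not_any_of condition; the function name, the finding labels and sample rules 1 and 2 are constructed for illustration.

```python
import json
import re

# Constructed sample: rule 0 is the page's mapping, rules 1 and 2 are invented for the demo.
SAMPLE = """[
  {"local": [{"user": {"name": "{0}"}, "group": {"name": "users"}}],
   "remote": [{"type": "email"}]},
  {"local": [{"user": {"name": "{0}"}, "group": {"name": "admins"}}],
   "remote": [{"type": "email"},
              {"type": "groups", "any_one_of": ["idp-admins"]}]},
  {"local": [{"user": {"name": "{1}"}}],
   "remote": [{"type": "email"}]}
]"""

CONDITIONS = {"any_one_of", "not_any_of"}  # keys that restrict which users match
PLACEHOLDER = re.compile(r"\{(\d+)\}")


def lint_mapping(text):
    """Return sorted (rule_index, finding) tuples for a mapping document."""
    rules = json.loads(text)
    if not isinstance(rules, list):
        return [(-1, "not-a-list")]
    findings = set()
    for i, rule in enumerate(rules):
        local = rule.get("local") if isinstance(rule, dict) else None
        remote = rule.get("remote") if isinstance(rule, dict) else None
        if not isinstance(local, list) or not isinstance(remote, list) or not remote:
            findings.add((i, "missing-local-or-remote"))
            continue
        # Assumption: {N} indexes only the remote entries without a condition.
        captures = [r for r in remote if not (r.keys() & CONDITIONS)]
        for n in PLACEHOLDER.findall(json.dumps(local)):
            if int(n) >= len(captures):
                findings.add((i, "placeholder-out-of-range"))
        # A group granted by a rule with no condition applies to every user
        # whose assertion carries the listed attributes.
        grants_group = any("group" in e or "groups" in e for e in local)
        if grants_group and len(captures) == len(remote):
            findings.add((i, "group-granted-without-condition"))
    return sorted(findings)


if __name__ == "__main__":
    for index, finding in lint_mapping(SAMPLE):
        print(f"rule {index}: {finding}")
```

The group-granted-without-condition finding is informational: it fires on the page's own sample mapping, where assigning every user with an email attribute to the users group is the intended behavior.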

To enable or disable an identity provider

Admin panel

  1. On the Projects and users screen, click the required domain.
  2. Switch to the Settings > Identity provider screen, click the ellipsis icon next to the identity provider, and then click Enable or Disable.

Command-line interface

Use the following command:

vinfra domain idp set [--enable] [--disable] --domain <domain> <idp>
--enable
Enable identity provider
--disable
Disable identity provider
--domain <domain>
Domain name or ID
<idp>
Identity provider name or ID

For example, to disable the identity provider My ADFS within the mydomain domain, run:

# vinfra domain idp set "My ADFS" --domain mydomain --disable

To delete an identity provider

Admin panel

  1. On the Projects and users screen, click the required domain.
  2. Switch to the Settings > Identity provider screen, click the ellipsis icon next to the identity provider, and then click Delete.
  3. Click Delete in the confirmation window.

After deleting an identity provider, all of its federated users will be removed along with it.

Command-line interface

Use the following command:

vinfra domain idp delete --domain <domain> <idp>
--domain <domain>
Domain name or ID
<idp>
Identity provider name or ID

For example, to delete the identity provider My ADFS within the mydomain domain, run:

# vinfra domain idp delete "My ADFS" --domain mydomain

After deleting an identity provider, all of its federated users will be removed along with it.