Modifying and deleting identity providers
For an existing identity provider, you can change the configuration and authorization flow type. You also can enable or disable an identity provider, thus allowing or prohibiting login for its federated users in the management panel. After deleting an identity provider, all of its federated users are removed along with it.
Prerequisites
- Identity providers are added to the admin panel, as described in Adding identity providers.
To edit an identity provider
Admin panel
- On the Projects and users screen, click the required domain.
- Switch to the Settings > Identity provider screen, click the ellipsis icon next to the identity provider, and then click Edit.
- Make the required changes, and then click Save.
After modifying the identity provider parameters, all of its federated users will be logged out of the management panel.
Command-line interface
Use the following command:
vinfra domain idp set [--issuer <issuer>] [--scope <issuer>] [--metadata-url <metadata-url>] [--client-id <client-id>] [--client-secret <client-secret>] [--mapping <path>] [--name <name>] --domain <domain> <idp>
--issuer <issuer>
- Identity provider issuer
--scope <scope>
- Scope that define what user identity data will be shared by the identity provider during authentication
--metadata-url <metadata-url>
- Metadata URL of the identity provider's discovery endpoint
--client-id <client-id>
- Client ID to access the identity provider
--client-secret <client-secret>
- Client secret to access the identity provider
--mapping <path>
-
Path to the mapping configuration file.
A mapping file may look as follows:
# cat mapping.json [ { "local": [ { "user": { "name": "{0}" }, "group": { "name":"users" } } ], "remote": [{"type": "email"}] } ]
In this example, all users that have the attribute
email
will be mapped to the groupusers
within thedefault
domain. For details on creating a mapping file, refer to the OpenStack documentation. --name <name>
- A new name for the identity provider
--domain <domain>
- Domain name or ID
<idp>
- Identity provider name or ID
For example, to change the mapping rules of the identity provider My ADFS
within the mydomain
domain by using the mapping file new_mapping.json, run:
# vinfra domain idp set "My ADFS" --domain mydomain --mapping new_mapping.json
After modifying the identity provider parameters, all of its federated users will be logged out of the management panel.
To change the authorization flow type
Use the following command:
vinfra domain idp set --response-type <response-type> --domain <domain> <idp>
--response-type <response-type>
-
Response type to be used in the authorization flow:
code
: use the Authorization Code Flowid_token
: use the Implicit Flow
--domain <domain>
- Domain name or ID
<idp>
- Identity provider name or ID
For example, to change the authorization flow type of the identity provider My ADFS
within the mydomain
domain to the Authorization Code Flow, run:
# vinfra domain idp set "My ADFS" --domain mydomain --response-type code
To change the authorization flow back to Implicit Flow, run:
# vinfra domain idp set "My ADFS" --domain mydomain --response-type id_token
To enable or disable an identity provider
Admin panel
- On the Projects and users screen, click the required domain.
- Switch to the Settings > Identity provider screen, click the ellipsis icon next to the identity provider, and then click Enable or Disable.
Command-line interface
Use the following command:
vinfra domain idp set [--enable] [--disable] --domain <domain> <idp>
--enable
- Enable identity provider
--disable
- Disable identity provider
--domain <domain>
- Domain name or ID
<idp>
- Identity provider name or ID
For example, to disable the identity provider My ADFS
within the mydomain
, run:
# vinfra domain idp set "My ADFS" --domain mydomain --disable
To delete an identity provider
Admin panel
- On the Projects and users screen, click the required domain.
- Switch to the Settings > Identity provider screen, click the ellipsis icon next to the identity provider, and then click Delete.
- Click Delete in the confirmation window.
Command-line interface
Use the following command:
vinfra domain idp delete --domain <domain> <idp>
--domain <domain>
- Domain name or ID
<idp>
- Identity provider name or ID
For example, to delete the identity provider My ADFS
within the mydomain
, run:
# vinfra domain idp delete "My ADFS" --domain mydomain