Modifying and deleting identity providers

For an existing identity provider, you can change the configuration and authorization flow type. You also can enable or disable an identity provider, thus allowing or prohibiting login for its federated users in the management panel. After deleting an identity provider, all of its federated users are removed along with it.

Prerequisites

Identity providers are added to the admin panel, as described in Adding identity providers.

To edit an identity provider

Admin panel

On the Projects and users screen, click the required domain.
Switch to the Settings > Identity provider screen, click the ellipsis icon next to the identity provider, and then click Edit.
Make the required changes, and then click Save.

After modifying the identity provider parameters, all of its federated users will be logged out of the management panel.

Command-line interface

Use the following command:

vinfra domain idp set [--issuer <issuer>] [--scope <issuer>] [--metadata-url <metadata-url>]
                      [--client-id <client-id>] [--client-secret <client-secret>]
                      [--mapping <path>] [--name <name>] --domain <domain> <idp>

--issuer <issuer>

Identity provider issuer

--scope <scope>

Scope that define what user identity data will be shared by the identity provider during authentication

--metadata-url <metadata-url>

Metadata URL of the identity provider's discovery endpoint

--client-id <client-id>

Client ID to access the identity provider

--client-secret <client-secret>

Client secret to access the identity provider

--mapping <path>

Path to the mapping configuration file.

A mapping file may look as follows:

# cat mapping.json
[
    {
        "local": [
            {
                "user": {
                    "name": "{0}"
                },
                "group": {
                    "name":"users"
                }
            }
        ],
        "remote": [{"type": "email"}]
    }
]

In this example, all users that have the attribute email will be mapped to the group users within the default domain. For details on creating a mapping file, refer to the OpenStack documentation.

--name <name>

A new name for the identity provider

--domain <domain>

Domain name or ID

<idp>

Identity provider name or ID

For example, to change the mapping rules of the identity provider My ADFS within the mydomain domain by using the mapping file new_mapping.json, run:

# vinfra domain idp set "My ADFS" --domain mydomain --mapping new_mapping.json

After modifying the identity provider parameters, all of its federated users will be logged out of the management panel.

To change the authorization flow type

Use the following command:

vinfra domain idp set --response-type <response-type> --domain <domain> <idp>

--response-type <response-type>

Response type to be used in the authorization flow:

code: use the Authorization Code Flow
id_token: use the Implicit Flow

--domain <domain>

Domain name or ID

<idp>

Identity provider name or ID

For example, to change the authorization flow type of the identity provider My ADFS within the mydomain domain to the Authorization Code Flow, run:

# vinfra domain idp set "My ADFS" --domain mydomain --response-type code

To change the authorization flow back to Implicit Flow, run:

# vinfra domain idp set "My ADFS" --domain mydomain --response-type id_token

To enable or disable an identity provider

Admin panel

On the Projects and users screen, click the required domain.
Switch to the Settings > Identity provider screen, click the ellipsis icon next to the identity provider, and then click Enable or Disable.

Command-line interface

Use the following command:

vinfra domain idp set [--enable] [--disable] --domain <domain> <idp>

--enable: Enable identity provider
--disable: Disable identity provider
--domain <domain>: Domain name or ID
<idp>: Identity provider name or ID

For example, to disable the identity provider My ADFS within the mydomain, run:

# vinfra domain idp set "My ADFS" --domain mydomain --disable

To delete an identity provider

Admin panel

On the Projects and users screen, click the required domain.
Switch to the Settings > Identity provider screen, click the ellipsis icon next to the identity provider, and then click Delete.
Click Delete in the confirmation window.

Command-line interface

Use the following command:

vinfra domain idp delete --domain <domain> <idp>

--domain <domain>: Domain name or ID
<idp>: Identity provider name or ID

For example, to delete the identity provider My ADFS within the mydomain, run:

# vinfra domain idp delete "My ADFS" --domain mydomain