The idp module allows to ensure presence and absence of idps.
- Idp management
FreeIPA versions 4.4.0 and up are supported by the ipaidp module.
Controller
- Ansible version: 2.15+
Node
- Supported FreeIPA version (see above)
Example inventory file
[ipaserver]
ipaserver.test.local
Example playbook to make sure keycloak idp my-keycloak-idp is present:
---
- name: Playbook to manage IPA idp.
hosts: ipaserver
become: false
tasks:
- name: Ensure keycloak idp my-keycloak-idp is present
ipaidp:
ipaadmin_password: SomeADMINpassword
name: my-keycloak-idp
provider: keycloak
organization: main
base_url: keycloak.idm.example.com:8443/auth
client_id: my-client-id
Example playbook to make sure keycloak idp my-keycloak-idp is absent:
---
- name: Playbook to manage IPA idp.
hosts: ipaserver
become: false
tasks:
- name: Ensure keycloak idp my-keycloak-idp is absent
ipaidp:
ipaadmin_password: SomeADMINpassword
name: my-keycloak-idp
delete_continue: true
state: absent
Example playbook to make sure github idp my-github-idp is present:
---
- name: Playbook to manage IPA idp.
hosts: ipaserver
become: false
tasks:
- name: Ensure github idp my-github-idp is present
ipaidp:
ipaadmin_password: SomeADMINpassword
name: my-github-idp
provider: github
client_id: my-github-client-id
Example playbook to make sure google idp my-google-idp is present using provider defaults without specifying provider:
---
- name: Playbook to manage IPA idp.
hosts: ipaserver
become: false
tasks:
- name: Ensure google idp my-google-idp is present using provider defaults without specifying provider
ipaidp:
ipaadmin_password: SomeADMINpassword
name: my-google-idp
auth_uri: https://accounts.google.com/o/oauth2/auth
dev_auth_uri: https://oauth2.googleapis.com/device/code
token_uri: https://oauth2.googleapis.com/token
keys_uri: https://www.googleapis.com/oauth2/v3/certs
userinfo_uri: https://openidconnect.googleapis.com/v1/userinfo
client_id: my-google-client-id
scope: "openid email"
idp_user_id: email
Example playbook to make sure google idp my-google-idp is present using provider:
---
- name: Playbook to manage IPA idp.
hosts: ipaserver
become: false
tasks:
- name: Ensure google idp my-google-idp is present using provider
ipaidp:
ipaadmin_password: SomeADMINpassword
name: my-google-idp
provider: google
client_id: my-google-client-id
Example playbook to make sure idps my-keycloak-idp, my-github-idp and my-google-idp are absent:
---
- name: Playbook to manage IPA idp.
hosts: ipaserver
become: false
tasks:
- name: Ensure idps my-keycloak-idp, my-github-idp and my-google-idp are absent
ipaidp:
ipaadmin_password: SomeADMINpassword
name:
- my-keycloak-idp
- my-github-idp
- my-google-idp
delete_continue: true
state: absent
Variable | Description | Required |
---|---|---|
ipaadmin_principal |
The admin principal is a string and defaults to admin |
no |
ipaadmin_password |
The admin password is a string and is required if there is no admin ticket available on the node | no |
ipaapi_context |
The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are server and client . |
no |
ipaapi_ldap_cache |
Use LDAP cache for IPA connection. The bool setting defaults to true. (bool) | false |
name | cn |
The list of idp name strings. | yes |
auth_uri | ipaidpauthendpoint | OAuth 2.0 authorization endpoint string. | no |
dev_auth_uri | ipaidpdevauthendpoint | Device authorization endpoint string. | no |
token_uri | ipaidptokenendpoint | Token endpoint string. | no |
userinfo_uri | ipaidpuserinfoendpoint | User information endpoint string. | no |
keys_uri | ipaidpkeysendpoint | JWKS endpoint string. | no |
issuer_url | ipaidpissuerurl | The Identity Provider OIDC URL string. | no |
client_id | ipaidpclientid | OAuth 2.0 client identifier string. | no |
secret | ipaidpclientsecret | OAuth 2.0 client secret string. | no |
scope | ipaidpscope | OAuth 2.0 scope string. Multiple scopes separated by space. | no |
idp_user_id | ipaidpsub | Attribute string for user identity in OAuth 2.0 userinfo. | no |
provider | ipaidpprovider | Pre-defined template string. This provides the provider defaults, which can be overridden with the other IdP options. Choices: ["google","github","microsoft","okta","keycloak"] | no |
organization | ipaidporg | Organization ID string or Realm name for IdP provider templates. | no |
base_url | ipaidpbaseurl | Base URL string for IdP provider templates. | no |
rename | new_name | New name for the Identity Provider server object. Only with state: renamed . |
no |
delete_continue | continue | Continuous mode. Don't stop on errors. Valid only if state is absent . |
no |
state |
The state to ensure. It can be one of present , absent , renamed , default: present . |
no |
Thomas Woerner