Skip to content

Latest commit

 

History

History
192 lines (147 loc) · 5.34 KB

README-idp.md

File metadata and controls

192 lines (147 loc) · 5.34 KB

Idp module

Description

The idp module allows to ensure presence and absence of idps.

Features

  • Idp management

Supported FreeIPA Versions

FreeIPA versions 4.4.0 and up are supported by the ipaidp module.

Requirements

Controller

  • Ansible version: 2.15+

Node

  • Supported FreeIPA version (see above)

Usage

Example inventory file

[ipaserver]
ipaserver.test.local

Example playbook to make sure keycloak idp my-keycloak-idp is present:

---
- name: Playbook to manage IPA idp.
  hosts: ipaserver
  become: false

  tasks:
  - name: Ensure keycloak idp my-keycloak-idp is present
    ipaidp:
      ipaadmin_password: SomeADMINpassword
      name: my-keycloak-idp
      provider: keycloak
      organization: main
      base_url: keycloak.idm.example.com:8443/auth
      client_id: my-client-id

Example playbook to make sure keycloak idp my-keycloak-idp is absent:

---
- name: Playbook to manage IPA idp.
  hosts: ipaserver
  become: false

  tasks:
  - name: Ensure keycloak idp my-keycloak-idp is absent
    ipaidp:
      ipaadmin_password: SomeADMINpassword
      name: my-keycloak-idp
      delete_continue: true
      state: absent

Example playbook to make sure github idp my-github-idp is present:

---
- name: Playbook to manage IPA idp.
  hosts: ipaserver
  become: false

  tasks:
  - name: Ensure github idp my-github-idp is present
    ipaidp:
      ipaadmin_password: SomeADMINpassword
      name: my-github-idp
      provider: github
      client_id: my-github-client-id

Example playbook to make sure google idp my-google-idp is present using provider defaults without specifying provider:

---
- name: Playbook to manage IPA idp.
  hosts: ipaserver
  become: false

  tasks:
  - name: Ensure google idp my-google-idp is present using provider defaults without specifying provider
    ipaidp:
      ipaadmin_password: SomeADMINpassword
      name: my-google-idp
      auth_uri: https://accounts.google.com/o/oauth2/auth
      dev_auth_uri: https://oauth2.googleapis.com/device/code
      token_uri: https://oauth2.googleapis.com/token
      keys_uri: https://www.googleapis.com/oauth2/v3/certs
      userinfo_uri: https://openidconnect.googleapis.com/v1/userinfo
      client_id: my-google-client-id
      scope: "openid email"
      idp_user_id: email

Example playbook to make sure google idp my-google-idp is present using provider:

---
- name: Playbook to manage IPA idp.
  hosts: ipaserver
  become: false

  tasks:
  - name: Ensure google idp my-google-idp is present using provider
    ipaidp:
      ipaadmin_password: SomeADMINpassword
      name: my-google-idp
      provider: google
      client_id: my-google-client-id

Example playbook to make sure idps my-keycloak-idp, my-github-idp and my-google-idp are absent:

---
- name: Playbook to manage IPA idp.
  hosts: ipaserver
  become: false

  tasks:
  - name: Ensure idps my-keycloak-idp, my-github-idp and my-google-idp are absent
    ipaidp:
      ipaadmin_password: SomeADMINpassword
      name:
      - my-keycloak-idp
      - my-github-idp
      - my-google-idp
      delete_continue: true
      state: absent

Variables

Variable Description Required
ipaadmin_principal The admin principal is a string and defaults to admin no
ipaadmin_password The admin password is a string and is required if there is no admin ticket available on the node no
ipaapi_context The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are server and client. no
ipaapi_ldap_cache Use LDAP cache for IPA connection. The bool setting defaults to true. (bool) false
name | cn The list of idp name strings. yes
auth_uri | ipaidpauthendpoint OAuth 2.0 authorization endpoint string. no
dev_auth_uri | ipaidpdevauthendpoint Device authorization endpoint string. no
token_uri | ipaidptokenendpoint Token endpoint string. no
userinfo_uri | ipaidpuserinfoendpoint User information endpoint string. no
keys_uri | ipaidpkeysendpoint JWKS endpoint string. no
issuer_url | ipaidpissuerurl The Identity Provider OIDC URL string. no
client_id | ipaidpclientid OAuth 2.0 client identifier string. no
secret | ipaidpclientsecret OAuth 2.0 client secret string. no
scope | ipaidpscope OAuth 2.0 scope string. Multiple scopes separated by space. no
idp_user_id | ipaidpsub Attribute string for user identity in OAuth 2.0 userinfo. no
provider | ipaidpprovider Pre-defined template string. This provides the provider defaults, which can be overridden with the other IdP options. Choices: ["google","github","microsoft","okta","keycloak"] no
organization | ipaidporg Organization ID string or Realm name for IdP provider templates. no
base_url | ipaidpbaseurl Base URL string for IdP provider templates. no
rename | new_name New name for the Identity Provider server object. Only with state: renamed. no
delete_continue | continue Continuous mode. Don't stop on errors. Valid only if state is absent. no
state The state to ensure. It can be one of present, absent, renamed, default: present. no

Authors

Thomas Woerner