internet/ansible-freeipa
4
0
Fork 0
mirror of https://github.com/freeipa/ansible-freeipa.git synced 2026-03-26 21:33:05 +00:00
Code Issues Projects Releases Wiki Activity
Files
bdcc8153f8b81e68408727c62e61c97fc0895ac4
ansible-freeipa/README-idp.md
Rafael Guterres Jeffman 7126dec0f3 README-*: Bump minimum Ansible supported version to 2.15 
ansible-freeipa roles do not work with Ansible 2.8 anymore, so the
minimum supported version is changed to 2.15, the oldest supported
Ansible version as of today.

This patch includes the change to the version number in the collection
and all plugin README files. The collection README was also update to
remove text that related only to previous Ansible versions.
2024-06-28 10:51:44 -03:00

5.3 KiB
Raw Blame History

Idp module

Description

The idp module allows to ensure presence and absence of idps.

Features

  • Idp management

Supported FreeIPA Versions

FreeIPA versions 4.4.0 and up are supported by the ipaidp module.

Requirements

Controller

  • Ansible version: 2.15+

Node

  • Supported FreeIPA version (see above)

Usage

Example inventory file

[ipaserver]
ipaserver.test.local

Example playbook to make sure keycloak idp my-keycloak-idp is present:

---
- name: Playbook to manage IPA idp.
  hosts: ipaserver
  become: false

  tasks:
  - name: Ensure keycloak idp my-keycloak-idp is present
    ipaidp:
      ipaadmin_password: SomeADMINpassword
      name: my-keycloak-idp
      provider: keycloak
      organization: main
      base_url: keycloak.idm.example.com:8443/auth
      client_id: my-client-id

Example playbook to make sure keycloak idp my-keycloak-idp is absent:

---
- name: Playbook to manage IPA idp.
  hosts: ipaserver
  become: false

  tasks:
  - name: Ensure keycloak idp my-keycloak-idp is absent
    ipaidp:
      ipaadmin_password: SomeADMINpassword
      name: my-keycloak-idp
      delete_continue: true
      state: absent

Example playbook to make sure github idp my-github-idp is present:

---
- name: Playbook to manage IPA idp.
  hosts: ipaserver
  become: false

  tasks:
  - name: Ensure github idp my-github-idp is present
    ipaidp:
      ipaadmin_password: SomeADMINpassword
      name: my-github-idp
      provider: github
      client_id: my-github-client-id

Example playbook to make sure google idp my-google-idp is present using provider defaults without specifying provider:

---
- name: Playbook to manage IPA idp.
  hosts: ipaserver
  become: false

  tasks:
  - name: Ensure google idp my-google-idp is present using provider defaults without specifying provider
    ipaidp:
      ipaadmin_password: SomeADMINpassword
      name: my-google-idp
      auth_uri: https://accounts.google.com/o/oauth2/auth
      dev_auth_uri: https://oauth2.googleapis.com/device/code
      token_uri: https://oauth2.googleapis.com/token
      keys_uri: https://www.googleapis.com/oauth2/v3/certs
      userinfo_uri: https://openidconnect.googleapis.com/v1/userinfo
      client_id: my-google-client-id
      scope: "openid email"
      idp_user_id: email

Example playbook to make sure google idp my-google-idp is present using provider:

---
- name: Playbook to manage IPA idp.
  hosts: ipaserver
  become: false

  tasks:
  - name: Ensure google idp my-google-idp is present using provider
    ipaidp:
      ipaadmin_password: SomeADMINpassword
      name: my-google-idp
      provider: google
      client_id: my-google-client-id

Example playbook to make sure idps my-keycloak-idp, my-github-idp and my-google-idp are absent:

---
- name: Playbook to manage IPA idp.
  hosts: ipaserver
  become: false

  tasks:
  - name: Ensure idps my-keycloak-idp, my-github-idp and my-google-idp are absent
    ipaidp:
      ipaadmin_password: SomeADMINpassword
      name:
      - my-keycloak-idp
      - my-github-idp
      - my-google-idp
      delete_continue: true
      state: absent

Variables

Variable Description Required
ipaadmin_principal The admin principal is a string and defaults to admin no
ipaadmin_password The admin password is a string and is required if there is no admin ticket available on the node no
ipaapi_context The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are server and client. no
ipaapi_ldap_cache Use LDAP cache for IPA connection. The bool setting defaults to true. (bool) false
name | cn The list of idp name strings. yes
auth_uri | ipaidpauthendpoint OAuth 2.0 authorization endpoint string. no
dev_auth_uri | ipaidpdevauthendpoint Device authorization endpoint string. no
token_uri | ipaidptokenendpoint Token endpoint string. no
userinfo_uri | ipaidpuserinfoendpoint User information endpoint string. no
keys_uri | ipaidpkeysendpoint JWKS endpoint string. no
issuer_url | ipaidpissuerurl The Identity Provider OIDC URL string. no
client_id | ipaidpclientid OAuth 2.0 client identifier string. no
secret | ipaidpclientsecret OAuth 2.0 client secret string. no
scope | ipaidpscope OAuth 2.0 scope string. Multiple scopes separated by space. no
idp_user_id | ipaidpsub Attribute string for user identity in OAuth 2.0 userinfo. no
provider | ipaidpprovider Pre-defined template string. This provides the provider defaults, which can be overridden with the other IdP options. Choices: ["google","github","microsoft","okta","keycloak"] no
organization | ipaidporg Organization ID string or Realm name for IdP provider templates. no
base_url | ipaidpbaseurl Base URL string for IdP provider templates. no
rename | new_name New name for the Identity Provider server object. Only with state: renamed. no
delete_continue | continue Continuous mode. Don't stop on errors. Valid only if state is absent. no
state The state to ensure. It can be one of present, absent, renamed, default: present. no

Authors

Thomas Woerner