make OIDCClaimDelimiter configurable

Add a new variable keystone_federation_oidc_claim_delimiter
to make this configurable for keycloak OIDC federation.

Closes-Bug: #2080394

Signed-off-by: Sven Kieske <kieske@osism.tech>
Change-Id: If14285f033ed4914fd3b28d7efcc95e1c9f273a5

ansible/roles/keystone/defaults/main.yml

@@ -234,6 +234,7 @@ keystone_enable_federation_openid: "{{ enable_keystone_federation | bool and key
 keystone_should_remove_attribute_mappings: False
 keystone_should_remove_identity_providers: False
 keystone_federation_oidc_response_type: "id_token"
+keystone_federation_oidc_claim_delimiter: ";"
 keystone_federation_oidc_scopes: "openid email profile"
 
 # OIDC caching

ansible/roles/keystone/templates/wsgi-keystone.conf.j2

@@ -59,7 +59,7 @@ LogLevel info
 
 {% if keystone_enable_federation_openid | bool %}
     OIDCClaimPrefix "OIDC-"
-    OIDCClaimDelimiter ";"
+    OIDCClaimDelimiter "{{ keystone_federation_oidc_claim_delimiter }}"
     OIDCResponseType "{{ keystone_federation_oidc_response_type }}"
     OIDCScope "{{ keystone_federation_oidc_scopes }}"
     OIDCMetadataDir {{ keystone_container_federation_oidc_metadata_folder }}

releasenotes/notes/fix-hardcoded-oidc-claim-delimiter-06ca81b1fce0eba7.yaml

@@ -0,0 +1,9 @@
+---
+fixes:
+  - |
+    Fixes an issue with setting up OIDC based Keystone federation against IDP
+    where there are multiple OIDC groups that are separated by a custom
+    delimiter.
+    Add a variable ``keystone_federation_oidc_claim_delimiter`` to set the
+    custom value.
+    `LP#2080394 <https://bugs.launchpad.net/bugs/2080394>`__