[openstack-dev] [Keystone] Federated Identity Management and user creation

K.W.S.Siu K.W.S.Siu at kent.ac.uk
Mon Jan 28 13:20:05 UTC 2013


Hello,

When Federated Identity Management is used, the authentication statement issued by the external Identity Provider(s) may contain a temporary (or transient) identifier for the user rather than a permanent (or persistent) one. Because of this, it is not always possible to uniquely identify the user each time federated authentication is used in Keystone (unless one of the user's identity attributes is globally unique, such as an email address). As an existing user is required to issue tokens, it is necessary to create a new user each time authentication takes place, which could result in the backend storage becoming full of redundant data. As a solution to this, we propose the addition of a validity time field in the user entity, which can be used to remove expired user data and allow temporary users to be created based on the ID provided by the Identity Provider. Determining the details of the new user account will be done by the proposed attribute mapping service.

At the moment we are wondering how people feel about this, and if anyone has any comments or suggestions.

Many thanks,
Kristy
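The following is an added illustration of the proposal above, not code from Keystone or from the poster: a toy user store in which each federated login either reuses a record (when the Identity Provider supplied a persistent identifier) or creates a temporary user stamped with a validity time (when the identifier is transient), and a purge routine that removes expired records so they cannot accumulate. The `map_attributes` function is a stand-in for the proposed attribute mapping service, the `persistent` flag is assumed to come from the assertion (for example a SAML NameID format), and the identity provider names and attributes are constructed sample values.

```python
"""Constructed example: temporary federated users with a validity time (not Keystone code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional
import hashlib
import secrets


@dataclass
class User:
    id: str
    name: str
    domain_id: str
    # None marks a permanent, locally managed user. A datetime marks a federated
    # user whose record must not be used to issue tokens after that instant.
    expires_at: Optional[datetime]


def map_attributes(idp_id: str, attrs: dict) -> dict:
    """Hypothetical stand-in for the attribute mapping service: derives the local
    name and domain of the new account from the assertion's attributes."""
    return {
        "name": attrs.get("mail") or attrs.get("displayName") or "federated-user",
        "domain_id": "federated-" + idp_id,
    }


class UserStore:
    def __init__(self, default_ttl: timedelta = timedelta(hours=1)):
        self._users: Dict[str, User] = {}
        self.default_ttl = default_ttl

    def get(self, user_id: str) -> Optional[User]:
        return self._users.get(user_id)

    def count(self) -> int:
        return len(self._users)

    def create_or_reuse_federated_user(self, idp_id: str, subject: str,
                                       persistent: bool, attrs: dict,
                                       now: datetime) -> User:
        mapped = map_attributes(idp_id, attrs)
        if persistent:
            # A persistent identifier can be correlated across logins, so derive a
            # stable local ID from (IdP, subject) and reuse the record. Its validity
            # time is refreshed so an account that keeps logging in is never purged.
            user_id = hashlib.sha256((idp_id + ":" + subject).encode()).hexdigest()[:32]
            user = self._users.get(user_id)
            if user is None:
                user = User(user_id, mapped["name"], mapped["domain_id"], None)
                self._users[user_id] = user
            user.expires_at = now + self.default_ttl
            return user
        # A transient identifier cannot be tied to any earlier record, so a fresh
        # temporary user is created; the validity time bounds how long it lives.
        user_id = secrets.token_hex(16)
        user = User(user_id, mapped["name"], mapped["domain_id"], now + self.default_ttl)
        self._users[user_id] = user
        return user

    def can_issue_token(self, user_id: str, now: datetime) -> bool:
        """Token issuance must check the validity time, not just that the row exists."""
        user = self._users.get(user_id)
        if user is None:
            return False
        return user.expires_at is None or now < user.expires_at

    def purge_expired(self, now: datetime) -> int:
        """Removes users whose validity time has passed; returns how many were removed."""
        expired = [uid for uid, u in self._users.items()
                   if u.expires_at is not None and u.expires_at <= now]
        for uid in expired:
            del self._users[uid]
        return len(expired)


if __name__ == "__main__":
    t0 = datetime(2013, 1, 28, 13, 20, tzinfo=timezone.utc)
    store = UserStore()
    # Two logins with a transient identifier yield two records, both temporary.
    store.create_or_reuse_federated_user("idp-b", "_tmp1", False, {"displayName": "Bob"}, t0)
    store.create_or_reuse_federated_user("idp-b", "_tmp2", False, {"displayName": "Bob"}, t0)
    print("users before purge:", store.count())
    print("removed:", store.purge_expired(t0 + timedelta(hours=1)))
    print("users after purge:", store.count())
```

The point the example makes is that expiry has to be enforced in two places: the token path refuses a user whose validity time has passed even if the row is still present, and the purge job is what actually reclaims the storage the post is worried about. Refreshing the validity time of persistent federated users on each login is a design choice of this example, not something the post specifies.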

