[openstack-dev] SAML

Adam Young ayoung at redhat.com
Fri Oct 4 18:17:30 UTC 2013


For Icehouse, Keystone should support SAML. This is an attempt to pull 
together the various pieces necessary to make that happen.

The general approach is that Keystone will maintain a short-lived set 
of user records for users that have presented valid SAML assertions. 
The assertions will be processed through a "mapping" backend and stored 
in the identity backend.

Morgan Fainberg is going to be reworking the Memcached backend so that 
it uses dogpile, the same mechanism that we are using for caching. 
Basically, we will have one Key/Value Store backend, and then various 
drivers for mapping that to in-memory, memcached, Cassandra, or any 
others that come up. I think we will continue to call this the 
Key/Value Store (KVS) backend.

Henry Nash is working on integrating multiple LDAP servers into 
Keystone.  Each LDAP server backs a single domain.  Each one gets its 
own mapping from LDAP calls to Identity based on a config file.

For Federation, we will want to use the KVS backend for identity. Thus, 
we need to be able to configure a domain or set of domains to store 
identity information in KVS. This will follow the pattern of Henry 
Nash's LDAP work.

We need to keep user IDs globally unique. In addition, we need to 
ensure that a user ID can be mapped to the appropriate identity 
backend. This is slated to be discussed at the summit Federated ID session:
http://summit.openstack.org/cfp/details/28
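To make the flow sketched above concrete (assertion attributes go through a per-domain mapping rule, a short-lived user record lands in a KVS identity store, and the user ID stays globally unique and names its domain so it can be routed to the right backend), here is an added illustration in Python. It is not Keystone code: the rule format, `federated_user_id` and the `KVSIdentity` stand-in are assumptions, and the attributes are taken from an assertion whose signature and validity have already been checked by the SAML layer.

```python
import hashlib
import time

# Hypothetical per-domain mapping rule (not Keystone's rule format): which assertion
# attribute names the user and which attribute values are required.
MAPPING_RULES = {
    "idp-example-org": {
        "name_attr": "NameID",
        "require": {"eduPersonAffiliation": {"staff", "faculty"}},
    },
}
RECORD_TTL = 3600  # seconds; the records are meant to be short lived


def federated_user_id(domain_id, name_id):
    """Globally unique id that also names the domain, so it can be routed to the
    right identity backend and cannot collide with the same NameID elsewhere."""
    digest = hashlib.sha256(f"{domain_id}:{name_id}".encode()).hexdigest()[:32]
    return f"{domain_id}:{digest}"


class KVSIdentity:
    """Stand-in for the KVS identity driver: a dict with per-record expiry."""
    def __init__(self, clock=time.time):
        self._store, self._clock = {}, clock

    def put(self, user_id, record, ttl):
        self._store[user_id] = (record, self._clock() + ttl)

    def get(self, user_id):
        record, expires = self._store.get(user_id, (None, 0))
        if record is None or self._clock() >= expires:
            self._store.pop(user_id, None)  # expired records are dropped on read
            return None
        return record


def map_assertion(domain_id, attrs, store):
    """Apply the domain's rule to attributes from an already-validated assertion;
    on success store a short-lived user record and return its id, else None."""
    rule = MAPPING_RULES.get(domain_id)
    if rule is None:
        return None
    for attr, allowed in rule["require"].items():
        if attrs.get(attr) not in allowed:
            return None
    name_id = attrs.get(rule["name_attr"])
    if not name_id:
        return None
    user_id = federated_user_id(domain_id, name_id)
    store.put(user_id, {"id": user_id, "name": name_id, "domain_id": domain_id}, RECORD_TTL)
    return user_id
```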

The diagram at the bottom of the federation blueprint shows how they are 
linked together.

https://blueprints.launchpad.net/keystone/+spec/federation
https://blueprints.launchpad.net/keystone/+spec/mapping-distributed-admin
https://blueprints.launchpad.net/keystone/+spec/saml-id
https://blueprints.launchpad.net/keystone/+spec/dogpile-kvs-backends
https://blueprints.launchpad.net/keystone/+spec/multiple-datastores
https://blueprints.launchpad.net/keystone/+spec/abfab


We have a planned API freeze for Keystone in I2. Grizzly 2 was in mid-January. 
The Grizzly Summit was about 3 weeks earlier than the Icehouse 
summit, so if we go by a similar schedule, we should plan on having 
until the end of January to get this work done. If we wait until the 
Summit to get started, we will miss Icehouse.