[openstack-dev] [Keystone][Horizon] CORS and Federation

Adam Young ayoung at redhat.com
Tue Sep 16 22:39:59 UTC 2014


Phase one for dealing with Federation can be done with CORS support 
solely for Keystone/Horizon integration:

1.  Horizon Login page creates Javascript to do AJAX call to Keystone
2.  Keystone generates a token
3.  Javascript reads token out of response and sends it to Horizon.

This should support Kerberos, X509, and Password auth; the Keystone 
team is discussing how to advertise mechanisms, let's leave the onus on 
us to solve that one and get back in a timely manner.

For Federation, the handshake is a little more complex, and there might 
be a need for some sort of popup window for the user to log in to their 
home SAML provider.  It's several more AJAX calls, but the end effect 
should be the same: get a standard Keystone token and hand it to Horizon.

This would mean that Horizon would have to validate tokens the same way 
as any other endpoint.  That should not be too hard, but there is a 
little bit of "create a user, get a token, make a call" logic that 
currently lives only in keystonemiddleware/auth_token; it's a solvable 
problem.

This approach will support the straight Javascript approach that Richard 
Jones discussed; Keystone behind a proxy will work this way without 
CORS support.  If CORS can be sorted out for the other services, we can 
do straight Javascript without the Proxy.  I see it as a phased approach 
with this being the first phase.
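The three-step Keystone/Horizon flow sketched above, as an added browser-side example that is not code from this post or from OpenStack itself. It targets the Keystone v3 token API; the Keystone and Horizon URLs and the helper names are assumptions, and the fetch implementation is passed in so the pieces can be exercised without a live server.

```javascript
// Added example, not code from the original post or from OpenStack: the
// browser-side flow the message sketches, against the Keystone v3 token API.
// KEYSTONE_URL, HORIZON_LOGIN_URL and the helper names are assumptions.
const KEYSTONE_URL = "https://keystone.example.test:5000/v3";
const HORIZON_LOGIN_URL = "https://horizon.example.test/auth/token";

// Step 1: the password-auth request the login page's JavaScript sends to Keystone.
function buildPasswordAuthRequest(user, password, project, domain = "Default") {
  const auth = {
    identity: { methods: ["password"],
      password: { user: { name: user, domain: { name: domain }, password } } },
    scope: { project: { name: project, domain: { name: domain } } },
  };
  return { url: `${KEYSTONE_URL}/auth/tokens`, init: { method: "POST",
    headers: { "Content-Type": "application/json" }, body: JSON.stringify({ auth }) } };
}

// Works with a fetch Headers object or a plain { name: value } object.
function getHeader(headers, name) {
  if (typeof headers.get === "function") return headers.get(name);
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key ? headers[key] : null;
}

// Step 2: Keystone answers 201 with the token id in X-Subject-Token, not the body.
// In a cross-origin fetch that header is invisible to JavaScript unless Keystone's
// CORS reply lists it in Access-Control-Expose-Headers, so its absence is an error.
function parseKeystoneTokenResponse(status, headers, bodyText) {
  if (status !== 201) throw new Error(`Keystone auth failed: HTTP ${status}`);
  const id = getHeader(headers, "X-Subject-Token");
  if (!id) throw new Error("X-Subject-Token not readable; check Access-Control-Expose-Headers");
  return { id, expiresAt: JSON.parse(bodyText).token.expires_at };
}

// Step 3: hand the token to Horizon (same origin), which must validate it itself.
function buildHorizonHandoff(tokenId) {
  return { url: HORIZON_LOGIN_URL, init: { method: "POST",
    headers: { "X-Auth-Token": tokenId }, credentials: "same-origin" } };
}

async function loginViaKeystone(fetchImpl, user, password, project) {
  const req = buildPasswordAuthRequest(user, password, project);
  const res = await fetchImpl(req.url, req.init);
  const token = parseKeystoneTokenResponse(res.status, res.headers, await res.text());
  const handoff = buildHorizonHandoff(token.id);
  return { token, horizonStatus: (await fetchImpl(handoff.url, handoff.init)).status };
}
```

In a real deployment the Keystone CORS configuration has to expose X-Subject-Token explicitly; without that the browser silently drops the header and the handoff in step 3 never happens.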
