[openstack-dev] [os-ansible-deployment] Feedback on Keystone Federation Spec

Adam Young ayoung at redhat.com
Wed Jul 1 16:05:36 UTC 2015

On 06/30/2015 12:21 PM, Jesse Pretorius wrote:
> Hi everyone,
> There was quite a bit of fanfare around the new federation features in 
> OpenStack Kilo.
> In the os-ansible-deployment/openstack-ansible project we've been 
> putting together a view on how to implement federation with as little 
> complexity as possible.
> We've been working on some prototype code which can be seen by looking 
> at the patches on the blueprint whiteboard [1] and have also prepared 
> a spec for the implementation [2].
> We'd like to get some feedback from the broader community - from 
> deployers interested in using the feature and from 
> developers/deployers who've worked with federation. The feedback we'd 
> like to see is both in terms of the spec and the prototype code (which 
> is changing quite frequently as we figure out the bits and pieces).
> The follow-on to this work will be to specifically add the capability 
> to make use of an ADFS IdP for a Keystone SP. This work will be linked 
> to another blueprint [3] which is still a work in progress.
> I look forward to the review feedback!
> [1] 
> https://blueprints.launchpad.net/openstack-ansible/+spec/keystone-federation
> [2] https://review.openstack.org/194147
> [3] 
> https://blueprints.launchpad.net/openstack-ansible/+spec/keystone-sp-adfs-idp

I'm going to be doing an Anisble based setup for a Demo based on Ipsilon 
and FreeIPA.  For it, I will need to set up both  SAML Federation and 
SSSD/Kerberos Federation.  I suspect that much of the ADFS code is going 
to be common with the.

I'd like to make sure that the Playbooks for enabling Federation are 
something that people can use regardless of how they did their initial 
install (ignoring that it might battle with Puppet for Puppet based 


> -- 
> Jesse Pretorius
> IRC: odyssey4me
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150701/2b873569/attachment.html>

More information about the OpenStack-dev mailing list