[openstack-dev] [keystone federation] some questions about keystone IDP with SAML supported

Marek Denis marek.denis at cern.ch
Wed Oct 14 15:58:41 UTC 2015


On 14.10.2015 13:10, wyw wrote:
> hello, keystoners.  please help me
> Here is my use case:
> 1. use keystone as IDP , supported with SAML

Remember that Keystone is not a fully fledged Identity Provider. For 
instance, it cannot handle WebSSO. To be even more specific, it will only 
handle the "IdP Initiated authentication workflow", which is one of the 
variants of SAML2 authentication.

> 2. keystone integrates with LDAP
> 3. we use a java application as Service Provider, and to integrate it 
> with keystone IDP.
> 4. we use a keystone as Service Provider, and to integrate it with 
> keystone IDP.

Did you try that already? Did it work?

> The problems:
> in the k2k federation case, keystone service provider requests 
> authentication info with IDP via Shibboleth ECP.

Yes. Why is that a problem? K2K architecture assumes two Keystones - 
Keystone-IdP and Keystone-SP. Communication between them leverages 
SAML2 and ECP.

> in the java application, we use websso to request IDP, for example:

As mentioned earlier - no WebSSO in keystone-idp.

> idp_sso_endpoint =
> but, the java redirect the sso url , it will return 404 error.
> so, if we want to integrate a java application with keystone IDP, 
>  should we need to support ECP in the java application?

Pretty much - yes! Luckily for you the reference libraries (shibboleth) 
are written in Java so it should be easier to integrate with your 

> here are some of my references:
> 1. http://docs.openstack.org/developer/keystone/configure_federation.html
> 2. http://blog.rodrigods.com/it-is-time-to-play-with-keystone-to-keystone-federation-in-kilo
> 3. http://docs.openstack.org/developer/keystone/extensions/federation.html
> https://gist.githubusercontent.com/zaccone/3c3d4c8f39a19709bcd7/raw/d938f2f9d1cf06d29a81d57c8069c291fed66cab/k2k-env.sh
> https://gist.githubusercontent.com/zaccone/4bbc07d215c0047738b4/raw/75295fe32df88b24576ece69994270dc4eb19a6e/k2k-ecp-client.py
> my keystone version is kilo
> help me, thanks

I hope I did! :-)

Marek Denis
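The K2K exchange Marek describes above (Keystone-IdP issuing an ECP-wrapped SAML2 assertion, the SP's Shibboleth ECP endpoint establishing a session, Keystone-SP issuing a federated token), written out as an added example; it is not code from this thread or from the linked gist. The HTTP layer is injected as a callable so the flow runs offline; the Shibboleth endpoint path `/Shibboleth.sso/SAML2/ECP` and the SP auth URL are assumed values, and the single-cookie, no-redirect handling is a simplification of a real Shibboleth SP.

```python
"""Keystone-to-Keystone (K2K) ECP exchange, dependency-free (added example)."""
import json

PAOS = "application/vnd.paos+xml"  # content type Shibboleth expects for ECP


def build_ecp_request(token_id, sp_id):
    """Body for POST /v3/auth/OS-FEDERATION/saml2/ecp on Keystone-IdP:
    re-authenticate with an existing token, scoped to a registered SP."""
    return {"auth": {"identity": {"methods": ["token"],
                                  "token": {"id": token_id}},
                     "scope": {"service_provider": {"id": sp_id}}}}


def k2k_login(http, idp_url, token_id, sp_id, sp_ecp_url, sp_auth_url):
    """Run the three-step K2K exchange and return the SP's unscoped token.

    `http(method, url, headers, body)` must return (status, headers, body);
    injecting it (assumption) keeps the example runnable without a deployment.
    """
    # 1. Ask Keystone-IdP for an ECP-wrapped SAML2 assertion for this SP.
    status, _, envelope = http(
        "POST", idp_url + "/v3/auth/OS-FEDERATION/saml2/ecp",
        {"Content-Type": "application/json"},
        json.dumps(build_ecp_request(token_id, sp_id)))
    if status != 200:
        raise RuntimeError("IdP refused ECP request: %d" % status)
    # 2. Hand the envelope to the SP's ECP endpoint (Shibboleth in front of
    #    Keystone-SP). The PAOS content type marks this as an ECP exchange;
    #    Shibboleth answers with a session cookie (simplified: one cookie).
    status, headers, _ = http("POST", sp_ecp_url, {"Content-Type": PAOS}, envelope)
    cookie = headers.get("Set-Cookie")
    if status not in (200, 302) or not cookie:
        raise RuntimeError("SP did not establish a session (status %d)" % status)
    # 3. Present the session cookie to Keystone-SP's federated auth URL; the
    #    unscoped federated token comes back in the X-Subject-Token header.
    status, headers, _ = http(
        "GET", sp_auth_url, {"Cookie": cookie.split(";")[0]}, None)
    if status not in (200, 201) or "X-Subject-Token" not in headers:
        raise RuntimeError("Keystone-SP issued no token (status %d)" % status)
    return headers["X-Subject-Token"]
```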
