[openstack-dev] [keystone federation] some questions about keystone IDP with SAML supported
marek.denis at cern.ch
Wed Oct 14 15:58:41 UTC 2015
On 14.10.2015 13:10, wyw wrote:
> hello, keystoners. please help me
> Here is my use case:
> 1. use keystone as IDP , supported with SAML
Remember that Keystone is not a fully fledged Identity Provider. For
instance it cannot handle WebSSO. To be even more specific it will only
handle "IdP Initiated authentication workflow" and it's one of the
variant SAML2 authentication work.
> 2. keystone integrates with LDAP
> 3. we use a java application as Service Provider, and to integrate it
> with keystone IDP.
> 4. we use a keystone as Service Provider, and to integrate it withe
> keystone IDP.
Did you try that already? Did it work?
> The problems:
> in the k2k federation case, keystone service provider requests
> authentication info with IDP via Shibboleth ECP.
Yes. Why is that a problem? K2K architecture assumes two Keystones -
Keystone-IdP and Keystone-SP . Communication between them leverages on
SAML2 and ECP.
> in the java application, we use websso to request IDP, for example：
as mentioned earlier - no websso in keystone-idp.
> idp_sso_endpoint = http://10.111.131.83:5000/v3/OS-FEDERATION/saml2/sso
> but, the java redirect the sso url , it will return 404 error.
> so, if we want to integrate a java application with keystone IDP,
> should we need to support ECP in the java application?
pretty much - yes! Luckily for you the reference libraries (shibboleth)
are written in Java so it should be easier to integrate with your
> here is my some references:
> 1. http://docs.openstack.org/developer/keystone/configure_federation.html
> 3. http://docs.openstack.org/developer/keystone/extensions/federation.html
> my keystone version is kilo
> help me, thanks
I hope I did! :-)
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the OpenStack-dev