[openstack-dev] [keystone] multiple federated keystones with single Identity Provider

Pavlo Shchelokovskyy pshchelokovskyy at mirantis.com
Thu Dec 7 16:37:54 UTC 2017

Hi all,

We have the following use case: several independent keystones (say KeyA and
KeyB), using fernet tokens and synchronized fernet keys, and a single
external IdP for federated auth.

Is it generally possible to configure both KeyA and KeyB such that a scoped
token issued by KeyA for a federated user is valid on KeyB?

Currently we have the following problem: although the domains/projects to
which keystone's mapping engine assigns federated users have equal names in
KeyA and KeyB, the UUIDs of the projects/domains in KeyA and KeyB are
different, which seems to invalidate the scoped token issued by KeyA when
trying to use it with KeyB. And it is not possible to create
projects/domains with specific UUIDs via the keystone API (which would probably
solve this problem for non-autoprovisioned projects).

Is such a usage scenario supported? Or should one always use the unscoped
token first to list the projects/domains available on a specific keystone
instance and then get a scoped token for use on this instance only?

Best regards,
Dr. Pavlo Shchelokovskyy
Senior Software Engineer
Mirantis Inc
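The failure described in the post, modelled as an added example (this is not keystone's code and not part of the original message). A keyed HMAC over a JSON payload stands in for Fernet (AES-CBC plus HMAC in the real thing), and the `Keystone` class, `SHARED_KEY`, the project name and the user id are all constructed for the illustration. The point it shows is that synchronized keys let KeyB verify and open a token minted by KeyA, but a project-scoped fernet payload carries only the project UUID, which the validating keystone resolves against its own resource backend; with different UUIDs behind the same project name, KeyB rejects the token. The last part of the scenario runs the workaround the post mentions: unscoped token on KeyB, list projects on KeyB, rescope on KeyB.

```python
"""Model of cross-keystone scoped-token validation with synchronized fernet keys.

Added example, not keystone's implementation. A keyed HMAC over a JSON payload
stands in for Fernet (AES-CBC + HMAC); the interesting part is the validation
logic, which re-resolves the project UUID from the payload locally.
"""
import base64
import hashlib
import hmac
import json
import uuid

# Constructed: the key ring is synchronized, so both deployments hold this key.
SHARED_KEY = b"constructed-fernet-key-material"


class Keystone:
    """Minimal stand-in for one keystone deployment (hypothetical, for the model)."""

    def __init__(self, name, key):
        self.name = name
        self.key = key
        self.projects = {}  # project UUID -> project name (the local resource backend)

    def create_project(self, name):
        # As with the real API, the UUID is chosen by keystone, never by the caller.
        project_id = uuid.uuid4().hex
        self.projects[project_id] = name
        return project_id

    def list_projects(self):
        return dict(self.projects)

    def issue_token(self, user_id, project_id=None):
        """Unscoped token when project_id is None, otherwise project-scoped."""
        if project_id is not None and project_id not in self.projects:
            raise LookupError("cannot scope to a project this keystone does not know")
        payload = {"user_id": user_id, "project_id": project_id, "issued_by": self.name}
        body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode())
        tag = hmac.new(self.key, body, hashlib.sha256).digest()
        return body + b"." + base64.urlsafe_b64encode(tag)

    def validate_token(self, token):
        """Return the payload on success; raise on a bad key or an unknown project."""
        body, tag = token.rsplit(b".", 1)
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.urlsafe_b64decode(tag)):
            raise ValueError("signature mismatch: fernet keys are not synchronized")
        payload = json.loads(base64.urlsafe_b64decode(body))
        pid = payload["project_id"]
        if pid is not None and pid not in self.projects:
            # The scope is rebuilt from the UUID in the payload, so a UUID this
            # keystone has never seen makes the whole token invalid here.
            raise LookupError(f"{self.name}: project {pid} not found")
        return payload


def scenario():
    """Run the post's situation end to end and report each outcome."""
    key_a = Keystone("KeyA", SHARED_KEY)
    key_b = Keystone("KeyB", SHARED_KEY)
    # Same project name on both (the mapping engine assigns it), different UUIDs.
    proj_a = key_a.create_project("federated-users")
    proj_b = key_b.create_project("federated-users")
    user = "constructed-federated-user-id"
    results = {"project_ids_differ": proj_a != proj_b}

    # 1. A scoped token from KeyA is fine on KeyA ...
    scoped_a = key_a.issue_token(user, proj_a)
    results["scoped_a_on_a"] = key_a.validate_token(scoped_a)["project_id"] == proj_a

    # 2. ... and is rejected by KeyB, although KeyB verifies the signature fine.
    try:
        key_b.validate_token(scoped_a)
        results["scoped_a_on_b"] = True
    except LookupError:
        results["scoped_a_on_b"] = False

    # 3. Workaround: unscoped token on KeyB, list KeyB's projects, rescope on KeyB.
    unscoped_b = key_b.issue_token(user)
    key_b.validate_token(unscoped_b)
    target = next(pid for pid, name in key_b.list_projects().items()
                  if name == "federated-users")
    scoped_b = key_b.issue_token(user, target)
    results["rescoped_on_b"] = key_b.validate_token(scoped_b)["project_id"] == proj_b

    # 4. Without synchronized keys nothing cross-validates at all.
    key_c = Keystone("KeyC", b"constructed-different-key")
    try:
        key_c.validate_token(scoped_a)
        results["scoped_a_on_unsynced_keys"] = True
    except ValueError:
        results["scoped_a_on_unsynced_keys"] = False
    return results


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {ok}")
```

Running it prints one line per outcome; the two `False` lines are the two distinct failure modes worth keeping apart when debugging this setup: a rejected signature means the key rings are not actually in sync, while a "project not found" means the keys are fine and the scope UUID is what does not carry over.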