[openstack-dev] [keystone] multiple federated keystones with single Identity Provider

Colleen Murphy colleen at gazlene.net
Thu Dec 7 18:27:11 UTC 2017

On Thu, Dec 7, 2017 at 5:37 PM, Pavlo Shchelokovskyy
<pshchelokovskyy at mirantis.com> wrote:
> Hi all,
> We have a following use case - several independent keystones (say KeyA and
> KeyB), using fernet tokens and synchronized fernet keys, and single external
> IdP for federated auth.
> Is it generally possible to configure both KeyA and KeyB such that scoped
> token issued by KeyA for a federated user is valid on KeyB?
> Currently we have the next problem - although domains/projects where
> keystone's mapping engine assigns federated users are equal by name between
> KeyA and KeyB, the UUIDs of projects/domains in KeyA and KeyB are
> different, which seems to invalidate the scoped token issued by KeyA when
> trying to use it for KeyB. And it is not possible to create projects/domains
> with specific UUIDs via keystone API (which would probably solve this
> problem for non-autoprovisioned projects).
> Is such usage scenario supported? Or one should always use the unscoped
> token first to list projects/domains available on a specific keystone
> instance and then get a scoped token for usage on this instance only?

No, it is not currently possible to use the same token on projects in
different keystones, for the reasons you gave. You might be interested
in following https://review.openstack.org/#/c/323499/ if you're not
already aware of it, which has the goal of solving that problem.

It's also been brought up before:


And we talked about it a lot at the last Forum (sorry my brief summary
does not really do the discussion justice):


Lance mentioned today that we'd likely try to discuss it at our next
weekly meeting: http://eavesdrop.openstack.org/#Keystone_Team_Meeting
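Added illustration (not part of this thread, and not keystone's code): two constructed keystone instances sharing one signing key, so a token issued by KeyA passes the signature check on KeyB, yet its scope still fails there because the project UUID embedded in the token was generated by KeyA. Tokens here are HMAC-signed JSON, a simplified stand-in for fernet tokens; the class and function names are assumptions.

```python
import hashlib
import hmac
import json
import uuid

# Constructed shared key standing in for synchronized fernet keys.
SHARED_KEY = b"constructed-shared-key-not-a-real-fernet-key"


class Keystone:
    """Minimal model of one keystone instance with its own project table keyed by UUID."""

    def __init__(self, name, project_names):
        self.name = name
        # Each instance mints its own UUIDs, as the real API does (ids cannot be chosen).
        self.projects = {uuid.uuid4().hex: pname for pname in project_names}

    def project_id_by_name(self, pname):
        return next(pid for pid, n in self.projects.items() if n == pname)

    def issue_scoped_token(self, user, project_name):
        """Scoped token carries the project *UUID*, not its name."""
        body = {"user": user, "project_id": self.project_id_by_name(project_name), "issuer": self.name}
        payload = json.dumps(body, sort_keys=True).encode()
        sig = hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest()
        return payload.hex() + "." + sig

    def validate(self, token):
        """Return (status, detail). Signature verifies on any instance holding the
        shared key; the scope only resolves where the project UUID exists."""
        payload_hex, sig = token.split(".")
        payload = bytes.fromhex(payload_hex)
        expected = hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return ("invalid", "bad signature")
        pid = json.loads(payload)["project_id"]
        if pid not in self.projects:
            return ("invalid", f"project {pid} unknown on {self.name}")
        return ("valid", self.projects[pid])


def cross_keystone_check():
    """Same project *name* on both sides; token from KeyA is valid on KeyA, invalid on KeyB."""
    key_a = Keystone("KeyA", ["federated-users"])
    key_b = Keystone("KeyB", ["federated-users"])
    token = key_a.issue_scoped_token("alice@idp", "federated-users")
    return key_a.validate(token)[0], key_b.validate(token)[0]
```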
