<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 08/11/2015 06:21 AM, Jesse Pretorius
wrote:<br>
</div>
<blockquote
cite="mid:CAGSrQvyPnscqB-Lai=6+L2EMyxrb7+Hvgkxx9X_kcmNAMjj3kw@mail.gmail.com"
type="cite">
<div dir="ltr">Hi everyone,
<div><br>
</div>
<div>Yesterday we released implementing Keystone as a Federated
Service Provider as part of the openstack-ansible deployment
tooling [1].</div>
<div><br>
</div>
<div>This is a starting implementation which was purposefully
scoped to only use Shibboleth and only support SAML2. The
scope was limited due to the complexity of getting it working
in the first place, but also as this was seen to be the
use-case which would give the most value.</div>
<div><br>
</div>
<div>The implementation, however, was done in a manner which we
believe is reasonably extendable to accommodate other
protocols including OpenID, Kerberos, etc. It should also be
reasonably easy to develop the Mellon SAML implementation
instead of the Shibboleth module, although I that would
probably be slightly more complex. Our spec [2] has already
covered these extensions, so all we'd need to do is define
blueprints to cover them and target them at specific
milestones.</div>
<div><br>
</div>
<div>We'd like to ask whether others would be interested in
diving in to implement the additional protocols, to implement
the alternative mod_auth_mellon and also to apply other
improvements as we roll on towards the target of releasing
liberty.</div>
</div>
</blockquote>
The simplest one is Kerberos + SSSD;<br>
<br>
Kerberos provides Authentication.<br>
mod_lookup_identity uses SSSD to get Groups. It turns LDAP into
another Federated identity, much simpler than the LDAP code in
Keystone (I am responsible for that mess).<br>
<br>
We are working on automating this via Ansible on top of a
RHEL/Centos 7 install to demo in Tokyo.<br>
<br>
I am not certain if all the pieces are in place yet for Debian based
install. Specifically, it needs an updated sssd-dbus package.<br>
<br>
We also have mod_mellon and Ipsilon working, as Jamie demo'ed at
Pycon AU.<br>
<blockquote
cite="mid:CAGSrQvyPnscqB-Lai=6+L2EMyxrb7+Hvgkxx9X_kcmNAMjj3kw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
</div>
<div>We're happy to work along side anyone who's not familiar
with openstack-ansible, or even ansible, to setup a test
environment (this can be done in about an hour) and to prepare
a patch for review.</div>
<div><br>
</div>
<div>If you have any questions or comments, please feel free to
contact me via email or on IRC.</div>
<div><br>
</div>
<div>Best regards,</div>
<div><br>
</div>
<div>Jesse</div>
<div>IRC: odyssey4me</div>
<div><br>
</div>
<div>[1] <a moz-do-not-send="true"
href="http://lists.openstack.org/pipermail/openstack-dev/2015-August/071748.html">http://lists.openstack.org/pipermail/openstack-dev/2015-August/071748.html</a></div>
<div>[2] <a moz-do-not-send="true"
href="https://github.com/stackforge/os-ansible-deployment-specs/blob/master/specs/kilo/keystone-federation.rst">https://github.com/stackforge/os-ansible-deployment-specs/blob/master/specs/kilo/keystone-federation.rst</a></div>
<div><br>
</div>
<div><br>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: <a class="moz-txt-link-abbreviated" href="mailto:OpenStack-dev-request@lists.openstack.org?subject:unsubscribe">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a>
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
</blockquote>
<br>
</body>
</html>