<html><body><p>Looks great! I only have one suggestion for the ECP blog. We actually have keystoneauth plugins for ECP [1]. Instead of issuing a request in your example, you may be able to just use the federated auth plugin.<br><br>[1] <a href="https://github.com/openstack/keystoneauth/blob/35cad4a2ef00339eb31d80458bafaada41a5d8ce/keystoneauth1/extras/_saml2/v3/saml2.py">https://github.com/openstack/keystoneauth/blob/35cad4a2ef00339eb31d80458bafaada41a5d8ce/keystoneauth1/extras/_saml2/v3/saml2.py</a><br><br>stevemar<br><br><img width="16" height="16" src="cid:1__=8FBBF5E3DFC333F28f9e8a93df938690918c8FB@" border="0" alt="Inactive hide details for Adam Heczko ---2016/03/08 03:38:31 PM---Good job Kseniya :) A."><font color="#424282">Adam Heczko ---2016/03/08 03:38:31 PM---Good job Kseniya :) A.</font><br><br><font size="2" color="#5F5F5F">From:        </font><font size="2">Adam Heczko <aheczko@mirantis.com></font><br><font size="2" color="#5F5F5F">To:        </font><font size="2">"OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org></font><br><font size="2" color="#5F5F5F">Date:        </font><font size="2">2016/03/08 03:38 PM</font><br><font size="2" color="#5F5F5F">Subject:        </font><font size="2">Re: [openstack-dev] [keystone] Single Sign On integration research</font><br><hr width="100%" size="2" align="left" noshade style="color:#8091A5; "><br><br><br>Good job Kseniya :)<br><br>A.<br><br><font size="4">On Tue, Mar 8, 2016 at 3:21 PM, Jay Pipes <</font><a href="mailto:jaypipes@gmail.com" target="_blank"><u><font size="4" color="#0000FF">jaypipes@gmail.com</font></u></a><font size="4">> wrote:</font><ul><font size="4">Awesome blogs, Kseniya, thank you for sharing this! :)<br>-jay<br><br>On 03/08/2016 09:12 AM, Kseniya Tychkova wrote:</font><br><font size="4">Hi,<br>as you may know currently Keystone supports Single Sign-On (SSO) and as<br>I think it is one of the most interesting features in Keystone.<br>I've done research on Single Sign-On in Keystone. Practically I just<br>tried to set up Keystone in 2 different configuration.<br>As a result of my research I have 2 blog posts and I would like to share<br>links with you:<br><br>*1. Keystone Service Provider with Shibboleth Identity Provider (WebSSO<br>profile)<br><</font><a href="http://xuctarine.blogspot.ru/2016/02/keystone-service-provider-with.html" target="_blank"><u><font size="4" color="#0000FF">http://xuctarine.blogspot.ru/2016/02/keystone-service-provider-with.html</font></u></a><font size="4">>*:<br><</font><a href="http://xuctarine.blogspot.ru/2016/02/keystone-service-provider-with.html" target="_blank"><u><font size="4" color="#0000FF">http://xuctarine.blogspot.ru/2016/02/keystone-service-provider-with.html</font></u></a><font size="4">><br>( </font><a href="http://xuctarine.blogspot.ru/2016/02/keystone-service-provider-with.html" target="_blank"><u><font size="4" color="#0000FF">http://xuctarine.blogspot.ru/2016/02/keystone-service-provider-with.html</font></u></a><font size="4"> )<br>Post describes how to step-by-step deploy Shibboleth Identity Provider<br>with Keystone Service Provider.<br>This configuration is interesting because you can easily replace<br>Shibboleth Identity Provider<br>with any other Identity Provider with SAML support.<br>So it is, I think, most popular use case for SSO in Keystone.<br><br>*2. How to setup Keystone with Shibboleth (ECP profile):<br><</font><a href="http://xuctarine.blogspot.ru/2016/02/how-to-setup-keystone-with-shibboleth.html" target="_blank"><u><font size="4" color="#0000FF">http://xuctarine.blogspot.ru/2016/02/how-to-setup-keystone-with-shibboleth.html</font></u></a><font size="4">><br>*(</font><u><font size="4" color="#0000FF"><br></font></u><a href="http://xuctarine.blogspot.ru/2016/02/how-to-setup-keystone-with-shibboleth.html" target="_blank"><u><font size="4" color="#0000FF">http://xuctarine.blogspot.ru/2016/02/how-to-setup-keystone-with-shibboleth.html</font></u></a><font size="4"><br>)<br>Post describes how to deploy Keystone Identity Provider with Keystone<br>Service Provider.<br>It is Keystone-to-Keystone configuration and it uses ECP profile<br>(Enhanced Client or Proxy) of SAML Protocol.<br>A lot of information for this post I took from rodrigods blog<br>(</font><a href="http://blog.rodrigods.com/it-is-time-to-play-with-keystone-to-keystone-federation-in-kilo" target="_blank"><u><font size="4" color="#0000FF">http://blog.rodrigods.com/it-is-time-to-play-with-keystone-to-keystone-federation-in-kilo</font></u></a><font size="4">).<br><br>I hope my posts will help you to deploy/configure SSO or at least will<br>be interesting to take a look at SSO feature in Keystone.<br><br>Kind regards, Kseniya<br><br><br>__________________________________________________________________________<br>OpenStack Development Mailing List (not for usage questions)<br>Unsubscribe: </font><a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank"><u><font size="4" color="#0000FF">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</font></u></a><u><font size="4" color="#0000FF"><br></font></u><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank"><u><font size="4" color="#0000FF">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</font></u></a><font size="4"><br></font><br><font size="4"><br>__________________________________________________________________________<br>OpenStack Development Mailing List (not for usage questions)<br>Unsubscribe: </font><a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank"><u><font size="4" color="#0000FF">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</font></u></a><u><font size="4" color="#0000FF"><br></font></u><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank"><u><font size="4" color="#0000FF">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</font></u></a></ul><font size="4"><br></font><br><br><font size="4">-- </font><br><font color="#888888">Adam Heczko</font><br><font color="#888888">Security Engineer @ Mirantis Inc.</font><tt>__________________________________________________________________________<br>OpenStack Development Mailing List (not for usage questions)<br>Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe<br></tt><tt><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a></tt><tt><br></tt><br><br><BR>
</body></html>