<div dir="ltr">Hi,<br>I would like to share the article <a href="http://xuctarine.blogspot.com/2016/05/keystone-and-websso-using-active.html" rel="bookmark" itemprop="url">Keystone and WebSSO: Using Active Directory Federation Services with OpenStack Keystone</a> (<a href="http://xuctarine.blogspot.ru/2016/05/keystone-and-websso-using-active.html">http://xuctarine.blogspot.ru/2016/05/keystone-and-websso-using-active.html</a>).<br>In this article you can find a step-by-step manual for SSO on Windows with Keystone.</div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, May 20, 2016 at 3:03 AM, Adam Young <span dir="ltr"><<a href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF"><span class="">
    <div>On 05/19/2016 07:40 AM, Rodrigo Duarte
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">
        <div>
          <div>Hi,<br>
            <br>
          </div>
          So you are trying to use keystone to authorize your users, but
          want to avoid having to authenticate via keystone, right?<br>
          <br>
        </div>
        Check if the Federated Identity feature [1] covers your use
        case.<br>
        <br>
        [1] <a href="http://docs.openstack.org/security-guide/identity/federated-keystone.html" target="_blank">http://docs.openstack.org/security-guide/identity/federated-keystone.html</a><br>
        <div class="gmail_extra"><br>
          <div class="gmail_quote">On Thu, May 19, 2016 at 8:27 AM,
            OpenStack Mailing List Archive <span dir="ltr"><<a href="mailto:corpqa@gmail.com" target="_blank">corpqa@gmail.com</a>></span> wrote:<br>
            <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
              Link: <a href="https://openstack.nimeyo.com/85057/?show=85057#q85057" target="_blank">https://openstack.nimeyo.com/85057/?show=85057#q85057</a><br>
              From: imocha <<a href="mailto:Imocha@gmail.com" target="_blank">Imocha@gmail.com</a>><br>
              <br>
              <p>I have to call the keystone APIs and want to use
                Windows authentication using Active Directory. Keystone
                provides integration with AD at the back end. To get the
                initial token to use OpenStack APIs, I need to pass the user
                name and password in the keystone token creation API.</p>
              <p>Since I am already logged on to my Windows domain, is
                there any way that I can get the token without passing
                the password in the API?</p>
            </blockquote>
          </div>
        </div>
      </div>
    </blockquote></span>
    Yes, use SSSD and Mod_Lookup_Identity:<br>
    <br>
<a href="https://adam.younglogic.com/2014/05/keystone-federation-via-mod_lookup_identity/" target="_blank">https://adam.younglogic.com/2014/05/keystone-federation-via-mod_lookup_identity/</a><span class=""><br>
    <br>
    <br>
    <blockquote type="cite">
      <div dir="ltr">
        <div class="gmail_extra">
          <div class="gmail_quote">
            <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <br>
__________________________________________________________________________<br>
              OpenStack Development Mailing List (not for usage
              questions)<br>
              Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
              <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
              <br>
            </blockquote>
          </div>
          <br>
          <br clear="all">
          <br>
          -- <br>
          <div>
            <div dir="ltr">
              <div>
                <div dir="ltr">
                  <div>
                    <div dir="ltr">
                      <div>
                        <div dir="ltr">
                          <div>
                            <div dir="ltr"><font color="#666666">Rodrigo
                                Duarte Sousa<br>
                              </font></div>
                            <div><font color="#666666">Senior Quality
                                Engineer @ Red Hat<br>
                              </font></div>
                            <div dir="ltr">
                              <div>
                                <div><span style="color:rgb(102,102,102)">MSc</span><span style="color:rgb(102,102,102)"></span><span style="color:rgb(102,102,102)"> in
                                    Computer Science</span><br>
                                  <font color="#3333ff"><a href="http://rodrigods.com" target="_blank">http://rodrigods.com</a></font></div>
                              </div>
                            </div>
                          </div>
                        </div>
                      </div>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div>
      <br>
    </blockquote>
    <br>
  </span></div>

<br></blockquote></div><br></div>