[horizon][keystone] Adding different rules in the same protocol for federated logon

Rafael Weingärtner rafaelweingartner at gmail.com
Wed Jul 12 16:50:59 UTC 2023


The mapping is one to one. You will not be able to easily map N domains
that come as attributes from the IdP to a user in Keystone via the current
identity federation implementation. We started an initiative to make that
more flexible, but the specs were never accepted. You can see specs [1] and
[2]. The spec [1] is not about this per se, but it is the base to enable us
to better evolve the attribute mapping process without causing backwards
impacts. However, it was never accepted. Also, the spec [2] is something
that we did to achieve what you want with the domain, but applied at a
project level. Therefore, if we had those in, it would be easy to expand to
other use cases, such as the one you are describing.

[1] https://review.opendev.org/c/openstack/keystone-specs/+/748042?usp=search
[2] https://review.opendev.org/c/openstack/keystone-specs/+/748748?usp=search

On Tue, Jul 11, 2023 at 10:26 PM James Leong <jamesleong123098 at gmail.com>
wrote:

> Hi all,
>
> I have the Yoga version of OpenStack with the deployment tool kolla-ansible.
> I am trying to combine different mapping rules, such as allowing users to
> log in to different domains. However, I am not able to do that in a single
> JSON file. When I try to include different rules in the same JSON file, only
> the first rule is being considered. Is there a way to allow multiple rules
> to redirect users to their account in a different domain?
>
> Best,
> James
>


-- 
Rafael Weingärtner