[horizon][keystone] Adding different rules in the same protocol for federated logon

Rafael Weingärtner rafaelweingartner at gmail.com
Wed Jul 12 22:18:57 UTC 2023


Yes, it makes sense. However, it would work only for single domain mapping.
If you need something more dynamic, then with the current implementation
that is not possible.

On Wed, Jul 12, 2023 at 7:03 PM James Leong <jamesleong123098 at gmail.com>
wrote:

> Thanks for the explanation. I was thinking of making the domain name part
> of the oidc-organization, so it would map to the domain dynamically.
>
> Best,
> James
>
> On Wed, 12 Jul 2023, 11:51 am Rafael Weingärtner, <rafaelweingartner at gmail.com> wrote:
>
>> The mapping is one to one. You will not be able to easily map N domains
>> that come as attributes from the IdP to a user in Keystone via the current
>> identity federation implementation. We started an initiative to make that
>> more flexible, but the specs were never accepted. You can see specs [1] and
>> [2]. The spec [1] is not about this per se, but it is the base to enable us
>> to better evolve the attribute mapping process without causing backwards
>> impacts. However, it was never accepted. Also, the spec [2] is something
>> that we did to achieve what you want with the domain, but applied at a
>> project level. Therefore, if we had those in, it would be easy to expand to
>> other use cases, such as the one you are describing.
>>
>> [1]
>> https://review.opendev.org/c/openstack/keystone-specs/+/748042?usp=search
>> [2]
>> https://review.opendev.org/c/openstack/keystone-specs/+/748748?usp=search
>>
>> On Tue, Jul 11, 2023 at 10:26 PM James Leong <jamesleong123098 at gmail.com>
>> wrote:
>>
>>> Hi all,
>>>
>>> I have the Yoga version of OpenStack, deployed with kolla-ansible.
>>> I am trying to combine different mapping rules, such as allowing users to
>>> log in to different domains. However, I am not able to do that in a single
>>> JSON file. When I try to include different rules in the same JSON file, only
>>> the first rule is considered. Is there a way to allow multiple rules
>>> to redirect users to their accounts in different domains?
>>>
>>> Best,
>>> James
>>>
>>
>>
>> --
>> Rafael Weingärtner
>>
>

-- 
Rafael Weingärtner
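A worked illustration of the static, per-rule domain mapping discussed in this thread, added here as an example; it is not part of the thread and not Keystone's own code. It shows a mapping document in the Keystone federation mapping JSON layout with two rules, each keyed on the IdP's OIDC-organization attribute via any_one_of and pinned to a fixed Keystone domain, and a small evaluator that reports which rule an incoming assertion matches. The mapping document, the attribute values and the domain names (engineering, finance) are constructed, and the evaluator is a simplified reimplementation of the documented any_one_of / not_any_of / regex / {n} placeholder semantics, not Keystone's mapping engine.

```python
import json
import re

# Constructed mapping document (not from the thread): two rules, each matching a
# different OIDC-organization value and mapping the user into a fixed domain.
# The user name is taken from the first unconditional remote entry via "{0}".
MAPPING_JSON = """
{
  "rules": [
    {
      "local": [
        {"user": {"name": "{0}", "domain": {"name": "engineering"}}},
        {"group": {"name": "federated", "domain": {"name": "engineering"}}}
      ],
      "remote": [
        {"type": "OIDC-preferred_username"},
        {"type": "OIDC-organization", "any_one_of": ["engineering"]}
      ]
    },
    {
      "local": [
        {"user": {"name": "{0}", "domain": {"name": "finance"}}},
        {"group": {"name": "federated", "domain": {"name": "finance"}}}
      ],
      "remote": [
        {"type": "OIDC-preferred_username"},
        {"type": "OIDC-organization", "any_one_of": ["finance", "fin-.*"], "regex": true}
      ]
    }
  ]
}
"""


def load_mapping(text):
    """Parse a mapping document and return its list of rules."""
    return json.loads(text)["rules"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(conditions, values, use_regex):
    # Simplified condition check: plain membership, or re.search when regex is set.
    if use_regex:
        return any(re.search(cond, val) for val in values for cond in conditions)
    return any(val in conditions for val in values)


def rule_matches(rule, assertion):
    """Return the direct-map values if every remote requirement holds, else None.

    Conditional entries (any_one_of / not_any_of) only gate the rule; only
    unconditional entries feed the {n} placeholders, in order of appearance.
    """
    direct = []
    for req in rule["remote"]:
        values = assertion.get(req["type"])
        if not values:
            return None  # attribute absent from the assertion: rule cannot match
        values = _as_list(values)
        use_regex = req.get("regex", False)
        if "any_one_of" in req:
            if not _matches(req["any_one_of"], values, use_regex):
                return None
            continue
        if "not_any_of" in req:
            if _matches(req["not_any_of"], values, use_regex):
                return None
            continue
        direct.append(values[0] if len(values) == 1 else values)
    return direct


def _render(obj, direct):
    # Substitute {0}, {1}, ... in every string of the local section.
    if isinstance(obj, str):
        return obj.format(*direct)
    if isinstance(obj, dict):
        return {k: _render(v, direct) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_render(v, direct) for v in obj]
    return obj


def evaluate(rules, assertion):
    """Return the rendered local section of every rule the assertion satisfies."""
    hits = []
    for index, rule in enumerate(rules):
        direct = rule_matches(rule, assertion)
        if direct is not None:
            hits.append({"rule": index, "local": _render(rule["local"], direct)})
    return hits


def mapped_user(rules, assertion):
    """(user name, domain name) from the first matching rule, or None if nothing matches."""
    for hit in evaluate(rules, assertion):
        for item in hit["local"]:
            if "user" in item:
                user = item["user"]
                return user["name"], user["domain"]["name"]
    return None


RULES = load_mapping(MAPPING_JSON)

if __name__ == "__main__":
    # Constructed assertions, as the auth module would expose them to Keystone.
    for assertion in (
        {"OIDC-preferred_username": "alice", "OIDC-organization": "engineering"},
        {"OIDC-preferred_username": "bob", "OIDC-organization": "fin-emea"},
        {"OIDC-preferred_username": "eve", "OIDC-organization": "sales"},
    ):
        print(assertion["OIDC-organization"], "->", mapped_user(RULES, assertion))
```

Each rule here pins one organization value to one domain, which is the single-domain-per-rule shape the reply above describes; a new organization needs a new rule, and an assertion whose organization matches no rule is mapped to nothing rather than to a default domain.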