[horizon][keystone] Adding different rules in the same protocol for federated logon

James Leong jamesleong123098 at gmail.com
Thu Jul 13 01:42:02 UTC 2023


Ok, thanks for the clarification.

On Wed, 12 Jul 2023, 5:19 pm Rafael Weingärtner, <
rafaelweingartner at gmail.com> wrote:

> Yes, it makes sense. However, it would work only for single domain
> mapping. If you need something more dynamic, then with the current
> implementation that is not possible.
>
> On Wed, Jul 12, 2023 at 7:03 PM James Leong <jamesleong123098 at gmail.com>
> wrote:
>
>> Thanks for the explanation. I was thinking of making the domain name
>> part of the oidc-organization, so it would map to the domain dynamically.
>>
>> Best,
>> James
>>
>> On Wed, 12 Jul 2023, 11:51 am Rafael Weingärtner, <
>> rafaelweingartner at gmail.com> wrote:
>>
>>> The mapping is one to one. You will not be able to easily map N domains
>>> that come as attributes from the IdP to a user in Keystone via the current
>>> identity federation implementation. We started an initiative to make that
>>> more flexible, but the specs were never accepted. You can see specs [1] and
>>> [2]. The spec [1] is not about this per se, but it is the base to enable us
>>> to better evolve the attribute mapping process without causing backwards
>>> impacts. However, it was never accepted. Also, the spec [2] is something
>>> that we did to achieve what you want with the domain, but applied at a
>>> project level. Therefore, if we had those in, it would be easy to expand to
>>> other use cases, such as the one you are describing.
>>>
>>> [1]
>>> https://review.opendev.org/c/openstack/keystone-specs/+/748042?usp=search
>>> [2]
>>> https://review.opendev.org/c/openstack/keystone-specs/+/748748?usp=search
>>>
>>> On Tue, Jul 11, 2023 at 10:26 PM James Leong <jamesleong123098 at gmail.com>
>>> wrote:
>>>
>>>> Hi all,
>>>>
>>>> I have the Yoga version of OpenStack, deployed with
>>>> kolla-ansible. I am trying to combine different mapping rules, such as
>>>> allowing users to log in to different domains. However, I am not able to do
>>>> that in a single JSON file. When I try to include different rules in the
>>>> same JSON file, only the first rule is being considered. Is there a way to
>>>> allow multiple rules to redirect users to their account in a different domain?
>>>>
>>>> Best,
>>>> James
>>>>
>>>
>>>
>>> --
>>> Rafael Weingärtner
>>>
>>
>
> --
> Rafael Weingärtner
>
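As an added example (not code from this thread or from Keystone itself), the checker below loads a constructed two-rule mapping in Keystone's mapping JSON format, evaluates each rule's remote conditions against a set of assertion attributes using the documented any_one_of / not_any_of / regex semantics, and reports which rules match and which domain each one selects. It assumes attributes arrive as a dict of value lists and deliberately does not model how Keystone merges several matching rules, so more than one hit is flagged as ambiguous rather than resolved.

```python
import json
import re

# Constructed mapping with two rules, each selecting a different Keystone
# domain from the OIDC-organization claim (not a file from the thread).
MAPPING = json.loads("""
{"rules": [
  {"local": [{"user": {"name": "{0}", "domain": {"name": "sales"}}}],
   "remote": [{"type": "OIDC-preferred_username"},
              {"type": "OIDC-organization", "any_one_of": ["sales-org"]}]},
  {"local": [{"user": {"name": "{0}", "domain": {"name": "eng"}}}],
   "remote": [{"type": "OIDC-preferred_username"},
              {"type": "OIDC-organization", "any_one_of": ["eng-org"]}]}
]}
""")


def condition_matches(cond, values):
    """Evaluate one 'remote' entry against the values of its attribute type.
    any_one_of / not_any_of follow the documented Keystone semantics; with
    "regex": true the listed entries are treated as patterns. An entry with
    no condition only requires that the attribute be present."""
    if not values:
        return False
    if "any_one_of" in cond or "not_any_of" in cond:
        negate = "not_any_of" in cond
        pats = cond["not_any_of"] if negate else cond["any_one_of"]
        if cond.get("regex"):
            hit = any(re.search(p, v) for p in pats for v in values)
        else:
            hit = any(v in pats for v in values)
        return not hit if negate else hit
    return True


def matching_domains(mapping, assertion):
    """Return (rule_index, domain_name) for every rule whose remote
    conditions all match; the domain is read from the rule's local
    user entry. Assumption: assertion maps attribute type -> list of values."""
    hits = []
    for i, rule in enumerate(mapping["rules"]):
        if all(condition_matches(c, assertion.get(c["type"], []))
               for c in rule["remote"]):
            for local in rule["local"]:
                dom = local.get("user", {}).get("domain", {}).get("name")
                if dom:
                    hits.append((i, dom))
    return hits


def is_ambiguous(mapping, assertion):
    """True when more than one rule would pick a domain for this assertion."""
    return len(matching_domains(mapping, assertion)) > 1
```

Running `matching_domains` over the attribute sets your IdP actually emits shows whether each set selects exactly one domain; an empty result or an ambiguous one points at the rule whose remote conditions need tightening before the file is loaded.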