<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content=text/html;charset=gb2312 http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 11.00.9600.19101"></HEAD>
<BODY id=MailContainerBody
style="PADDING-TOP: 15px; PADDING-LEFT: 10px; PADDING-RIGHT: 10px" leftMargin=0
topMargin=0 CanvasTabStop="true" name="Compose message area">
<DIV><FONT face=Calibri>
<DIV><FONT face=Calibri>The problem is about Keystone with
SSO.</FONT></DIV>
<DIV><FONT face=Calibri></FONT> </DIV>
<DIV><FONT face=Calibri>The situation:</FONT></DIV>
<DIV><FONT face=Calibri>1. The cloud, based on OpenStack, has used Keystone to
build its own user account system, and there are no third-party user
accounts like LDAP or Google accounts.</FONT></DIV>
<DIV><FONT face=Calibri>2. The cloud may have multiple web applications/entrances and
multiple domain names, so we need SSO.</FONT></DIV>
<DIV><FONT face=Calibri></FONT> </DIV>
<DIV><FONT face=Calibri>So there are two choices to implement SSO:</FONT></DIV>
<DIV><FONT face=Calibri>1. Use CAS or other open source components as the
SSO service and use database authentication which queries the
Keystone database. (I think it's odd.)</FONT></DIV>
<DIV><FONT face=Calibri>2. Use cookies (including the Keystone token) between the multiple
web applications/entrances.</FONT></DIV>
<DIV><FONT face=Calibri></FONT> </DIV>
<DIV><FONT face=Calibri>Which is the better choice?</FONT> <FONT
face=Calibri> I think if we use only users from Keystone, it's not
necessary to use an extra SSO
service. </FONT></DIV></FONT></DIV></BODY></HTML>