<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 08/07/2013 08:16 AM, Tim Bell wrote:<br>
</div>
<blockquote
cite="mid:5D7F9996EA547448BC6C54C8C5AAF4E5D51ACD8E@PLOXCHG04.cern.ch"
type="cite">
<pre wrap="">
Yes, this is something we’re very interested in. Joe’s blueprint (<a class="moz-txt-link-freetext" href="https://blueprints.launchpad.net/keystone/+spec/virtual-idp">https://blueprints.launchpad.net/keystone/+spec/virtual-idp</a>) has a number of the user stories and would be a good place to start to add others.</pre>
</blockquote>
<br>
Work is underway under two approaches.<br>
<br>
1. is the OAuth Support. It is in the final stages, and should
merge by H3.<br>
2. is the U of Kent Federaion blueprint, which is also well
underway, and will have pieces of it in by H3 as well\\\<br>
<br>
The split of Identity from Assignments was essential to a consistant
approach here. Henry Nash is taking this to the next with the
ability to have multiple LDAP IdP, one per domain.<br>
<br>
There are three pieces to keep clear.<br>
<br>
1. Mechanism for Identity Attribute delivery. SQL and LDAP are
"pull mechanisms" where as SAML etc are push. The end result is
the same, though: we have some data that we can trust to use as the
basis of authorization decisions.<br>
<br>
2. Mapping. This is the focus of the current Kent work. We need a
way to get the attributes, whatever they are, into a format that
Keystone understands.<br>
<br>
3. Assignments. These are owned by Keystone. This consumes the
mapping in order to actually give the token the attributes.<br>
<br>
<br>
In addition, we need rules for registering domains. Currently, each
domain is limited to one mechanism. For example, a domain cannot do
both LDAP and SQL. If a given domain will use SAML, it will be
limited to only SAML. I suspect that this limitation will be
acceptable for the near future. Please let me know if this is not
the case. <br>
<br>
<br>
<br>
<br>
<br>
<br>
<blockquote
cite="mid:5D7F9996EA547448BC6C54C8C5AAF4E5D51ACD8E@PLOXCHG04.cern.ch"
type="cite">
<pre wrap="">
Tim
From: Brad Topol [<a class="moz-txt-link-freetext" href="mailto:btopol@us.ibm.com">mailto:btopol@us.ibm.com</a>]
Sent: 07 August 2013 13:55
To: Joe Savak
Cc: Miller, Mark M (EB SW Cloud - R&D - Corvallis); <a class="moz-txt-link-abbreviated" href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>; Rok Kralj; Tim Bell; Dolph Mathews
Subject: Re: [Openstack] Openstack login via SimpleSamlPHP (LDAP, OAuth, OpenID, etc..)
Joe, Tim,
I am seeing a strong interest in keystone federated identity support from customers. I was planning on submitting a keystone design summit session proposal on this topic where we could discuss the use cases and requirements that customers are bringing forward and make sure we get all the bases covered. Sounds like you are seeing interest in this as well.
Thanks,
Brad
Brad Topol, Ph.D.
IBM Distinguished Engineer
OpenStack
(919) 543-0646
Internet: <a class="moz-txt-link-abbreviated" href="mailto:btopol@us.ibm.com">btopol@us.ibm.com</a>
Assistant: Cindy Willman (919) 268-5296
From: Joe Savak <a class="moz-txt-link-rfc2396E" href="mailto:joe.savak@RACKSPACE.COM"><joe.savak@RACKSPACE.COM></a>
To: Tim Bell <a class="moz-txt-link-rfc2396E" href="mailto:Tim.Bell@cern.ch"><Tim.Bell@cern.ch></a>, "Miller, Mark M (EB SW Cloud - R&D - Corvallis)" <a class="moz-txt-link-rfc2396E" href="mailto:mark.m.miller@hp.com"><mark.m.miller@hp.com></a>, Rok Kralj <a class="moz-txt-link-rfc2396E" href="mailto:os@rok-kralj.net"><os@rok-kralj.net></a>, <a class="moz-txt-link-rfc2396E" href="mailto:openstack@lists.openstack.org">"openstack@lists.openstack.org"</a> <a class="moz-txt-link-rfc2396E" href="mailto:openstack@lists.openstack.org"><openstack@lists.openstack.org></a>
Date: 08/06/2013 04:06 PM
Subject: Re: [Openstack] Openstack login via SimpleSamlPHP (LDAP, OAuth, OpenID, etc..)
________________________________________
If we allow Keystone to handle the identity federation (both with an incoming SAML to token exchange and an outgoing token to SAML exchange), then wouldn’t both GUI and CLI SSO be possible?
See here for more information:
<a class="moz-txt-link-freetext" href="https://blueprints.launchpad.net/keystone/+spec/virtual-idp">https://blueprints.launchpad.net/keystone/+spec/virtual-idp</a>
And a pretty picture:
<a class="moz-txt-link-freetext" href="https://wiki.openstack.org/wiki/File:Virtual_Identity_Providers.png">https://wiki.openstack.org/wiki/File:Virtual_Identity_Providers.png</a>
Rok – thank you for starting this. I do think your GUI-SSO solution has benefits regardless of the language it uses.
From: Tim Bell [<a class="moz-txt-link-freetext" href="mailto:Tim.Bell@cern.ch">mailto:Tim.Bell@cern.ch</a>]
Sent: Tuesday, August 06, 2013 1:05 PM
To: Miller, Mark M (EB SW Cloud - R&D - Corvallis); Rok Kralj; <a class="moz-txt-link-abbreviated" href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>
Subject: Re: [Openstack] Openstack login via SimpleSamlPHP (LDAP, OAuth, OpenID, etc..)
I would be very interested in a native SAML for single sign on implementation with Horizon login. This would mean Python rather than PHP along with potentially (I think) creating a situation where a user can use the Web GUI through single sign on but not able to use CLI.
Depending on the use cases, this may not be an issue but as far as I understand, it is a limitation of the technology at present.
Tim
From: Miller, Mark M (EB SW Cloud - R&D - Corvallis) [<a class="moz-txt-link-freetext" href="mailto:mark.m.miller@hp.com">mailto:mark.m.miller@hp.com</a>]
Sent: 06 August 2013 19:06
To: Rok Kralj; <a class="moz-txt-link-abbreviated" href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>
Subject: Re: [Openstack] Openstack login via SimpleSamlPHP (LDAP, OAuth, OpenID, etc..)
How is this different than the new H-2 split backend functionality?
From: Rok Kralj [<a class="moz-txt-link-freetext" href="mailto:os@rok-kralj.net">mailto:os@rok-kralj.net</a>]
Sent: Tuesday, August 06, 2013 5:38 AM
To: <a class="moz-txt-link-abbreviated" href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>
Subject: [Openstack] Openstack login via SimpleSamlPHP (LDAP, OAuth, OpenID, etc..)
As far as I know, the ability to log in to OpenStack via arbitrary Identity Provider (IdP) is a widely desired feature. Therefore, we have decided to integrate Keystone & Horizon with Simple Saml PHP, since it provides a lot of AUTH sources (aka. IdPs), for example LDAP, database, facebook, etc... Check out our effort in this short video (40s):
<a class="moz-txt-link-freetext" href="http://www.youtube.com/watch?v=qmJAumoh4U8">http://www.youtube.com/watch?v=qmJAumoh4U8</a>
For more, the instructions and a short introduction is available in the attached readme.pdf.
Feedback is really appreciated._______________________________________________
Mailing list: <a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>
Post to : <a class="moz-txt-link-abbreviated" href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>
Unsubscribe : <a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>
</pre>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Mailing list: <a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>
Post to : <a class="moz-txt-link-abbreviated" href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>
Unsubscribe : <a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>
</pre>
</blockquote>
<br>
</body>
</html>