<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 10/14/2013 09:56 AM, Rok Kralj
wrote:<br>
</div>
<blockquote
cite="mid:CAMWF=HT_MVd7cZAgjR2bL-VTSgYftyVKQ2R3XJ1ThXR7uS-Q9g@mail.gmail.com"
type="cite">
<div dir="ltr">
<p
style="font-family:arial,sans-serif;font-size:13px;margin-bottom:0in"><b>Hello
OpenStack community,</b></p>
<p
style="font-family:arial,sans-serif;font-size:13px;margin-bottom:0in">As
you might remember, some time ago we had a quick discussion
about supporting the SAML 2.0 protocol for identity management
in federations, as this is a protocol of great importance in
business enterprises. At first, the discussion gained a fair
amount of interest. Just to refresh our minds, here is the
reference to the discussion on the mailing list:</p>
<p
style="font-family:arial,sans-serif;font-size:13px;margin-bottom:0in"><a
moz-do-not-send="true"
href="http://lists.openstack.org/pipermail/openstack/2013-August/000401.html"
target="_blank">http://lists.openstack.org/pipermail/openstack/2013-August/000401.html</a></p>
</div>
</blockquote>
<br>
This is not the first, nor is it the only time that SAML has been
discussed. There has been an ongoing effort toward a general
approach toward Federation, with SAML being the dominant protocol in
the space...but not the only one. <br>
<br>
We have a Federated Identity Blueprint that we have been working on
for a long time:
<a class="moz-txt-link-freetext" href="https://blueprints.launchpad.net/keystone/+spec/federation">https://blueprints.launchpad.net/keystone/+spec/federation</a><br>
<br>
Note the dependency chart at the bottom: we are not going to
implement a SAML specific solution in a vacuum, but rather
integrated into a general Federation approach. <br>
<br>
The short of it is that a SAML assertion (or other document bearing
Authorization attributes) will be mapped to a set of the objects we
have in the Identity backend. These will be mapped to "user has
role in project" and similar authorization attributes, just as the
LDAP and SQL based backends are currently mapped.<br>
<br>
There are mod_auth_saml and other Apache-based modules that we can
use for native code. We will not be supporting custom native code
in Keystone, but we can make use of libraries that are in the major
distributions. I don't think mod_auth_saml currently meets the
needs of Keystone, any more than mod_authN_ldap would, but it is a
pointer in the right direction.<br>
<br>
This discussion belongs on openstack-dev, and not the general
openstack ML.<br>
<blockquote
cite="mid:CAMWF=HT_MVd7cZAgjR2bL-VTSgYftyVKQ2R3XJ1ThXR7uS-Q9g@mail.gmail.com"
type="cite">
<div dir="ltr">
<p
style="font-family:arial,sans-serif;font-size:13px;margin-bottom:0in">The <a
moz-do-not-send="true"
href="https://blueprints.launchpad.net/keystone/+spec/virtual-idp"
target="_blank">initial manifesto</a> was published by Joe
Savak, however, it has been in a drafting stage for quite some
time now and we would like it to gain some traction on the
matter. Maybe this is the time to further discuss the overall <a
moz-do-not-send="true"
href="https://wiki.openstack.org/wiki/File:Virtual_Identity_Providers.png"
target="_blank">architecture</a>, collecting as many
opinions as possible.</p>
<p
style="font-family:arial,sans-serif;font-size:13px;margin-bottom:0in">Our
company (XLAB) has been working on an EU funded Contrail
project. Among other things, we have worked on the components
providing the discussed mechanisms, just using different
technologies (SimpleSAMLphp, a mature SAML solution, also
providing a plethora of other bindings).</p>
<p
style="font-family:arial,sans-serif;font-size:13px;margin-bottom:0in">We
are willing to contribute our time and resources towards the
implementation of this functionality in Python if needed and
working with you on further extension of the idea. We are
currently examining these two SAML libraries that might suit
our (OpenStack's) needs:</p>
<p
style="font-family:arial,sans-serif;font-size:13px;margin-bottom:0in"><a
moz-do-not-send="true" href="http://lasso.entrouvert.org/"
target="_blank">http://lasso.entrouvert.org/</a> (GNU GPL)</p>
<p
style="font-family:arial,sans-serif;font-size:13px;margin-bottom:0in">
<a moz-do-not-send="true"
href="http://pythonhosted.org/authentic2/index.html"
target="_blank">http://pythonhosted.org/authentic2/index.html</a> (GNU
AGPL 3)</p>
<p
style="font-family:arial,sans-serif;font-size:13px;margin-bottom:0in">However,
considering the fact that they are not actively developed anymore
and are, in fact, quite heavy C-backed dependencies, we
might be better off writing our own custom solution, despite
the needed effort to achieve that.</p>
<p
style="font-family:arial,sans-serif;font-size:13px;margin-bottom:0in">We
are looking forward to your reply and to working with you,<br>
Rok Kralj, XLAB research, Slovenia</p>
</div>
<br>
<pre wrap="">_______________________________________________
Mailing list: <a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>
Post to : <a class="moz-txt-link-abbreviated" href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>
Unsubscribe : <a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>
</pre>
</blockquote>
<br>
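A worked illustration of the mapping sketched in the reply above, added here as an example and not code from Keystone or from either message: a constructed SAML assertion is parsed, its audience and expiry are enforced, and its attributes are turned into "user has role in project" tuples through a hypothetical rule table. The rule table, attribute names and hostnames are assumptions, and signature verification is assumed to happen in the SP layer before this code runs.<br>

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical mapping rules: SAML attribute name/value -> (project, role) in Keystone.
ATTRIBUTE_RULES = {
    ("eduPersonAffiliation", "staff"): ("infra", "member"),
    ("eduPersonAffiliation", "admin"): ("infra", "admin"),
    ("memberOf", "cn=contrail-dev"): ("contrail", "member"),
}

def _utc(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))
def parse_assertion(xml_text, expected_audience, now_iso=None):
    """Return (subject, attributes) after enforcing the assertion's audience and expiry."""
    # Assumes the SP layer (e.g. an Apache SAML module) already verified the XML signature;
    # an unsigned or unverified assertion must never reach this point.
    root = ET.fromstring(xml_text)
    now = _utc(now_iso) if now_iso else datetime.now(timezone.utc)
    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotOnOrAfter"):
        raise ValueError("assertion lacks validity conditions")
    if now >= _utc(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    audiences = {a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}
    if expected_audience not in audiences:
        raise ValueError("assertion not addressed to this service")
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return subject, attrs

def map_to_role_assignments(subject, attrs, rules=ATTRIBUTE_RULES):
    """Map attributes to (user, role, project) tuples; values without a rule are ignored."""
    return {(subject, rules[(n, v)][1], rules[(n, v)][0])
            for n, vals in attrs.items() for v in vals if (n, v) in rules}

# Constructed sample assertion (signature element omitted for brevity).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>rok@example.org</saml:NameID></saml:Subject>
  <saml:Conditions NotOnOrAfter="2013-10-14T12:00:00Z">
    <saml:AudienceRestriction><saml:Audience>keystone.example.org</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="eduPersonAffiliation"><saml:AttributeValue>staff</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf"><saml:AttributeValue>cn=contrail-dev</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

Attributes without a rule (such as a mail address) produce no assignment, so the Identity backend only ever sees roles the mapping explicitly grants.<br>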
</body>
</html>