The mapping is one-to-one. You will not be able to easily map N domains that come as attributes from the IdP to a user in Keystone via the current identity federation implementation. We started an initiative to make that more flexible, but the specs were never accepted. You can see specs [1] and [2]. The spec [1] is not about this per se, but it is the base to enable us to better evolve the attribute mapping process without causing backwards impacts. However, it was never accepted. Also, the spec [2] is something that we did to achieve what you want with the domain, but applied at a project level. Therefore, if we had those in, it would be easy to expand to other use cases, such as the one you are describing.