[openstack-dev] Keystone and Multiple Identity Sources
David Chadwick
d.w.chadwick at kent.ac.uk
Thu Sep 12 08:15:22 UTC 2013
On 11/09/2013 22:05, Adam Young wrote:
>>
>> What's the use case for including providers in the service catalog?
>> i.e. why do Identity API clients need to be aware of the Identity
>> Providers?
> In the federation protocol API, the user can specify the IdP that they
> are using. Keystone needs to know what are the set of acceptable IdPs,
> somehow. The first thought was reuse of the Service catalog.
> It probably makes sense to let an administrator enumerate the IdPs
> registered with Keystone, and what protocol each supports.
There are several reasons why Keystone needs to be aware of which IDPs
are out there.
1. Trust. Keystone administrators will only trust a subset of available
IDPs, and this information needs to be configured into Keystone in some way
2. Discovery. Keystone needs to be able to discover details of which
IDPs are trusted and how to contact them (meta data). This needs to be
configured into Keystone somehow
3. Helping the user. The user might needs to know which IdPs it can use
and which it cannot, so Keystone may need to provide the user with a
list of IdPs to choose from.
Using the service catalog to hold the above information was a pragmatic
implementation decision that Kent made. What is conceptually needed is a
directory service that Keystone can contact to find out the required
information. So we should design federated keystone to have a directory
service interface, and then implementors may choose to use the service
catalog or something else to fulfil this function
regards
David
More information about the OpenStack-dev
mailing list