Dear all,

I am interested in the integration of SAML with keystone and I am analysing the following blueprint and its implementation:

https://blueprints.launchpad.net/keystone/+spec/saml-id
https://review.openstack.org/#/c/71353/

Looking at the code there is something I cannot understand. In the code it seems you will use apache httpd with mod_shib (or other alternatives) to parse the SAML assertion, and the code inside keystone will read only the values extrapolated by the front-end server. If this is the case, it is not clear to me why you need to register the IdPs, with their certificates, in keystone using the new federation API. You can filter the IdP in the server, so why do you need this extra list? What is the use of the IdP list and the certificate?

Is this implementation still open to discussion, or is the design frozen for the icehouse release?

Thanks in advance,
Marco

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5483 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140220/32723783/attachment.bin>
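The question above concerns the split between a SAML-aware front end (mod_shib) and an application that only consumes the attributes the front end exposes. The following is an added illustration, not code from keystone or from the review under discussion, of why the application still benefits from its own registry of identity providers: mod_shib validates the assertion, but the application must decide which providers it trusts and which user set each one may speak for. The environ key names follow what mod_shib sets by default (`REMOTE_USER`, `Shib-Identity-Provider`); the registry layout, the `domain` field and the sample requests are assumptions constructed for this example.

```python
"""Added illustration (not keystone's own code): accept identity attributes from
the SAML front end only when the asserting IdP is registered on the server side.

mod_shib validates the signature and conditions of the SAML assertion and then
exposes the result to the application as WSGI environ entries (not as
client-supplied HTTP headers, so a browser cannot inject them). What the
application still has to decide is whether the asserting IdP is one it trusts
and which users that IdP is entitled to assert identities for.
"""


class FederationError(Exception):
    """Raised when a request cannot be mapped to a trusted federated identity."""


# Constructed registry: identity providers this service trusts, keyed by the
# SAML entityID mod_shib reports, with the user domain each one may assert.
# (Field names are assumptions for this example.)
REGISTERED_IDPS = {
    "https://idp.example.org/idp/shibboleth": {"domain": "example.org"},
}


def identity_from_environ(environ, registry=REGISTERED_IDPS):
    """Return (idp_entity_id, user, domain) for a request that passed mod_shib.

    Raises FederationError if the request bypassed the SAML front end or if the
    asserting identity provider is not in the registry.  Without the registry
    check, any IdP that the Apache configuration happens to let through could
    assert any username, and the application could not attribute the identity
    to the right domain.
    """
    idp = environ.get("Shib-Identity-Provider")
    user = environ.get("REMOTE_USER")
    if not idp or not user:
        # No attributes at all: the request did not come through mod_shib
        # (or the SP session was missing), so there is nothing to trust.
        raise FederationError("request did not pass through the SAML front end")
    entry = registry.get(idp)
    if entry is None:
        # The assertion was valid SAML, but from a provider we never agreed to
        # trust; mod_shib's metadata filtering and this list are independent
        # controls, and the application-side list is the one it can audit.
        raise FederationError("unregistered identity provider: %s" % idp)
    return idp, user, entry["domain"]


# Constructed sample requests, as the WSGI environ would look after mod_shib.
SAMPLE_TRUSTED = {
    "Shib-Identity-Provider": "https://idp.example.org/idp/shibboleth",
    "REMOTE_USER": "alice",
}
SAMPLE_UNKNOWN_IDP = {
    "Shib-Identity-Provider": "https://idp.other.test/saml",
    "REMOTE_USER": "alice",
}
SAMPLE_NO_FRONTEND = {}


def demo():
    """Run the three constructed requests and report the outcome of each."""
    results = {}
    for name, environ in (("trusted", SAMPLE_TRUSTED),
                          ("unknown_idp", SAMPLE_UNKNOWN_IDP),
                          ("no_frontend", SAMPLE_NO_FRONTEND)):
        try:
            results[name] = identity_from_environ(environ)
        except FederationError as exc:
            results[name] = "rejected: %s" % exc
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-12s %s" % (name, outcome))
```

The registry here is deliberately minimal; a real deployment would also record the IdP's signing certificate so that the application can verify it matches what the front end was configured with, which is the second half of the question above.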