[openstack-dev] [Keystone] Alternative federation mapping

John Dennis jdennis at redhat.com
Sun Nov 2 17:29:37 UTC 2014

While working on federated authentication for a different project
(OpenDaylight) we discovered we needed to map from the assertion
provided by an external federated IdP to local values. This is
essentially the same requirement which exists in Keystone's federated
support. It was hoped we could simply borrow the Keystone mapping
implementation but it was found to be too limiting and not sufficiently
expressive. We could not find another alternative so we designed a new
mapper which is described in this PDF.


The mapper as described in the document has implementations in both Java
and Python. The Java implementation is currently in use in OpenDaylight
(a Java based project). For those interested I can provide a pointer to
OpenDaylight specific documentation on how this mapper is used in
conjunction with the Apache web server providing authentication and SSSD
providing identity attributes to a Java servlet container.

My goal here is to make Keystone developers aware of an alternative
mapper which may provide needed mapping features not currently available
and for which different language implementations already exist. Note,
the mapper is easily extended should a need arise.

Source code and documentation can be found here by cloning this git repo:

git clone git://fedorapeople.org/~jdennis/federated-mapping.git

Note, I put this git repo together quickly by pulling together things
from a variety of sources, as such there may be things needing to be
cleaned up in the repo, at the moment it's really just meant to browse.
Over the next few days I'll make sure everything builds and executes
cleanly. Posting this now in case folks want to have conversations at
the Paris Summit.


More information about the OpenStack-dev mailing list