[openstack-dev] [Keystone] Alternative federation mapping
marek.denis at cern.ch
Sun Nov 2 20:55:15 UTC 2014
It indeed looks interesting and enhancing the mapping engine is on ours
to-do list for a long time. I'd be happy to talk this through during the
summit. Do you think you will be able to come for a Keystone
websso/federation Design Session on Wednesday at 16.30?
On 02.11.2014 18:29, John Dennis wrote:
> While working on federated authentication for a different project
> (OpenDaylight) we discovered we needed to map from the assertion
> provided by an external federated IdP to local values. This is
> essentially the same requirement which exists in Keystone's federated
> support. It was hoped we could simply borrow the Keystone mapping
> implementation but it was found to be too limiting and not sufficiently
> expressive. We could not find another alternative so we designed a new
> mapper which is described in this PDF.
> The mapper as described in the document has implementations in both Java
> and Python. The Java implementation is currently in use in OpenDaylight
> (a Java based project). For those interested I can provide a pointer to
> OpenDaylight specific documentation on how this mapper is used in
> conjunction with the Apache web server providing authentication and SSSD
> providing identity attributes to a Java servlet container.
> My goal here is to make Keystone developers aware of an alternative
> mapper which may provide needed mapping features not currently available
> and for which different language implementations already exist. Note,
> the mapper is easily extended should a need arise.
> Source code and documentation can be found here by cloning this git repo:
> git clone git://fedorapeople.org/~jdennis/federated-mapping.git
> Note, I put this git repo together quickly by pulling together things
> from a variety of sources, as such there may be things needing to be
> cleaned up in the repo, at the moment it's really just meant to browse.
> Over the next few days I'll make sure everything builds and executes
> cleanly. Posting this now in case folks want to have conversations at
> the Paris Summit.
More information about the OpenStack-dev