[openstack-dev] [Keystone] Alternative federation mapping

Marek Denis marek.denis at cern.ch
Sun Nov 2 20:55:15 UTC 2014

Hi John,

It indeed looks interesting and  enhancing the mapping engine is on ours 
to-do list for a long time. I'd be happy to talk this through during the 
summit. Do you think you will be able to come for a Keystone 
websso/federation Design Session on Wednesday at 16.30?



On 02.11.2014 18:29, John Dennis wrote:
> While working on federated authentication for a different project
> (OpenDaylight) we discovered we needed to map from the assertion
> provided by an external federated IdP to local values. This is
> essentially the same requirement which exists in Keystone's federated
> support. It was hoped we could simply borrow the Keystone mapping
> implementation but it was found to be too limiting and not sufficiently
> expressive. We could not find another alternative so we designed a new
> mapper which is described in this PDF.
> https://jdennis.fedorapeople.org/doc/mapping.pdf
> The mapper as described in the document has implementations in both Java
> and Python. The Java implementation is currently in use in OpenDaylight
> (a Java based project). For those interested I can provide a pointer to
> OpenDaylight specific documentation on how this mapper is used in
> conjunction with the Apache web server providing authentication and SSSD
> providing identity attributes to a Java servlet container.
> My goal here is to make Keystone developers aware of an alternative
> mapper which may provide needed mapping features not currently available
> and for which different language implementations already exist. Note,
> the mapper is easily extended should a need arise.
> Source code and documentation can be found here by cloning this git repo:
> git clone git://fedorapeople.org/~jdennis/federated-mapping.git
> Note, I put this git repo together quickly by pulling together things
> from a variety of sources, as such there may be things needing to be
> cleaned up in the repo, at the moment it's really just meant to browse.
> Over the next few days I'll make sure everything builds and executes
> cleanly. Posting this now in case folks want to have conversations at
> the Paris Summit.

More information about the OpenStack-dev mailing list