[openstack-dev] [Keystone] [Horizon] Federated Login

Dolph Mathews dolph.mathews at gmail.com
Wed Aug 5 17:36:48 UTC 2015


On Wed, Aug 5, 2015 at 5:39 AM, David Chadwick <d.w.chadwick at kent.ac.uk>
wrote:

>
>
> On 04/08/2015 18:59, Steve Martinelli wrote:
> > Right, but that API is/should be protected. If we want to list IdPs
> > *before* authenticating a user, we either need: 1) a new API for listing
> > public IdPs or 2) a new policy that doesn't protect that API.
>
> Hi Steve
>
> yes this was my understanding of the discussion that took place many
> months ago. I had assumed (wrongly) that something had been done about
> it, but I guess from your message that we are no further forward on this
> Actually 2) above might be better reworded as - a new policy/engine that
> allows public access to be a bona fide policy rule
>

The existing policy simply seems wrong. Why protect the list of IdPs?


>
> regards
>
> David
>
> >
> > Thanks,
> >
> > Steve Martinelli
> > OpenStack Keystone Core
> >
> > Inactive hide details for Lance Bragstad ---2015/08/04 01:49:29 PM---On
> > Tue, Aug 4, 2015 at 10:52 AM, Douglas Fish <drfish at us.iLance Bragstad
> > ---2015/08/04 01:49:29 PM---On Tue, Aug 4, 2015 at 10:52 AM, Douglas
> > Fish <drfish at us.ibm.com> wrote: > Hi David,
> >
> > From: Lance Bragstad <lbragstad at gmail.com>
> > To: "OpenStack Development Mailing List (not for usage questions)"
> > <openstack-dev at lists.openstack.org>
> > Date: 2015/08/04 01:49 PM
> > Subject: Re: [openstack-dev] [Keystone] [Horizon] Federated Login
> >
> > ------------------------------------------------------------------------
> >
> >
> >
> >
> >
> > On Tue, Aug 4, 2015 at 10:52 AM, Douglas Fish <_drfish at us.ibm.com_
> > <mailto:drfish at us.ibm.com>> wrote:
> >
> >     Hi David,
> >
> >     This is a cool looking UI. I've made a minor comment on it in
> InVision.
> >
> >     I'm curious if this is an implementable idea - does keystone support
> >     large
> >     numbers of 3rd party idps? is there an API to retreive the list of
> >     idps or
> >     does this require carefully coordinated configuration between
> >     Horizon and
> >     Keystone so they both recognize the same list of idps?
> >
> >
> > There is an API call for getting a list of Identity Providers from
> Keystone
> >
> > _
> http://specs.openstack.org/openstack/keystone-specs/api/v3/identity-api-v3-os-federation-ext.html#list-identity-providers_
> >
> >
> >
> >     Doug Fish
> >
> >
> >     David Chadwick <_d.w.chadwick at kent.ac.uk_
> >     <mailto:d.w.chadwick at kent.ac.uk>> wrote on 08/01/2015 06:01:48 AM:
> >
> >     > From: David Chadwick <_d.w.chadwick at kent.ac.uk_
> >     <mailto:d.w.chadwick at kent.ac.uk>>
> >     > To: OpenStack Development Mailing List
> >     <_openstack-dev at lists.openstack.org_
> >     <mailto:openstack-dev at lists.openstack.org>>
> >     > Date: 08/01/2015 06:05 AM
> >     > Subject: [openstack-dev]  [Keystone] [Horizon] Federated Login
> >     >
> >     > Hi Everyone
> >     >
> >     > I have a student building a GUI for federated login with Horizon.
> The
> >     > interface supports both a drop down list of configured IDPs, and
> also
> >     > Type Ahead for massive federations with hundreds of IdPs.
> Screenshots
> >     > are visible in InVision here
> >     >
> >     > _https://invis.io/HQ3QN2123_
> >     >
> >     > All comments on the design are appreciated. You can make them
> directly
> >     > to the screens via InVision
> >     >
> >     > Regards
> >     >
> >     > David
> >     >
> >     >
> >     >
> >     >
> >
>  __________________________________________________________________________
> >     > OpenStack Development Mailing List (not for usage questions)
> >     > Unsubscribe:_
> >     __OpenStack-dev-request at lists.openstack.org?subject:unsubscribe_
> >     <
> http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe>
> >     > _
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev_
> >     >
> >
> >
> >
>  __________________________________________________________________________
> >     OpenStack Development Mailing List (not for usage questions)
> >     Unsubscribe:
> >     _OpenStack-dev-request at lists.openstack.org?subject:unsubscribe_
> >     <
> http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe>_
> >     __http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev_
> >
> >
> __________________________________________________________________________
> > OpenStack Development Mailing List (not for usage questions)
> > Unsubscribe:
> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >
> >
> >
> >
> >
> __________________________________________________________________________
> > OpenStack Development Mailing List (not for usage questions)
> > Unsubscribe:
> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150805/05958670/attachment.html>


More information about the OpenStack-dev mailing list