[openstack-dev] [Keystone] [Horizon] Federated Login

Jesse Pretorius jesse.pretorius at gmail.com
Tue Aug 11 09:55:31 UTC 2015


On 6 August 2015 at 10:02, David Chadwick <d.w.chadwick at kent.ac.uk> wrote:

>
> this is a value judgement that admins take. I think we should allow this
> to be configurable, by either improving the policy engine to allow a
> public access rule (coarse grained), or adding a public/private flag to
> each configured IdP (fine grained)
>

Perhaps an idea which could evolve this and keep the settings in keystone
instead of splitting them between two projects:

1. Have the list of trusted dashboards be set per IDP - this would allow
that dashboard to list that IDP.
2. If an IDP does not have any trusted dashboards listed, then assume that
it's public and fall back to the defaults set in keystone.conf
3. Also enable the policies suggested by David above in order to cover API
security needs. Perhaps there needs to be some other sort of way of doing
fine-grained protection of information here?

This would mean that Coke's dashboard would not be able to list Pepsi's IDP
at all.

The trouble with allowing just a public flag on the IDP list is that
someone in Coke could still type other letters and see the list of other
providers, including Pepsi. Just a public/private flag is not good enough.
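As an added illustration (not code from the thread or from Keystone itself), here is a small model of the three rules proposed above: a per-IdP trusted-dashboard list, a fall-back to the global defaults when that list is empty, and server-side filtering so an untrusted dashboard never receives another tenant's IdP in the first place. The config layout and the IdP and dashboard names are constructed; `DEFAULT_TRUSTED_DASHBOARDS` stands in for the keystone.conf defaults the post mentions.

```python
from urllib.parse import urlsplit

# Constructed sample config. The global list stands in for the keystone.conf
# defaults (rule 2); each IdP may override it with its own list (rule 1).
DEFAULT_TRUSTED_DASHBOARDS = [
    "https://coke.example.com/auth/websso/",
    "https://pepsi.example.com/auth/websso/",
]
IDPS = {
    "coke-idp":   {"trusted_dashboards": ["https://coke.example.com/auth/websso/"]},
    "pepsi-idp":  {"trusted_dashboards": ["https://pepsi.example.com/auth/websso/"]},
    "public-idp": {"trusted_dashboards": []},   # empty list => public, use defaults
}


def _origin(url):
    """Compare dashboards by scheme and host only, so a different path or
    query string on a trusted origin still matches, and an untrusted host
    cannot match by copying a trusted path."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), parts.netloc.lower())


def trusted_dashboards_for(idp, defaults=DEFAULT_TRUSTED_DASHBOARDS):
    """Rules 1 and 2: the IdP's own list if set, otherwise the global defaults."""
    return idp["trusted_dashboards"] or defaults


def dashboard_may_list(dashboard_url, idp, defaults=DEFAULT_TRUSTED_DASHBOARDS):
    """Whether a dashboard is allowed to show this IdP in its login menu."""
    wanted = _origin(dashboard_url)
    return any(_origin(d) == wanted for d in trusted_dashboards_for(idp, defaults))


def visible_idps(dashboard_url, idps=IDPS, defaults=DEFAULT_TRUSTED_DASHBOARDS):
    """IdP names a given dashboard may list or search. Filtering on the
    server side is what closes the 'type other letters' leak: Coke's
    dashboard never receives Pepsi's IdP, so there is nothing to find."""
    return sorted(name for name, idp in idps.items()
                  if dashboard_may_list(dashboard_url, idp, defaults))
```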