[openstack-dev] [openstack-ansible][keystone] Federation beyond Shibboleth

Jesse Pretorius jesse.pretorius at gmail.com
Tue Aug 11 10:21:20 UTC 2015


Hi everyone,

Yesterday we released an implementation of Keystone as a Federated Service
Provider as part of the openstack-ansible deployment tooling [1].

This is a starting implementation which was purposefully scoped to only use
Shibboleth and only support SAML2. The scope was limited due to the
complexity of getting it working in the first place, but also as this was
seen to be the use-case which would give the most value.

The implementation, however, was done in a manner which we believe is
reasonably extendable to accommodate other protocols including OpenID,
Kerberos, etc. It should also be reasonably easy to develop the Mellon SAML
implementation instead of the Shibboleth module, although that would
probably be slightly more complex. Our spec [2] has already covered these
extensions, so all we'd need to do is define blueprints to cover them and
target them at specific milestones.

We'd like to ask whether others would be interested in diving in to
implement the additional protocols, to implement the alternative
mod_auth_mellon and also to apply other improvements as we roll on towards
the target of releasing Liberty.

We're happy to work alongside anyone who's not familiar with
openstack-ansible, or even ansible, to set up a test environment (this can
be done in about an hour) and to prepare a patch for review.

If you have any questions or comments, please feel free to contact me via
email or on IRC.

Best regards,

Jesse
IRC: odyssey4me

[1] http://lists.openstack.org/pipermail/openstack-dev/2015-August/071748.html
[2] https://github.com/stackforge/os-ansible-deployment-specs/blob/master/specs/kilo/keystone-federation.rst