[openstack-dev] [Keystone][FFE] ECP wrapped assertions

Steve Martinelli stevemar at ca.ibm.com
Mon Mar 23 21:42:24 UTC 2015

I'd like to request an exemption for the following to go into the Kilo 

This work is crucial for:
-  Keystone to Keystone communication. An ECP wrapped SAML assertion will 
make it much easier for consumers and clients to use the K2K feature in 
Keystone. Currently, a client must take the generated SAML response and 
must prepare the ECP envelope themselves. This should be handled by 
Keystone, and not the clients. The client should be able to ask for the 
ECP wrapped assertion and hand it off to another Keystone.

Why this needs an FFE?
- To properly created an ECP wrapped a SAML assertion, a relay state 
property must be known, (as it's used to compute a value in an ECP 
specific field). This depends on how the service provider has their 
mod_shib configured. We will need to add a new property to the keystone 
resource 'service provider' - the spec change is here: 

Status of the work:
- The patches necessary for this feature already and split into two 
patches. 1) To add a new relay_state_prefix property to the service 
provider resource: https://review.openstack.org/#/c/166078/ and 2) to 
actually use this new property in order to generate the ECP assertion: 


Steve Martinelli
OpenStack Keystone Core
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150323/d5c0241a/attachment.html>

More information about the OpenStack-dev mailing list