[openstack-dev] [Keystone][FFE] ECP wrapped assertions
Steve Martinelli
stevemar at ca.ibm.com
Mon Mar 23 21:42:24 UTC 2015
I'd like to request an exemption for the following to go into the Kilo
release.
This work is crucial for:
- Keystone to Keystone communication. An ECP wrapped SAML assertion will
make it much easier for consumers and clients to use the K2K feature in
Keystone. Currently, a client must take the generated SAML response and
must prepare the ECP envelope themselves. This should be handled by
Keystone, and not the clients. The client should be able to ask for the
ECP wrapped assertion and hand it off to another Keystone.
Why does this need an FFE?
- To properly create an ECP wrapped SAML assertion, a relay state
property must be known (as it's used to compute a value in an ECP
specific field). This depends on how the service provider has their
mod_shib configured. We will need to add a new property to the keystone
resource 'service provider' - the spec change is here:
https://review.openstack.org/#/c/166086/
Status of the work:
- The patches necessary for this feature already exist and are split into two
patches. 1) To add a new relay_state_prefix property to the service
provider resource: https://review.openstack.org/#/c/166078/ and 2) to
actually use this new property in order to generate the ECP assertion:
https://review.openstack.org/#/c/162866/
Thanks,
Steve Martinelli
OpenStack Keystone Core