[openstack-dev] [Keystone][FFE] ECP wrapped assertions

Marek Denis marek.denis at cern.ch
Tue Mar 24 08:51:14 UTC 2015


I strongly support this request.

On 23.03.2015 22:42, Steve Martinelli wrote:
> I'd like to request an exemption for the following to go into the Kilo 
> release.
> This work is crucial for:
> -  Keystone to Keystone communication. An ECP wrapped SAML assertion 
> will make it much easier for consumers and clients to use the K2K 
> feature in Keystone. Currently, a client must take the generated SAML 
> response and must prepare the ECP envelope themselves. This should be 
> handled by Keystone, and not the clients. The client should be able to 
> ask for the ECP wrapped assertion and hand it off to another Keystone.
> Why this needs an FFE?
> - To properly create an ECP wrapped SAML assertion, a relay state 
> property must be known (as it's used to compute a value in an ECP 
> specific field). This depends on how the service provider has their 
> mod_shib configured. We will need to add a new property to the 
> keystone resource 'service provider' - the spec change is here: 
> https://review.openstack.org/#/c/166086/
> Status of the work:
> - The patches necessary for this feature already exist and are split into two 
> patches. 1) To add a new relay_state_prefix property to the service 
> provider resource: https://review.openstack.org/#/c/166078/ and 2) to 
> actually use this new property in order to generate the ECP assertion: 
> https://review.openstack.org/#/c/162866/
> Thanks,
> Steve Martinelli
> OpenStack Keystone Core

Marek Denis
OpenStack Keystone Core