[openstack-dev] [Keystone][FFE] ECP wrapped assertions
marek.denis at cern.ch
Tue Mar 24 08:51:14 UTC 2015
I strongly support this request.
On 23.03.2015 22:42, Steve Martinelli wrote:
> I'd like to request an exemption for the following to go into the Kilo
> This work is crucial for:
> - Keystone to Keystone communication. An ECP wrapped SAML assertion
> will make it much easier for consumers and clients to use the K2K
> feature in Keystone. Currently, a client must take the generated SAML
> response and must prepare the ECP envelope themselves. This should be
> handled by Keystone, and not the clients. The client should be able to
> ask for the ECP wrapped assertion and hand it off to another Keystone.
> Why this needs an FFE?
> - To properly create an ECP wrapped SAML assertion, a relay state
> property must be known (as it's used to compute a value in an ECP
> specific field). This depends on how the service provider has their
> mod_shib configured. We will need to add a new property to the
> keystone resource 'service provider' - the spec change is here:
> Status of the work:
> - The patches necessary for this feature already and split into two
> patches. 1) To add a new relay_state_prefix property to the service
> provider resource: https://review.openstack.org/#/c/166078/ and 2) to
> actually use this new property in order to generate the ECP assertion:
> Steve Martinelli
> OpenStack Keystone Core
OpenStack Keystone Core