[openstack-dev] [keystone] Single Sign On integration research

Kseniya Tychkova ktychkova at mirantis.com
Tue Mar 8 14:12:37 UTC 2016

as you may know currently Keystone supports Single Sign-On (SSO) and as I
think it is one of the most interesting features in Keystone.
I've done research on Single Sign-On in Keystone. Practically I just tried
to set up Keystone in 2 different configuration.
As a result of my research I have 2 blog posts and I would like to share
links with you:

*1. Keystone Service Provider with Shibboleth Identity Provider (WebSSO
( http://xuctarine.blogspot.ru/2016/02/keystone-service-provider-with.html )
Post describes how to step-by-step deploy Shibboleth Identity Provider with
Keystone Service Provider.
This configuration is interesting because you can easily replace Shibboleth
Identity Provider
with any other Identity Provider with SAML support.
So it is, I think, most popular use case for SSO in Keystone.

*2. How to setup Keystone with Shibboleth (ECP profile):
Post describes how to deploy Keystone Identity Provider with Keystone
Service Provider.
It is Keystone-to-Keystone configuration and it uses ECP profile (Enhanced
Client or Proxy) of SAML Protocol.
A lot of information for this post I took from rodrigods blog (

I hope my posts will help you to deploy/configure SSO or at least will be
interesting to take a look at SSO feature in Keystone.

Kind regards, Kseniya
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160308/d3f8c36e/attachment.html>

More information about the OpenStack-dev mailing list