[openstack-dev] How to single sign on with windows authentication with Keystone
ayoung at redhat.com
Wed May 25 16:20:04 UTC 2016
On 05/25/2016 07:26 AM, OpenStack Mailing List Archive wrote:
> Link: https://openstack.nimeyo.com/85057/?show=85707#c85707
> From: imocha <Imocha at gmail.com>
> I am trying to follow the steps. I am able to install ADFS and would
> like to proceed further.
> However, I am having issues with setting up SSL endpoints for Keystone
> V3. I am using Mitaka. Is there any step that I can use.
> I am using packstack to install the Mitaka and wanted to enable SSL
> for the identity endpoints to work with ADFS for SAML2 flow.
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
We went through a proof of concept for this last summer (FreeIPA and
Ipsilon, not ADFS)
Right now I'm working on updating for Keycloak instead of Ipsilon.
The SSL stuff I would like to recommend using Certmonger to manage, but
I don't know how to tie that in with the ADFS CA. We do it using IPA's
CA. You can set up a trust between IPA and and AD, which might be your
easiest path forward.
With a trust, the Keystone server would be registered as a host on the
FreeIPA server, but would accept Kerberos tickets from ADFS. If you
want to completely federate the two, you can do so as well, and then you
do not need the trust, you just let ADFS issue SAML.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the OpenStack-dev