[openstack-dev] How to single sign on with windows authentication with Keystone

Adam Young ayoung at redhat.com
Wed May 25 16:20:04 UTC 2016


On 05/25/2016 07:26 AM, OpenStack Mailing List Archive wrote:
> Link: https://openstack.nimeyo.com/85057/?show=85707#c85707
> From: imocha <Imocha at gmail.com>
>
> I am trying to follow the steps. I am able to install ADFS and would 
> like to proceed further.
>
> However, I am having issues with setting up SSL endpoints for Keystone 
> V3. I am using Mitaka. Is there any step that I can use?
>
> I am using packstack to install the Mitaka and wanted to enable SSL 
> for the identity endpoints to work with ADFS for SAML2 flow.
>
We went through a proof of concept for this last summer (FreeIPA and 
Ipsilon, not ADFS).


https://github.com/admiyo/rippowam

Right now I'm working on updating for Keycloak instead of Ipsilon.

The SSL stuff I would like to recommend using Certmonger to manage, but 
I don't know how to tie that in with the ADFS CA. We do it using IPA's 
CA.  You can set up a trust between IPA and AD, which might be your 
easiest path forward.

With a trust, the Keystone server would be registered as a host on the 
FreeIPA server, but would accept Kerberos tickets from ADFS.  If you 
want to completely federate the two, you can do so as well, and then you 
do not need the trust, you just let ADFS issue SAML.
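As an added example (not code from this thread or from the rippowam project), a small Python check that audits a Keystone v3 service catalog for identity endpoints still served over plain HTTP, which is the gap the original question needs closed before the SAML2 flow can be trusted; the service and endpoint records below are constructed samples shaped like the responses of GET /v3/services and GET /v3/endpoints.

```python
"""Audit a Keystone v3 catalog for identity endpoints not served over HTTPS.
The JSON shapes follow Keystone's /v3/services and /v3/endpoints responses;
the sample data here is constructed, not taken from a real deployment."""
import json
from urllib.parse import urlparse

# Constructed sample: one identity service (keystone) and one compute service.
SERVICES_JSON = json.dumps({"services": [
    {"id": "svc-keystone", "type": "identity", "name": "keystone", "enabled": True},
    {"id": "svc-nova", "type": "compute", "name": "nova", "enabled": True},
]})

# Constructed sample: the public identity endpoint is still plain HTTP.
ENDPOINTS_JSON = json.dumps({"endpoints": [
    {"id": "ep1", "service_id": "svc-keystone", "interface": "public",
     "region": "RegionOne", "url": "http://keystone.example.test:5000/v3", "enabled": True},
    {"id": "ep2", "service_id": "svc-keystone", "interface": "admin",
     "region": "RegionOne", "url": "https://keystone.example.test:35357/v3", "enabled": True},
    {"id": "ep3", "service_id": "svc-keystone", "interface": "internal",
     "region": "RegionOne", "url": "https://keystone.internal.test:5000/v3", "enabled": True},
    {"id": "ep4", "service_id": "svc-nova", "interface": "public",
     "region": "RegionOne", "url": "http://nova.example.test:8774/v2.1", "enabled": True},
]})


def find_plaintext_identity_endpoints(services_json, endpoints_json,
                                      interfaces=("public", "admin", "internal")):
    """Return [(endpoint_id, interface, url)] for enabled identity endpoints
    whose URL scheme is not https. SAML assertions and the tokens they are
    exchanged for travel to these URLs, so each interface used by the
    federation flow should be TLS-protected."""
    services = json.loads(services_json)["services"]
    identity_ids = {s["id"] for s in services
                    if s.get("type") == "identity" and s.get("enabled", True)}
    findings = []
    for ep in json.loads(endpoints_json)["endpoints"]:
        if ep.get("service_id") not in identity_ids or not ep.get("enabled", True):
            continue  # not an identity endpoint, or disabled in the catalog
        if ep.get("interface") not in interfaces:
            continue  # caller did not ask about this interface
        if urlparse(ep["url"]).scheme.lower() != "https":
            findings.append((ep["id"], ep["interface"], ep["url"]))
    return findings


if __name__ == "__main__":
    for ep_id, iface, url in find_plaintext_identity_endpoints(SERVICES_JSON, ENDPOINTS_JSON):
        print(f"identity endpoint {ep_id} ({iface}) is not HTTPS: {url}")
```

Against a live deployment the two JSON documents would come from the keystone API with an admin token; the nova endpoint is deliberately ignored because only the identity service is in scope here.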