Open Stack

Thanks for the explanation. I was thinking to make the domain name as part
of the oidc-organization, so it would map to the domain dynamically.

Best,
James

On Wed, 12 Jul 2023, 11:51 am Rafael Weingärtner, <
rafaelweingartner at gmail.com> wrote:

> The mapping is one to one. You will not be able to easily map N domains
> that come as attributes from the IdP to a user in Keystone via the current
> identity federation implementation. We started an initiative to make that
> more flexible, but the specs were never accepted. You can see specs [1] and
> [2]. The spec [1] is not about this per se, but it is the base to enable us
> to better evolve the attribute mapping process without causing backwards
> impacts. However, it was never accepted. Also, the spec [2] is something
> that we did to achieve what you want with the domain, but applied at a
> project level. Therefore, if we had those in, it would be easy to expand to
> other use cases, such as the one you are describing.
>
> [1]
> https://review.opendev.org/c/openstack/keystone-specs/+/748042?usp=search
> [2]
> https://review.opendev.org/c/openstack/keystone-specs/+/748748?usp=search
>
> On Tue, Jul 11, 2023 at 10:26 PM James Leong <jamesleong123098 at gmail.com>
> wrote:
>
>> Hi all,
>>
>> I have yoga version openstack with the deployment tool of kolla-ansible.
>> I am trying to combine different mapping rules such as allowing user to
>> login to different domain. However, I am not able to do that in a single
>> JSON file. When I try to include different rule in the same JSON file, only
>> the first rule is being considered. Is there a way to allow multiple rule
>> to redirect user to their account in a different domain.
>>
>> Best,
>> James
>>
>
>
> --
> Rafael Weingärtner
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.openstack.org/pipermail/openstack-discuss/attachments/20230712/2fc79ad7/attachment.htm>