<div dir="ltr">Yes, it makes sense. However, it would work only for a single domain mapping. If you need something more dynamic, then with the current implementation that is not possible.<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Jul 12, 2023 at 7:03 PM James Leong &lt;<a href="mailto:jamesleong123098@gmail.com">jamesleong123098@gmail.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto">Thanks for the explanation. I was thinking of making the domain name part of the oidc-organization, so it would map to the domain dynamically. <div dir="auto"><br></div><div dir="auto">Best,</div><div dir="auto">James</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, 12 Jul 2023, 11:51 am Rafael Weingärtner, &lt;<a href="mailto:rafaelweingartner@gmail.com" target="_blank">rafaelweingartner@gmail.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>The mapping is one to one. You will not be able to easily map N domains that come as attributes from the IdP to a user in Keystone via the current identity federation implementation. We started an initiative to make that more flexible, but the specs were never accepted. You can see specs [1] and [2]. The spec [1] is not about this per se, but it is the base to enable us to better evolve the attribute mapping process without causing backwards impacts. However, it was never accepted. Also, the spec [2] is something that we did to achieve what you want with the domain, but applied at a project level. 
Therefore, if we had those in, it would be easy to expand to other use cases, such as the one you are describing.<br></div><div><br></div><div>[1] <a href="https://review.opendev.org/c/openstack/keystone-specs/+/748042?usp=search" rel="noreferrer" target="_blank">https://review.opendev.org/c/openstack/keystone-specs/+/748042?usp=search</a></div><div>[2] <a href="https://review.opendev.org/c/openstack/keystone-specs/+/748748?usp=search" rel="noreferrer" target="_blank">https://review.opendev.org/c/openstack/keystone-specs/+/748748?usp=search</a></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jul 11, 2023 at 10:26 PM James Leong &lt;<a href="mailto:jamesleong123098@gmail.com" rel="noreferrer" target="_blank">jamesleong123098@gmail.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto">Hi all,<div dir="auto"><br></div><div dir="auto">I have the Yoga version of OpenStack, deployed with kolla-ansible. I am trying to combine different mapping rules, such as allowing users to log in to different domains. However, I am not able to do that in a single JSON file. When I try to include different rules in the same JSON file, only the first rule is being considered. Is there a way to allow multiple rules to redirect users to their accounts in a different domain?</div><div dir="auto"><br></div><div dir="auto">Best,</div><div dir="auto">James</div></div>
</blockquote></div><br clear="all"><br><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature"><div dir="ltr">Rafael Weingärtner</div></div>
</blockquote></div>
</blockquote></div><br clear="all"><br><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature"><div dir="ltr">Rafael Weingärtner</div></div>