[Openstack-operators] [keystone] Federation, domain mappings and v3 policy.json

Marc Heckmann marc.heckmann at ubisoft.com
Mon Jun 13 23:08:28 UTC 2016


Hi,

I currently have a lab setup using SAML2 federation with Microsoft ADFS.

The federation part itself works wonderfully. However, I'm also trying
to use the new project as domains feature along with the Keystone v3
sample policy.json file for Keystone:

The idea is that I should be able to map users who are in a specific
group in Active Directory to the admin role in a specific domain. This
should work for Keystone with the sample v3 policy (let's ignore
problems with the admin role in other projects such as Nova). In this
case I'm using the new project as domains feature, but I suspect that
the problem would apply to regular domains as well.

The mapping works properly with the important caveat that the user
domain does not match the domain of the project(s) that I'm assigning
the admin role to. Users who come in from Federation always belong to
the "Federated" domain. This is the case even if I pre-create the users
locally in a specific domain. This breaks sample v3 policy.json because
the rules expect the user's domain to match the project's domain. 

Does anyone know if there is any way to achieve what I'm trying to do
when using Federation?

Thanks in advance.

-m
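To make the domain mismatch described above concrete, here is an added example (not from the post, not Keystone code) that evaluates a constructed subset of rules modelled on Keystone's v3 sample policy: a federated admin whose token carries the "Federated" domain fails the `domain_id:%(domain_id)s` check against a project in another domain, while a local admin in that domain passes. The rule names, the `evaluate`/`can_create_project` helpers and the domain ids are assumptions for illustration.

```python
"""Minimal evaluator for oslo.policy-style rule strings (constructed example).

Supports 'rule:<name>', 'role:<name>' and generic 'attr:%(attr)s' atoms joined
by 'and'/'or' without parentheses, which is enough for the sample rules below.
"""
import re

# Constructed rules modelled on Keystone's v3 cloud sample policy (simplified).
RULES = {
    "admin_required": "role:admin",
    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
    "identity:create_project": "rule:admin_and_matching_domain_id",
}


def _check(atom, creds, target):
    """Evaluate one 'kind:value' atom against token creds and the API target."""
    kind, value = atom.split(":", 1)
    if kind == "rule":
        return evaluate(value, creds, target)
    if kind == "role":
        return value in creds.get("roles", [])
    # Generic check: 'domain_id:%(domain_id)s' compares the credential
    # attribute with the target attribute named inside %(...)s.
    m = re.fullmatch(r"%\((\w+)\)s", value)
    if m:
        return creds.get(kind) is not None and creds.get(kind) == target.get(m.group(1))
    return creds.get(kind) == value


def evaluate(rule, creds, target):
    """Expand a named rule if known; 'or' binds loosest, then 'and'."""
    expression = RULES.get(rule, rule)
    return any(
        all(_check(atom.strip(), creds, target) for atom in conj.split(" and "))
        for conj in expression.split(" or ")
    )


def can_create_project(creds, target):
    return evaluate("identity:create_project", creds, target)


# Constructed token credentials: the federated admin always lands in the
# "federated" domain, the local admin lives in the project's own domain.
FEDERATED_ADMIN = {"roles": ["admin"], "domain_id": "federated"}
LOCAL_ADMIN = {"roles": ["admin"], "domain_id": "acme"}
ACME_PROJECT = {"domain_id": "acme"}  # target of identity:create_project

if __name__ == "__main__":
    for label, creds in (("federated admin", FEDERATED_ADMIN), ("local admin", LOCAL_ADMIN)):
        print(label, "->", can_create_project(creds, ACME_PROJECT))
```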
