[Openstack-operators] [keystone] Federation, domain mappings and v3 policy.json

Adam Young ayoung at redhat.com
Tue Jun 14 02:12:51 UTC 2016


On 06/13/2016 07:08 PM, Marc Heckmann wrote:
> Hi,
>
> I currently have a lab setup using SAML2 federation with Microsoft
> ADFS.
>
> The federation part itself works wonderfully. However, I'm also trying
> to use the new project as domains feature along with the Keystone v3
> sample policy.json file for Keystone:
>
> The idea is that I should be able to map users who are in a specific
> group in Active Directory to the admin role in a specific domain. This
> should work for Keystone with the sample v3 policy (let's ignore
> problems with the admin role in other projects such as Nova). In this
> case I'm using the new project as domains feature, but I suspect that
> the problem would apply to regular domains as well.
>
> The mapping works properly with the important caveat that the user
> domain does not match the domain of the project(s) that I'm assigning
> the admin role to. Users who come in from Federation always belong to
> the "Federated" domain. This is the case even if I pre-create the users
> locally in a specific domain. This breaks sample v3 policy.json because
> the rules expect the user's domain to match the project's domain.
>
> Does anyone know if there is any way to achieve what I'm trying to do
> when using Federation?

Can you post your mapping file?  Might be easier to tell from that what 
you are trying to do?

>
> Thanks in advance.
>
> -m
>
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
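
As an added illustration (not code from either poster), the following Python sketch shows the two pieces the thread talks about side by side: a constructed Keystone federation mapping rule of the kind the reply asks for, and a minimal evaluator for policy rules in the style of the sample v3 cloud policy. The attribute names `UPN` and `GROUPS`, the AD group `OpenStack-Admins`, the Keystone group `admins`, the domain `acme` and the user `alice@corp.example` are all assumptions; the policy text is a paraphrase of the sample file's `admin_and_matching_target_project_domain_id` pattern, not a copy of it. Running it shows why the mapping alone is not enough: the group membership grants the `admin` role, but the domain-matching term compares the user's own domain (`Federated` for federated users, as described above) with the project's domain, so the check fails even though the role is present.

```python
import re

# Constructed mapping rule: members of the AD group "OpenStack-Admins" become
# Keystone users named after their UPN and are put into the group "admins" in
# the domain "acme".  All names here are assumptions, not values from the thread.
MAPPING = {
    "rules": [
        {
            "local": [
                {"user": {"name": "{0}"}},
                {"group": {"name": "admins", "domain": {"name": "acme"}}},
            ],
            "remote": [
                {"type": "UPN"},
                {"type": "GROUPS", "any_one_of": ["OpenStack-Admins"]},
            ],
        }
    ],
}

# Constructed assertion as keystone sees it once the Apache SAML module has
# exposed the claims (multi-valued attributes are ';'-separated).
ASSERTION = {"UPN": "alice@corp.example", "GROUPS": "Domain Users;OpenStack-Admins"}


def apply_mapping(mapping, assertion):
    """Return the local identity the first matching rule produces, or None.

    Covers only the subset of mapping semantics used above: every 'remote'
    entry must be present, 'any_one_of' must match at least one value, and
    '{n}' in local values refers to the n-th remote value.
    """
    for rule in mapping["rules"]:
        values = []
        matched = True
        for remote in rule["remote"]:
            raw = assertion.get(remote["type"])
            if raw is None:
                matched = False
                break
            parts = raw.split(";")
            if "any_one_of" in remote and not set(parts) & set(remote["any_one_of"]):
                matched = False
                break
            values.append(raw)
        if not matched:
            continue
        local = {}
        for item in rule["local"]:
            for key, spec in item.items():
                local[key] = {k: (v.format(*values) if isinstance(v, str) else v)
                              for k, v in spec.items()}
        return local
    return None


# Simplified rules modelled on the sample v3 cloud policy (paraphrased, not copied).
POLICY = {
    "admin_required": "role:admin",
    "admin_and_matching_target_project_domain_id":
        "rule:admin_required and domain_id:%(target.project.domain_id)s",
    "identity:update_project": "rule:admin_and_matching_target_project_domain_id",
}


def enforce(rule_name, creds, target):
    """Tiny evaluator for the 'a and b', 'role:', 'rule:' and 'attr:%(key)s' forms."""
    for term in POLICY[rule_name].split(" and "):
        kind, _, value = term.partition(":")
        if kind == "rule":
            if not enforce(value, creds, target):
                return False
        elif kind == "role":
            if value not in creds["roles"]:
                return False
        else:
            # Compare a credential attribute against a target attribute.
            m = re.fullmatch(r"%\((.+)\)s", value)
            expected = target[m.group(1)] if m else value
            if creds.get(kind) != expected:
                return False
    return True


def federated_admin_can_update_acme_project():
    # The group gave the user the admin role, but a federated user's own domain
    # is "Federated", not "acme": the situation the thread describes.
    creds = {"roles": ["admin"], "domain_id": "Federated"}
    return enforce("identity:update_project", creds, {"target.project.domain_id": "acme"})


def local_admin_can_update_acme_project():
    creds = {"roles": ["admin"], "domain_id": "acme"}
    return enforce("identity:update_project", creds, {"target.project.domain_id": "acme"})


if __name__ == "__main__":
    print(apply_mapping(MAPPING, ASSERTION))
    print("federated admin:", federated_admin_can_update_acme_project())  # False
    print("local admin:", local_admin_can_update_acme_project())          # True
```

The evaluator is deliberately minimal (no `or`, no parentheses, no `not`) so the domain comparison is easy to follow; what it does reproduce is the shape of the check that bites here: `domain_id:%(target.project.domain_id)s` is satisfied by the user's domain, not by the domain of the group that carries the role assignment.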
