[Openstack] Openstack login via SimpleSamlPHP (LDAP, OAuth, OpenID, etc..)

Brad Topol btopol at us.ibm.com
Wed Aug 7 11:55:23 UTC 2013


Joe,  Tim,

I am seeing a strong interest in keystone federated identity support from 
customers. I was planning on submitting a keystone design summit session 
proposal on this topic where we could discuss the use cases and 
requirements that customers are bringing forward and make sure we get all 
the bases covered. Sounds like you are seeing interest in this as well.

Thanks,

Brad

Brad Topol, Ph.D.
IBM Distinguished Engineer
OpenStack
(919) 543-0646
Internet:  btopol at us.ibm.com
Assistant: Cindy Willman (919) 268-5296



From:   Joe Savak <joe.savak at RACKSPACE.COM>
To:     Tim Bell <Tim.Bell at cern.ch>, "Miller, Mark M (EB SW Cloud - R&D - 
Corvallis)" <mark.m.miller at hp.com>, Rok Kralj <os at rok-kralj.net>, 
"openstack at lists.openstack.org" <openstack at lists.openstack.org>
Date:   08/06/2013 04:06 PM
Subject:        Re: [Openstack] Openstack login via SimpleSamlPHP (LDAP, 
OAuth, OpenID, etc..)



If we allow Keystone to handle the identity federation (both with an 
incoming SAML to token exchange and an outgoing token to SAML exchange), 
then wouldn’t both GUI and CLI SSO be possible?
See here for more information:
https://blueprints.launchpad.net/keystone/+spec/virtual-idp
 
And a pretty picture:
https://wiki.openstack.org/wiki/File:Virtual_Identity_Providers.png
 
Rok – thank you for starting this. I do think your GUI-SSO solution has 
benefits regardless of the language it uses.
 
From: Tim Bell [mailto:Tim.Bell at cern.ch] 
Sent: Tuesday, August 06, 2013 1:05 PM
To: Miller, Mark M (EB SW Cloud - R&D - Corvallis); Rok Kralj; 
openstack at lists.openstack.org
Subject: Re: [Openstack] Openstack login via SimpleSamlPHP (LDAP, OAuth, 
OpenID, etc..)
 
 
I would be very interested in a native SAML for single sign on 
implementation with Horizon login. This would mean Python rather than PHP 
along with potentially (I think) creating a situation where a user can use 
the Web GUI through single sign on but is not able to use the CLI. 
 
Depending on the use cases, this may not be an issue but as far as I 
understand, it is a limitation of the technology at present.
 
Tim
 
 
 
From: Miller, Mark M (EB SW Cloud - R&D - Corvallis) [mailto:mark.m.miller at hp.com] 
Sent: 06 August 2013 19:06
To: Rok Kralj; openstack at lists.openstack.org
Subject: Re: [Openstack] Openstack login via SimpleSamlPHP (LDAP, OAuth, 
OpenID, etc..)
 
How is this different than the new H-2 split backend functionality?
 
From: Rok Kralj [mailto:os at rok-kralj.net] 
Sent: Tuesday, August 06, 2013 5:38 AM
To: openstack at lists.openstack.org
Subject: [Openstack] Openstack login via SimpleSamlPHP (LDAP, OAuth, 
OpenID, etc..)
 
As far as I know, the ability to log in to OpenStack via an arbitrary 
Identity Provider (IdP) is a widely desired feature. Therefore, we have 
decided to integrate Keystone & Horizon with Simple Saml PHP, since it 
provides a lot of AUTH sources (aka IdPs), for example LDAP, database, 
Facebook, etc. Check out our effort in this short video (40s):
 
http://www.youtube.com/watch?v=qmJAumoh4U8
 
For more, the instructions and a short introduction are available in the 
attached readme.pdf.
 
Feedback is really appreciated.