[Openstack] SAML support in OpenStack

Adam Young ayoung at redhat.com
Wed Oct 16 02:10:13 UTC 2013

On 10/14/2013 09:56 AM, Rok Kralj wrote:
> Hello OpenStack community,
> As you might remember, some time ago we had a quick discussion about 
> supporting the SAML 2.0 protocol for identity management in 
> federations as this is the protocol of big importance in business 
> enterprise. At first, the discussion gained a fair amount of interest. 
> Just to refresh our minds, here is the reference to the discussion on 
> the mailing list:
> http://lists.openstack.org/pipermail/openstack/2013-August/000401.html

This is not the first, nor is it the only time that SAML has been 
discussed.  There has been an ongoing effort toward a general approach 
toward Federation, with SAML being the dominant protocol in the 
space...but not the only one.

We have a Federated Identity Blueprint that we have been working on for 
a long time: https://blueprints.launchpad.net/keystone/+spec/federation

Note the dependency chart at the bottom:  we are not going to implement 
a SAML specific solution in a vacuum, but rather integrated into a 
general Federation approach.

The short of it is that a SAML assertion (or other document bearing 
Authorization attributes) will be mapped to a set of the objects we 
have in the Identity backend.  These will be mapped to "user has role in 
project" and similar authorization attributes just as the LDAP and SQL 
based backends are currently mapped.

There are mod_auth_saml and other Apache-based modules that we can use 
for native code.  We will not be supporting custom native code in 
Keystone, but we can make use of libraries that are in the major 
distributions.  I don't think mod_auth_saml currently meets the needs of 
Keystone, any more than mod_authN_ldap would, but it is a pointer in the 
right direction.

This discussion belongs on the openstack-dev, and not the general 
openstack ML.
> The initial manifesto 
> <https://blueprints.launchpad.net/keystone/+spec/virtual-idp> was 
> published by Joe Savak, however, it has been in a drafting stage for 
> quite some time now and we would like it to gain some traction on the 
> matter. Maybe this is the time to further discuss the overall 
> architecture 
> <https://wiki.openstack.org/wiki/File:Virtual_Identity_Providers.png>, 
> collecting as many opinions as possible.
> Our company (XLAB) has been working on an EU funded Contrail project. 
> Among other things, we have worked on the components providing 
> discussed mechanisms, just using different technologies 
> (SimpleSAMLphp, a mature SAML solution, also providing a plethora of 
> other bindings).
> We are willing to contribute our time and resources towards the 
> implementation of this functionality in Python if needed and working 
> with you on further extension of the idea. We are currently examining 
> these two SAML libraries that might suit our (OpenStack's) needs:
> http://lasso.entrouvert.org/ (GNU GPL)
> http://pythonhosted.org/authentic2/index.html (GNU AGPL 3)
> However, considering the fact they are not actively developed anymore 
> and are in fact quite heavy dependencies backed by C, we might be 
> better off writing our own custom solution, despite the needed effort 
> to achieve that.
> We are looking forward to your reply and to working with you,
> Rok Kralj, XLAB research, Slovenia
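One way to realise the mapping Adam describes, as an added example that is neither Keystone's code nor part of this thread: a constructed SAML assertion has its Conditions (validity window, audience) checked, and only then are its attributes run through a rule table to produce "user has role in project" tuples. The rule table, the sample assertion, the audience URL and the function names are all assumptions made for the example; signature verification is left out and must happen before any of this is trusted.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical mapping rules: (attribute name, value) -> (role, project).
# In a real deployment these would come from configuration, not code.
MAPPING_RULES = {
    ("groups", "cloud-admins"): ("admin", "infra"),
    ("groups", "developers"): ("member", "dev"),
}
# Constructed sample assertion, not real IdP output. Signature verification is
# deliberately out of scope here and must happen before any of this is trusted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2013-10-14T00:00:00Z" NotOnOrAfter="2013-10-14T01:00:00Z">
    <saml:AudienceRestriction><saml:Audience>https://keystone.example.org</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>developers</saml:AttributeValue>
      <saml:AttributeValue>cloud-admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def map_assertion(xml_text, audience, now, rules=MAPPING_RULES):
    """Return (user, sorted (user, role, project) tuples), or raise ValueError
    when the assertion's Conditions do not hold for this service provider."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion carries no Conditions")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (not_before and now < parse_time(not_before)) or \
       (not_on_or_after and now >= parse_time(not_on_or_after)):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise ValueError("assertion not addressed to this audience")
    user = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    assignments = set()  # dedupe: two attribute values may grant the same role
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        for value in attr.findall("saml:AttributeValue", NS):
            rule = rules.get((attr.get("Name"), value.text))
            if rule:
                assignments.add((user,) + rule)
    return user, sorted(assignments)
```

Attribute values with no matching rule grant nothing, so an IdP cannot hand out a role the service provider has not explicitly configured.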
