[Openstack] best practise to add SAML into keystone deployment and keep local auth?

Don Waterloo don.waterloo at gmail.com
Fri Nov 14 15:13:11 UTC 2014


On 14 November 2014 10:05, Matthieu Huin <matthieu.huin at enovance.com> wrote:

> Hello Don,
>
> Federation and regular auth are distinct and can coexist. Furthermore,
> you'll need to specify the auth
> method when you're using openstackclient (or the auth plugin if you are
> using the keystoneclient library)
> so your users will take different paths depending on how they need to
> authenticate anyway.
> You might even define your federation mapping so that the users from your
> saml system get mapped to
> existing keystone users. I believe it is what you will have to do if you
> want to keep your user = tenant
> relationship.
>
>
Thanks for the info.

How would I specify the auth method from e.g. the CLI?
So e.g. using the 'nova' command line client, I don't think it's 'os-auth-system',
which is currently keystone, but maybe that's what it is?

I see some of this in e.g.
https://github.com/openstack/python-novaclient/blob/master/novaclient/auth_plugin.py

but I'm not sure what that would translate to on the CLI.