[Openstack] best practise to add SAML into keystone deployment and keep local auth?
Adam Young
ayoung at redhat.com
Fri Nov 14 15:29:12 UTC 2014
On 11/14/2014 09:32 AM, Don Waterloo wrote:
> I have a system (juno/ubuntu 14.10) which currently has keystone as
> the master of the universe for identity and authentication.
> By convention, each user of my system is also a tenant, which is my
> intent to continue.
> My system is used by a combination of our team members, but also by
> 3rd parties (e.g. we use it for training on our products).
>
> I would like to make our saml system authoritative for identity/auth
> for the team members, but leave keystone authoritative for 3rd parties.
>
> Is there any documentation on someone who has such a system, or, is there
> any recommended best practices to follow?
So the intent is to split things up by domain. I would say that your
existing users should be in one domain (or multiple if they are
already) and Federated/SAML users would go into... limbo today, as
federated users are kind of domainless. I'd like to fix that (each IdP
has a minimum of one domain).
The term "tenant" is kind of confusing here. I think what you are saying
is that each user of your system gets a default project autoprovisioned
for them. With Federation, you have to make sure you don't provision
for users with Valid Federated Identities but no real relationship to
your Cloud deployment.
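One way to express that split in a Juno-style Keystone federation mapping rule, as an added example that is not part of Adam's reply or of Keystone's own documentation: only SAML assertions carrying the team membership attribute are mapped to a group in the team's domain, so a valid federated identity without that attribute matches no rule, gets no group and therefore no role, while the existing local users in their own domain are untouched. The assertion attribute names `uid` and `memberOf`, the DN value, and the group id are assumptions/placeholders for this illustration.

```json
{
  "rules": [
    {
      "local": [
        {
          "user": {
            "name": "{0}"
          }
        },
        {
          "group": {
            "id": "PLACEHOLDER-id-of-a-group-created-in-the-team-domain"
          }
        }
      ],
      "remote": [
        {
          "type": "uid"
        },
        {
          "type": "memberOf",
          "any_one_of": [
            "cn=cloud-team,ou=groups,dc=example,dc=com"
          ]
        }
      ]
    }
  ]
}
```

Roles are then assigned to that group on projects in the team domain, so nothing is autoprovisioned per federated user and third parties continue to authenticate against their local Keystone accounts.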