[Openstack] Keystone as Identity Provider or/and Service Provider

Alexis KOALLA alexis.koalla at orange.com
Thu Apr 16 09:26:33 UTC 2015


Hi Marek,
Thanks for your reply.
Here are the two use cases I want to test

OS: Ubuntu 14.04 LTS/ Openstack Juno

Use Case # 1: I aim to test an OS-FEDERATION where a Keystone is 
acting as a Service Provider (Ks-SP) and a Shibboleth installation 
that is acting as an Identity Provider (IdP). 
When a user authentication is issued on the Ks-SP, the Ks-SP asks 
the IdP (Shibboleth) to identify this user. 
Once the user is correctly identified, a token is generated by the 
Ks-SP. I tried to configure Shibboleth by following the tutorials from 
the OpenStack website, but I still have an issue with the metadata on 
the Service Provider. 
Any advice or idea is welcome. I am sure there is something I'm doing 
wrong, but where :-(


Use Case # 2: The second step will be testing a Keystone2Keystone 
authentication. One Keystone acting as an Identity Provider (Ks-IdP) and 
the other one acting as a Service Provider (Ks-SP). But for this purpose, 
as I understood, using Keystone as an IdP is not possible before the Kilo 
version. But this use case is not urgent for the moment.

Thanks
Regards
Alexis



On 16/04/2015 08:44, Marek Denis wrote:
> Hi Alexis,
>
>
> On 15.04.2015 14:34, Alexis KOALLA wrote:
>> Hi all,
>> I'm trying to configure an Authentication Federation using Keystone.
>> On the one hand I want Keystone to act as an Identity Provider for 
>> Authentication needs.
>> On the other hand I want to configure another Keystone that acts as a 
>> Service Provider calling the Identity Provider above when an 
>> authentication is needed
>> I am trying to use shibboleth but it seems I am doing something 
>> wrong because
>
> I think you missed the most crucial part of your message :-)
>
> Anyway, what's your business use case? What exactly do you want to 
> test? Is it Keystone2Keystone itself, or you want to test 
> OS-FEDERATION and simply use Keystone as Identity Provider because you 
> don't have any other Identity Provider working at the moment? Please 
> mind that Keystone is not (yet) a first class Identity Provider in the 
> saml/openid/federation understanding (it will not replace for instance 
> Shibboleth IdP and I doubt this is a goal).
>
>>
>> Anyone has experienced such kind of configuration with 
>> Keystone/shibboleth/Apache?
>>
>
> Probably, but we don't know what happened in your case :(
>
> Thanks,
>




