[Openstack] Keystone as Identity Provider or/and Service Provider
Alexis KOALLA
alexis.koalla at orange.com
Thu Apr 16 09:26:33 UTC 2015
Hi Marek,
Thanks for your reply.
Here are the two use cases I want to test
OS: Ubuntu 14.04 LTS/ Openstack Juno
Use Case # 1: I aim to test an OS-FEDERATION where a Keystone is
acting as a Service Provider (Ks-SP) and a Shibboleth installation
that is acting as an Identity Provider (IdP).
When a user authentication is issued on the Ks-SP, then the Ks-SP asks
the IdP (Shibboleth) to identify this user. Once the user is correctly
identified, then a token is generated by the Ks-SP. I tried to configure
Shibboleth by following the tutorials from the OpenStack website, but I
still have an issue with the metadata on the Service Provider.
Any advice or idea is welcome. I am sure there is something I'm doing
wrong, but where :-(
Use Case # 2: The second step will be testing a Keystone2Keystone
authentication. One Keystone acting as an Identity Provider (Ks-IdP) and
the other one acting as a Service Provider (Ks-SP). But for this purpose,
as I understood, using Keystone as an IdP is not possible before the Kilo
version. But this use case is not urgent for the moment.
Thanks
Regards
Alexis
On 16/04/2015 08:44, Marek Denis wrote:
> Hi Alexis,
>
>
> On 15.04.2015 14:34, Alexis KOALLA wrote:
>> Hi all,
>> I'm trying to configure an Authentication Federation using Keystone.
>> On the one hand I want Keystone to act as an Identity Provider for
>> Authentication needs.
>> On the other hand I want to configure another Keystone that acts as a
>> Service Provider calling the Identity Provider above when an
>> authentication is needed
>> I am trying to use shibboleth but it seems I am doing something
>> wrong because
>
> I think you missed the most crucial part of your message :-)
>
> Anyway, what's your business use case? What exactly do you want to
> test? Is it Keystone2Keystone itself, or you want to test
> OS-FEDERATION and simply use Keystone as Identity Provider because you
> don't have any other Identity Provider working at the moment? Please
> mind that Keystone is not (yet) a first class Identity Provider in the
> saml/openid/federation understanding (it will not replace for instance
> Shibboleth IdP and I doubt this is a goal).
>
>>
>> Has anyone experienced this kind of configuration with
>> Keystone/shibboleth/Apache?
>>
>
> Probably, but we don't know what happened in your case :(
>
> Thanks,
>