[Openstack] Federated Identity And Identity Provider Specific WebSSO

Adam Young ayoung at redhat.com
Thu May 12 03:54:51 UTC 2016

On 05/11/2016 11:08 AM, schmitt wrote:
> Hi,
> I'm implementing the feature of "Identity Provider Specific WebSSO" 
> according to the document:
> http://docs.openstack.org/developer/keystone/configure_federation.html.
> In the part of "Configure Apache to use a federation capable 
> authentication method",
> I chose the Mellon protocol for federation authentication.
> When setting up mellon, according to the document:
> http://docs.openstack.org/developer/keystone/federation/mellon.html,
> there is a step, "wget --cacert /path/to/ca.crt -O 
> /etc/httpd/mellon/idp-metadata.xml https://idp.fqdn/idp/saml2/metadata".
> What's the meaning of 
> this parameter, "https://idp.fqdn/idp/saml2/metadata"?

We went through a whole process to automate this, talking to the Ipsilon 
IdP. Documented in Ansible:


The steps specific to Mellon are here:


Ipsilon is Python, lightweight, and in use by the Fedora team.

My team is currently working on getting Federation to work with 
Keycloak, but I don't have that working and documented yet. Keycloak is 
a very nice, full-featured app, but Java and JBoss, which might work for 
some people and not for others.

> Also, which external identity provider should I choose?
> Could you please help me ?
> Best regards,
> schmitt