Joe, Tim, I am seeing a strong interest in keystone federated identity support from customers. I was planning on submitting a keystone design summit session proposal on this topic where we could discuss the use cases and requirements that customers are bringing forward and make sure we get all the bases covered. Sounds like you are seeing interest in this as well.
Thanks,
Brad

Brad Topol, Ph.D.
IBM Distinguished Engineer
OpenStack
(919) 543-0646
Internet: [email protected]
Assistant: Cindy Willman (919) 268-5296

From: Joe Savak <[email protected]>
To: Tim Bell <[email protected]>, "Miller, Mark M (EB SW Cloud - R&D - Corvallis)" <[email protected]>, Rok Kralj <[email protected]>, "[email protected]" <[email protected]>
Date: 08/06/2013 04:06 PM
Subject: Re: [Openstack] Openstack login via SimpleSamlPHP (LDAP, OAuth, OpenID, etc..)

If we allow Keystone to handle the identity federation (both with an incoming SAML to token exchange and an outgoing token to SAML exchange), then wouldn’t both GUI and CLI SSO be possible?

See here for more information: https://blueprints.launchpad.net/keystone/+spec/virtual-idp

And a pretty picture: https://wiki.openstack.org/wiki/File:Virtual_Identity_Providers.png

Rok – thank you for starting this. I do think your GUI-SSO solution has benefits regardless of the language it uses.

From: Tim Bell [mailto:[email protected]]
Sent: Tuesday, August 06, 2013 1:05 PM
To: Miller, Mark M (EB SW Cloud - R&D - Corvallis); Rok Kralj; [email protected]
Subject: Re: [Openstack] Openstack login via SimpleSamlPHP (LDAP, OAuth, OpenID, etc..)

I would be very interested in a native SAML for single sign on implementation with Horizon login. This would mean Python rather than PHP along with potentially (I think) creating a situation where a user can use the Web GUI through single sign on but not able to use CLI. Depending on the use cases, this may not be an issue but as far as I understand, it is a limitation of the technology at present.

Tim

From: Miller, Mark M (EB SW Cloud - R&D - Corvallis) [mailto:[email protected]]
Sent: 06 August 2013 19:06
To: Rok Kralj; [email protected]
Subject: Re: [Openstack] Openstack login via SimpleSamlPHP (LDAP, OAuth, OpenID, etc..)

How is this different than the new H-2 split backend functionality?

From: Rok Kralj [mailto:[email protected]]
Sent: Tuesday, August 06, 2013 5:38 AM
To: [email protected]
Subject: [Openstack] Openstack login via SimpleSamlPHP (LDAP, OAuth, OpenID, etc..)

As far as I know, the ability to log in to OpenStack via arbitrary Identity Provider (IdP) is a widely desired feature.

Therefore, we have decided to integrate Keystone & Horizon with Simple Saml PHP, since it provides a lot of AUTH sources (aka. IdPs), for example LDAP, database, facebook, etc...

Check out our effort in this short video (40s): http://www.youtube.com/watch?v=qmJAumoh4U8

For more, the instructions and a short introduction are available in the attached readme.pdf.

Feedback is really appreciated.

_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : [email protected]
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
