Re: [openstack-dev] [keystone] multiple federated keystones with single Identity Provider

2017-12-12 Thread Adrian Turjak
On 08/12/17 11:47, Lance Bragstad wrote:
>
> On 12/07/2017 12:27 PM, Colleen Murphy wrote:
>> On Thu, Dec 7, 2017 at 5:37 PM, Pavlo Shchelokovskyy
>> wrote:
>>> Hi all,
>>>
>>> We have a following use case - several independent keystones (say KeyA and
>>> KeyB),

Re: [openstack-dev] [keystone] multiple federated keystones with single Identity Provider

2017-12-08 Thread Adam Heczko
Hi Pavlo, I think that there are viable alternatives to your specific use case having single external idp for federated auth. Depending on your IT environment architecture and preferences you have the following possibilities, both of them are providing very smooth user experience: - in AD centric

Re: [openstack-dev] [keystone] multiple federated keystones with single Identity Provider

2017-12-07 Thread Boris Bobrov
Hi,

> On 12/07/2017 12:27 PM, Colleen Murphy wrote:
>> On Thu, Dec 7, 2017 at 5:37 PM, Pavlo Shchelokovskyy
>> wrote:
>>> Hi all,
>>>
>>> We have a following use case - several independent keystones (say KeyA and
>>> KeyB), using fernet tokens and synchronized

Re: [openstack-dev] [keystone] multiple federated keystones with single Identity Provider

2017-12-07 Thread Lance Bragstad
On 12/07/2017 12:27 PM, Colleen Murphy wrote:
> On Thu, Dec 7, 2017 at 5:37 PM, Pavlo Shchelokovskyy
> wrote:
>> Hi all,
>>
>> We have a following use case - several independent keystones (say KeyA and
>> KeyB), using fernet tokens and synchronized fernet keys, and

Re: [openstack-dev] [keystone] multiple federated keystones with single Identity Provider

2017-12-07 Thread Colleen Murphy
On Thu, Dec 7, 2017 at 5:37 PM, Pavlo Shchelokovskyy wrote:
> Hi all,
>
> We have a following use case - several independent keystones (say KeyA and
> KeyB), using fernet tokens and synchronized fernet keys, and single external
> IdP for federated auth.
>
> Is it

Re: [openstack-dev] [keystone] multiple federated keystones with single Identity Provider

2017-12-07 Thread Кирилл Беспалов
Hi, Pavlo. Looks like it's not just project/domain UUID should be equal, but also audit_id, endpoints_id, protocol_id, roles_id and many other entities. So, looks like it is not possible to implement this using current code base, but I could be wrong. You can take a look at mapped auth plugin

[openstack-dev] [keystone] multiple federated keystones with single Identity Provider

2017-12-07 Thread Pavlo Shchelokovskyy
Hi all, We have a following use case - several independent keystones (say KeyA and KeyB), using fernet tokens and synchronized fernet keys, and single external IdP for federated auth. Is it generally possible to configure both KeyA and KeyB such that scoped token issued by KeyA for a federated