With https://review.openstack.org/#/c/399684/ implemented, this should no longer be an issue. Federated users should resolve to a domain, and in the default case, the domain of the identity provider. This is the behavior as of the Ocata release.
** Changed in: keystone
       Status: In Progress => Invalid

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1645910

Title:
  Trust creation for SSO users fails in assert_user_enabled

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  OpenStack version: Mitaka
  Operation: Heat stack/trust creation for SSO users

  For SSO users, keystone trust creation workflow fails while asserting that the user is enabled. The assert_user_enabled() function in keystone/identity/core.py fails at the below line:

    self.resource_api.assert_domain_enabled(user['domain_id'])

  Since user['domain_id'] throws a KeyError for federated users, this function raises an exception.

  To avoid this failure, we should invoke assert_domain_enabled() check conditionally only for local users.

  Proposing to add an 'is_local' user flag to distinguish between local and federated users so that we can conditionally assert the user domain and do other such things.
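
An added illustration (not keystone's code and not part of the original bug report) of the three behaviours discussed in this thread: the KeyError from the unconditional check, the proposed 'is_local' conditional, and resolving federated users to their identity provider's domain. ResourceAPI, resolve_federated_domain, outcome, the 'idp_id' field and all sample data are assumptions made for the example.

```python
# Simplified model of the check in the bug report; constructed data, not keystone source.
class DomainDisabled(Exception):
    pass


class ResourceAPI:
    """Hypothetical in-memory stand-in for keystone's resource_api."""

    def __init__(self, domains):
        self.domains = domains  # domain_id -> enabled flag

    def assert_domain_enabled(self, domain_id):
        if not self.domains[domain_id]:
            raise DomainDisabled(domain_id)


def assert_user_enabled(api, user):
    # Shape of the failing line: federated users have no 'domain_id' key.
    api.assert_domain_enabled(user['domain_id'])


def assert_user_enabled_conditional(api, user):
    # Proposal from the report: only check the domain for local users.
    if user.get('is_local', True):
        api.assert_domain_enabled(user['domain_id'])


def resolve_federated_domain(user, idp_domains):
    # Behaviour described in the closing comment: a federated user resolves
    # to a domain, by default the domain of its identity provider.
    if 'domain_id' in user:
        return user
    return dict(user, domain_id=idp_domains[user['idp_id']])


def outcome(check, api, user):
    """Run a check and report 'ok' or the name of the exception it raised."""
    try:
        check(api, user)
        return 'ok'
    except (KeyError, DomainDisabled) as exc:
        return type(exc).__name__


# Constructed sample data: the identity provider's domain has been disabled.
API = ResourceAPI({'default': True, 'idp-domain': False})
IDP_DOMAINS = {'sso-idp': 'idp-domain'}
LOCAL = {'id': 'u1', 'domain_id': 'default', 'is_local': True}
FEDERATED = {'id': 'u2', 'idp_id': 'sso-idp', 'is_local': False}
```

In this model the conditional variant lets the federated user through even though the identity provider's domain is disabled, while a user resolved to that domain goes through the original unconditional check and is rejected.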