plug federation mapping to external authentication
Keystone's external authentication mechanism can be used to extend keystone's auth capabilities with existing Apache auth modules, provided the user id found in the REMOTE_USER environment variable already exists in keystone's identity backend.
However, the Federation extension adds a mapping mechanism that maps SAML assertion attributes to a local user and/or groups, removing the need to provision those users in the backend. It is SAML-centric and is only used with the saml2 auth method so far.
This mapping mechanism and the SAML auth endpoint in keystone could be modified to work with the external auth mechanism and not just with SAML specifically. Note that once the mapping replaces the backend lookup, the mapping rules become the only thing deciding which REMOTE_USER values get a token, so they should only reference attributes the Apache module actually sets, and an assertion matching no rule must be rejected rather than mapped to a default user. A typical mapping would look like this:
{
"mapping": {
"rules": [
{
],
]
}
]
}
}
And an unscoped token obtained from the federation endpoint would look like this:
<token xmlns="http://
<extras/>
<methods>
<method>
</methods>
<user id="https%
<OS-FEDERATION>
<
<protocol id="user"/>
<groups>
<group id="8281a0ee259
</groups>
</OS-
</user>
</token>
This is probably related to this blueprint: https:/
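As an added example (it is neither keystone's mapping engine nor the drafter's PoC), the following Python sketch shows what "plugging the mapping into external auth" amounts to: one rule evaluator that runs over either a SAML-style attribute dict or the WSGI environ carrying REMOTE_USER. The rule format follows keystone's mapping schema (a list of rules, each with "remote" matchers using "type"/"any_one_of"/"not_any_of" and "local" user/group templates with "{0}" substitution), but the evaluation is a simplified subset of keystone's. The mapping itself, the REMOTE_USER_GROUPS attribute and the group id are constructed for the example and are assumptions, not values from the page.

```python
"""Minimal keystone-style mapping evaluator applied to external auth.

Added example, not keystone's own code.  Each rule has a "remote" list of
matchers and a "local" list of user/group templates; the values bound by the
remote matchers are substituted into "{0}", "{1}", ... in the local part, in
matcher order.  An assertion that matches no rule raises instead of yielding
a user, which is the security-relevant property of the mapping.
"""
import re
from typing import Optional

# Constructed mapping (assumption, modelled on keystone's mapping schema).
# Rule 0 maps Apache's REMOTE_USER straight to a user name.  Rule 1 grants a
# group only when a second attribute set by the auth module (hypothetical
# REMOTE_USER_GROUPS) contains "admins".  The group id is a placeholder.
EXAMPLE_MAPPING = {
    "mapping": {
        "rules": [
            {
                "remote": [{"type": "REMOTE_USER"}],
                "local": [{"user": {"name": "{0}"}}],
            },
            {
                "remote": [
                    {"type": "REMOTE_USER"},
                    {"type": "REMOTE_USER_GROUPS", "any_one_of": ["admins"]},
                ],
                "local": [{"group": {"id": "group-admins"}}],
            },
        ]
    }
}


class MappingError(Exception):
    """Raised when the assertion does not map to any user."""


def _match_remote(matcher: dict, assertion: dict) -> Optional[str]:
    """Return the value a remote matcher binds, or None if it does not match.

    Values are handled as lists because SAML attributes can be multi-valued;
    a scalar such as REMOTE_USER is treated as a one-element list.
    """
    values = assertion.get(matcher["type"])
    if not values:
        return None
    if isinstance(values, str):
        values = [values]
    if "any_one_of" in matcher:
        allowed = matcher["any_one_of"]
        if matcher.get("regex"):
            hits = [v for v in values if any(re.fullmatch(p, v) for p in allowed)]
        else:
            hits = [v for v in values if v in allowed]
        return hits[0] if hits else None
    if "not_any_of" in matcher and any(v in matcher["not_any_of"] for v in values):
        return None
    return values[0]


def map_assertion(mapping: dict, assertion: dict) -> dict:
    """Apply the mapping rules to an assertion (SAML attributes or WSGI environ).

    Returns {"user": {"name": ...}, "group_ids": [...]}.  Raises MappingError
    when no rule produced a user: an unmatched assertion must not get a token.
    """
    user = None
    group_ids = []
    for rule in mapping["mapping"]["rules"]:
        bound = []
        for matcher in rule["remote"]:
            value = _match_remote(matcher, assertion)
            if value is None:
                break
            bound.append(value)
        else:  # every remote matcher of this rule matched
            for local in rule["local"]:
                if "user" in local:
                    # The template comes from the operator's mapping; the
                    # attribute values are only format arguments.
                    user = {"name": local["user"]["name"].format(*bound)}
                if "group" in local:
                    group_ids.append(local["group"]["id"])
    if user is None:
        raise MappingError("no mapping rule matched the assertion")
    return {"user": user, "group_ids": group_ids}


def map_external_auth(mapping: dict, environ: dict) -> dict:
    """External-auth entry point: the 'assertion' is the WSGI environ itself."""
    if not environ.get("REMOTE_USER"):
        raise MappingError("REMOTE_USER was not set by the authentication module")
    return map_assertion(mapping, environ)


if __name__ == "__main__":
    env = {"REMOTE_USER": "alice", "REMOTE_USER_GROUPS": ["admins", "devs"]}
    print(map_external_auth(EXAMPLE_MAPPING, env))
```

The same `map_assertion` can be fed a dict of SAML attributes with a mapping whose remote matchers name those attributes instead of REMOTE_USER, which is the generalisation the blueprint asks for; the only external-auth-specific part is the REMOTE_USER presence check in `map_external_auth`.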
Blueprint information
- Status: Complete
- Approver: None
- Priority: Undefined
- Drafter: Matthieu Huin
- Direction: Needs approval
- Assignee: Matthieu Huin
- Definition: Superseded
- Series goal: None
- Implementation: Unknown
- Milestone target: None
- Started by:
- Completed by: Morgan Fainberg
Whiteboard
(morganfainberg): This has been superseded by the actual Federation implementation (and improvement from icehouse -> juno).
WIP here: https:/
Notes (mostly how to use the WIP): https:/
Gerrit topic: https:/
Addressed by: https:/ (PoC external auth using user mapping)