plug federation mapping to external authentication

Registered by Matthieu Huin

Keystone's external authentication mechanism can be used to extend keystone's auth capabilities with existing Apache auth modules, provided the user id found in the REMOTE_USER environment variable exists in keystone's identity backend.
However, the Federation extension adds a mechanism that maps SAML assertions to a given user or group, removing the need to provision the backend. This is SAML-centric and is only used with the saml2 auth method so far.
This mapping mechanism and the SAML auth endpoint in keystone could be modified to work with the external auth mechanism rather than with SAML specifically. A typical mapping would look like this:

{
    "mapping": {
        "rules": [
            {
                "local": [
                    {
                        "user": {
                            "name": "{0}"
                        },
                        "group": {
                            "id": "8281a0ee25994ffa8b6a99d5426c3542"
                        }
                    }
                ],
                "remote": [
                    {
                        "type": "REMOTE_USER"
                    }
                ]
            }
        ]
    }
}

And unscoped auth on the federation endpoint would look like this:

<token xmlns="http://docs.openstack.org/identity/api/v3" issued_at="2014-04-30T05:53:39.212256Z" expires_at="2014-04-30T06:53:39.212224Z">
  <extras/>
  <methods>
    <method>external</method>
  </methods>
  <user id="https%3A//launchpad.net/%7Emhu-s" name="https://launchpad.net/~mhu-s">
    <OS-FEDERATION>
      <identity_provider id="launchpad"/>
      <protocol id="user"/>
      <groups>
        <group id="8281a0ee25994ffa8b6a99d5426c3542"/>
      </groups>
    </OS-FEDERATION>
  </user>
</token>
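As an added illustration, not code from the blueprint, the WIP change or keystone's own mapping engine, a minimal evaluator for mapping rules shaped like the one above, run over a constructed environment carrying the REMOTE_USER value seen in the token. It goes slightly beyond the page's single rule by honouring an any_one_of constraint on a remote attribute, and it returns no user when nothing matches, so the caller has to refuse the unscoped auth instead of falling back to a default identity.

```python
# Added example, not keystone's own mapping engine: a minimal evaluator for
# mapping rules shaped like the blueprint's, applied to the env variables an
# Apache auth module would hand to keystone through REMOTE_USER.

# The rule from the blueprint (group id as it appears on the page).
MAPPING = {"rules": [{
    "local": [{"user": {"name": "{0}"},
               "group": {"id": "8281a0ee25994ffa8b6a99d5426c3542"}}],
    "remote": [{"type": "REMOTE_USER"}],
}]}


def _rule_matches(rule, assertion):
    """Return the remote values captured by the rule, or None if any 'remote'
    requirement is unmet. Captured values are what {0}, {1}, ... expand to."""
    captured = []
    for req in rule["remote"]:
        value = assertion.get(req["type"])
        if value is None:
            return None  # attribute absent: rule does not apply
        # any_one_of restricts acceptable values (keystone's mapping engine
        # supports it; the page's single rule does not use it)
        if "any_one_of" in req and value not in req["any_one_of"]:
            return None
        captured.append(value)
    return captured


def apply_mapping(mapping, assertion):
    """Evaluate every rule; the result names the local user and group ids.
    user=None means nothing matched: the caller must reject the unscoped
    auth request rather than fall through to any default identity."""
    identity = {"user": None, "group_ids": []}
    for rule in mapping["rules"]:
        captured = _rule_matches(rule, assertion)
        if captured is None:
            continue
        for local in rule["local"]:
            if "user" in local:
                identity["user"] = {k: v.format(*captured)
                                    for k, v in local["user"].items()}
            if "group" in local:
                identity["group_ids"].append(local["group"]["id"])
    return identity


if __name__ == "__main__":
    # Constructed environment: REMOTE_USER as an Apache auth module sets it.
    print(apply_mapping(MAPPING, {"REMOTE_USER": "https://launchpad.net/~mhu-s"}))
    print(apply_mapping(MAPPING, {}))  # no REMOTE_USER: user is None
```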

This is probably related to this blueprint: https://blueprints.launchpad.net/keystone/+spec/external-auth-plugins

Blueprint information

Status: Complete
Approver: None
Priority: Undefined
Drafter: Matthieu Huin
Direction: Needs approval
Assignee: Matthieu Huin
Definition: Superseded
Series goal: None
Implementation: Unknown
Milestone target: None
Completed by: Morgan Fainberg

Whiteboard

(morganfainberg): This has been superseded by the actual Federation implementation (and improvement from icehouse -> juno).

WIP here: https://review.openstack.org/#/c/92079/

Notes (mostly how to use the WIP): https://etherpad.openstack.org/p/external-auth-federation-mapping

Gerrit topic: https://review.openstack.org/#q,topic:bp/external-auth-federation-mapping,n,z

Addressed by: https://review.openstack.org/92079
    PoC external auth using user mapping
