Keystone to Keystone federation
CERN has one openstack cloud set up ("internal cloud") within their data center, with keystone sitting on top of an LDAP instance. They would like to burst cloud workload to multiple public cloud service providers ("CSP") should their internal cloud not have enough bandwidth or storage, and they would like to provide seamless access for their internal cloud identities. Those identities currently use the openstack clients (nova-client, keystone-client) and would like to continue to do so without many changes.
Flow:
a. AuthN against CERN keystone using my credentials
b. Get a token back with a service catalog showing CERN openstack services (nova, swift, etc) and the CSP service catalog
c. Attempt to use the token against CSP nova service
d. CSP nova service calls CSP keystone (no change)
e. CSP keystone deciphers the token as belonging to the CERN keystone IdP (which it sees as being set up as a trusted identity provider with the attribute mappings we need to use)
f. CSP keystone calls CERN keystone (SAML or other federation protocol request and negotiation)
g. CERN keystone shows CSP set up as a trusted service provider (with the attribute mappings it should expect)
h. CERN Keystone returns a SAML (or other federation protocol) assertion to CSP Keystone
i. CSP keystone deciphers the assertion and provisions a temporary user. The token is deemed valid and stored in CSP keystone for future validation calls until expiration
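The flow above, modelled end to end as an added example (not code from the blueprint or from keystone itself): one class plays both the CERN keystone (IdP side) and the CSP keystone (SP side), the trust relationship is registered on both sides with attribute mappings, the token's catalog carries both providers' services, and the SP side provisions a temporary user and caches the validated token until it expires. Assumed simplifications: tokens and assertions are plain dicts, the SAML exchange is a direct method call, and names, URLs and attributes are constructed.

```python
# Toy model of steps a-i; assumed: dict tokens/assertions, method calls standing in for HTTP/SAML.
import time
import uuid

class Keystone:
    def __init__(self, name, catalog, users=None):
        self.name, self.catalog = name, catalog   # catalog: {"nova": "https://..."}
        self.users = users or {}                  # local identities (stands in for LDAP)
        self.trusted_sps = {}    # IdP side: sp name -> (Keystone, attributes to release)
        self.trusted_idps = {}   # SP side: idp name -> (Keystone, attribute mapping)
        self.validated = {}      # SP side: token id -> (temporary user, expires_at)

    # ---- identity provider side (CERN keystone) ----
    def register_service_provider(self, sp, release):   # step g: trusted SP
        self.trusted_sps[sp.name] = (sp, release)
    def authenticate(self, username, password):          # steps a-b
        user = self.users.get(username)
        if user is None or user["password"] != password:
            raise PermissionError("bad credentials")
        catalog = dict(self.catalog)                      # local services ...
        for sp, _ in self.trusted_sps.values():           # ... plus each SP's catalog
            catalog.update({f"{sp.name}/{s}": u for s, u in sp.catalog.items()})
        return {"id": uuid.uuid4().hex, "issuer": self.name, "user": username,
                "expires_at": time.time() + 3600, "catalog": catalog}
    def issue_assertion(self, token, sp_name):           # steps f, h
        if (sp_name not in self.trusted_sps or token["issuer"] != self.name
                or token["expires_at"] <= time.time()):
            raise PermissionError("untrusted SP, foreign token, or expired token")
        release, attrs = self.trusted_sps[sp_name][1], self.users[token["user"]]
        return {"issuer": self.name, "subject": token["user"],   # only released attrs
                "attributes": {a: attrs[a] for a in release if a in attrs},
                "expires_at": token["expires_at"]}

    # ---- service provider side (CSP keystone) ----
    def register_identity_provider(self, idp, mapping):  # step e: trusted IdP
        self.trusted_idps[idp.name] = (idp, mapping)
    def validate(self, token):                           # steps d, e, f, i
        cached = self.validated.get(token["id"])
        if cached and cached[1] > time.time():           # kept until expiration
            return cached[0]
        if token["issuer"] not in self.trusted_idps:
            raise PermissionError(f"untrusted issuer {token['issuer']}")
        idp, mapping = self.trusted_idps[token["issuer"]]
        assertion = idp.issue_assertion(token, self.name)  # SAML exchange in reality
        if assertion["issuer"] != idp.name or assertion["expires_at"] <= time.time():
            raise PermissionError("bad assertion")
        user = {"name": f"{idp.name}:{assertion['subject']}"}   # step i: temporary user
        user.update({mapping.get(a, a): v for a, v in assertion["attributes"].items()})
        self.validated[token["id"]] = (user, assertion["expires_at"])
        return user
```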
Blueprint information
- Status: Complete
- Approver: Dolph Mathews
- Priority: High
- Drafter: Joe Savak
- Direction: Needs approval
- Assignee: Marek Denis
- Definition: Approved
- Series goal: Accepted for juno
- Implementation: Implemented
- Milestone target: 2014.2
- Started by: Dolph Mathews
- Completed by: Dolph Mathews
Whiteboard
Currently blocked by openstack/
There's two "primary" assignee fields in the spec, but I used marekd above because two of the four patches below are his.
Gerrit topic: https:/
Addressed by: https:/
Implements: blueprint keystone-
Gerrit topic: https:/
Addressed by: https:/
Implement Service Providers API for OS-FEDERATION
Addressed by: https:/
Add _BaseFederation
Addressed by: https:/
Add a URL field to region table
Addressed by: https:/
Transform a Keystone token to a SAML assertion
Addressed by: https:/
Create SAML generation route and controller
Gerrit topic: https:/
Addressed by: https:/
IdP SAML Metadata generator
Addressed by: https:/
Generate IdP Metadata with keystone-manage.
Addressed by: https:/
Routes for Keystone-IdP metadata endpoint.
Addressed by: https:/
Add libxmlsec1 as external package dependency on OS X
Addressed by: https:/
Fix minor nits for token2saml generation.
Addressed by: https:/
Create K2K SAML assertion from service provider.
Work Items
Define/impl spec for adding and maintaining service providers. Likely similar to https:/
Define/impl spec for publishing services the local keystone has setup. (ex: "nova" at "https:/
Define/impl method for listening to foreign keystones (ex: beta-keystone supports "swift" at "https:/
Define/impl method of validating foreign tokens: TODO
Define/impl method of invalidating tokens across service providers: TODO