Keystone to Keystone federation

Registered by Joe Savak on 2014-05-14

CERN has one OpenStack cloud ("internal cloud") set up within their data center, with keystone backed by an LDAP directory. They would like to burst workloads to one or more public cloud service providers ("CSPs") should their internal cloud run short of capacity (compute, bandwidth or storage), and to give their internal cloud identities seamless access to those CSPs. Those identities currently use the OpenStack clients (nova-client, keystone-client) and would like to continue doing so without many changes.
Flow:
a. AuthN against CERN keystone using my credentials
b. Get a token back with a service catalog showing the CERN OpenStack services (nova, swift, etc.) and the CSP service catalog
c. Attempt to use the token against the CSP nova service
d. The CSP nova service calls CSP keystone to validate the token (no change to nova)
e. CSP keystone recognizes the token as belonging to the CERN keystone IdP, which it has configured as a trusted identity provider together with the attribute mappings it must apply
f. CSP keystone calls CERN keystone (SAML or other federation protocol: request and negotiation)
g. CERN keystone has the CSP configured as a trusted service provider, with the attribute mappings it should expect
h. CERN keystone returns a SAML (or other federation protocol) assertion to CSP keystone
i. CSP keystone validates the assertion and provisions a temporary user. The token is deemed valid and cached in CSP keystone for subsequent validation calls until it expires
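The flow above, modelled offline as an added example (this is not keystone code and not CERN's or any CSP's configuration): two Keystone objects, one acting as the CERN IdP and one as the CSP service provider. An HMAC over a JSON body stands in for a signed SAML assertion, and the SP holds the IdP's key directly where a real SP would verify against the certificate published in the IdP's SAML metadata; every name ("cern-keystone", "csp-keystone", "alice", the attribute mapping, the released-attribute list) is assumed. The example shows the checks the CSP side must make before provisioning the temporary user (trusted issuer, signature, audience, expiry), the IdP releasing only the attributes the SP is trusted to receive, and the cached local token lapsing together with the assertion.

```python
import hashlib
import hmac
import json
import time
import uuid


class Keystone:
    """One keystone that can act as an IdP (trusting SPs) and as an SP (trusting IdPs)."""

    def __init__(self, name, signing_key):
        self.name = name                # entity id, used as assertion issuer / audience
        self.signing_key = signing_key  # HMAC key standing in for the IdP's XML-signing key
        self.trusted_sps = {}           # IdP side: sp name -> attributes released to it
        self.trusted_idps = {}          # SP side: idp name -> (idp key, attribute mapping)
        self.tokens = {}                # token id -> token record, local or provisioned

    # ---- IdP side: steps a/b (issue) and g/h (assert) ----
    def issue_token(self, user, groups, now=None, ttl=3600, **extra):
        now = time.time() if now is None else now
        token_id = uuid.uuid4().hex
        self.tokens[token_id] = dict(extra, user=user, groups=groups, expires=now + ttl)
        return token_id

    def trust_sp(self, sp_name, released_attrs):
        self.trusted_sps[sp_name] = released_attrs

    def assertion_for(self, token_id, sp_name, now=None):
        """Turn a live local token into a signed assertion addressed to one trusted SP."""
        now = time.time() if now is None else now
        tok = self.tokens.get(token_id)
        if tok is None or tok["expires"] <= now:
            raise PermissionError("unknown or expired token")
        if sp_name not in self.trusted_sps:
            raise PermissionError("%s is not a trusted service provider" % sp_name)
        body = {"issuer": self.name, "audience": sp_name, "not_after": tok["expires"],
                "attrs": {k: tok[k] for k in self.trusted_sps[sp_name]}}
        payload = json.dumps(body, sort_keys=True).encode()
        sig = hmac.new(self.signing_key, payload, hashlib.sha256).hexdigest()
        return payload, sig

    # ---- SP side: steps e/f (recognise + fetch) and i (validate + provision) ----
    def trust_idp(self, idp_name, idp_key, attribute_mapping):
        self.trusted_idps[idp_name] = (idp_key, attribute_mapping)

    def accept_assertion(self, payload, sig, now=None):
        """Check issuer, signature, audience and expiry; then provision an ephemeral user."""
        now = time.time() if now is None else now
        body = json.loads(payload)  # parsed only to pick the issuer's key; nothing trusted yet
        if body.get("issuer") not in self.trusted_idps:
            raise PermissionError("issuer is not a trusted identity provider")
        idp_key, mapping = self.trusted_idps[body["issuer"]]
        expected = hmac.new(idp_key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            raise PermissionError("assertion signature does not verify")
        if body["audience"] != self.name:
            raise PermissionError("assertion was issued for a different service provider")
        if body["not_after"] <= now:
            raise PermissionError("assertion has expired")
        # Attribute mapping: only attributes the mapping names survive, under local names.
        local = {mapping[k]: v for k, v in body["attrs"].items() if k in mapping}
        local_token = uuid.uuid4().hex
        self.tokens[local_token] = dict(local, idp=body["issuer"], expires=body["not_after"])
        return local_token

    def resolve_foreign_token(self, idp, foreign_token_id, now=None):
        """Exchange a token from a trusted IdP for an assertion once; cache the result."""
        if idp.name not in self.trusted_idps:
            raise PermissionError("token belongs to an untrusted identity provider")
        payload, sig = idp.assertion_for(foreign_token_id, self.name, now)
        return self.accept_assertion(payload, sig, now)

    def validate(self, token_id, now=None):
        """Later validation calls are answered locally, with no callback to the IdP."""
        now = time.time() if now is None else now
        tok = self.tokens.get(token_id)
        return None if tok is None or tok["expires"] <= now else tok


def demo(now=1000.0):
    """Constructed run with assumed names; returns both keystones and both token ids."""
    cern = Keystone("cern-keystone", b"cern-signing-key")
    csp = Keystone("csp-keystone", b"csp-signing-key")
    cern.trust_sp("csp-keystone", ["user", "groups"])                     # step g
    csp.trust_idp("cern-keystone", b"cern-signing-key",                    # step e
                  {"user": "name", "groups": "groups"})
    foreign = cern.issue_token("alice", ["cern-users"], now, email="a@x")  # step a
    local = csp.resolve_foreign_token(cern, foreign, now)                   # steps c-i
    return cern, csp, foreign, local


if __name__ == "__main__":
    _, csp, _, local = demo()
    print(csp.validate(local, 1000.0))  # provisioned ephemeral user; email was not released
    print(csp.validate(local, 5000.0))  # None: the cached token lapsed with the assertion
```

The same assertion presented to a keystone it was not addressed to, an assertion whose body has been edited, or a token request from a service provider the IdP does not trust all fail closed with PermissionError; the audience check is what stops an assertion obtained for one CSP from being replayed at another.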

Blueprint information

Status:
Complete
Approver:
Dolph Mathews
Priority:
High
Drafter:
Joe Savak
Direction:
Needs approval
Assignee:
Marek Denis
Definition:
Approved
Series goal:
Accepted for juno
Implementation:
Implemented
Milestone target:
2014.2
Started by
Dolph Mathews on 2014-07-29
Completed by
Dolph Mathews on 2014-09-06

Related branches

Sprints

Whiteboard

Currently blocked by openstack/requirements: https://review.openstack.org/#/c/113294/

There are two "primary" assignee fields in the spec, but I used marekd above because two of the four patches below are his.

Gerrit topic: https://review.openstack.org/#q,topic:bp/keystone-to-keystone-federation,n,z

Addressed by: https://review.openstack.org/100023 (spec, approved)
    Implements: blueprint keystone-to-keystone-federation

Gerrit topic: https://review.openstack.org/#q,topic:master,n,z

Addressed by: https://review.openstack.org/104623 (abandoned)
    Implement Service Providers API for OS-FEDERATION

Addressed by: https://review.openstack.org/104577 (merged)
    Add _BaseFederationExtension class

Addressed by: https://review.openstack.org/106935 (merged)
    Add a URL field to region table

Addressed by: https://review.openstack.org/110542
    Transform a Keystone token to a SAML assertion

Addressed by: https://review.openstack.org/114138
    Create SAML generation route and controller

Gerrit topic: https://review.openstack.org/#q,topic:k2k-idp-metadata,n,z

Addressed by: https://review.openstack.org/114850
    IdP SAML Metadata generator

Addressed by: https://review.openstack.org/115564
    Generate IdP Metadata with keystone-manage.

Addressed by: https://review.openstack.org/115883
    Routes for Keystone-IdP metadata endpoint.

Addressed by: https://review.openstack.org/116907
    Add libxmlsec1 as external package dependency on OS X

Addressed by: https://review.openstack.org/118272
    Fix minor nits for token2saml generation.

Addressed by: https://review.openstack.org/152046
    Create K2K SAML assertion from service provider.


Work Items

Work items:
Define/impl spec for adding and maintaining service providers. Likely similar to https://github.com/openstack/identity-api/blob/master/v3/src/markdown/identity-api-v3-os-federation-ext.md: Joe: INPROGRESS
Define/impl spec for publishing the services the local keystone has set up (ex: "nova" at "https://nova.acme.com"): TODO
Define/impl method for listing the services published by foreign keystones (ex: beta-keystone supports "swift" at "https://swift.beta.com"): TODO
Define/impl method of validating foreign tokens: TODO
Define/impl method of invalidating tokens across service providers: TODO