Keystone to Keystone federation

Registered by Joe Savak on 2014-05-14

CERN has one OpenStack cloud ("internal cloud") set up within their data center, with Keystone backed by an LDAP instance. They would like to burst cloud workload to multiple public cloud service providers ("CSP") should their internal cloud not have enough capacity (bandwidth or storage), and to provide seamless access for their internal cloud identities. Those identities currently use the OpenStack clients (nova-client, keystone-client) and should be able to continue doing so without many changes. The intended flow:
a. AuthN against CERN keystone using my credentials
b. Get a token back with a service catalog showing both the CERN OpenStack services (nova, swift, etc.) and the CSP service catalog
c. Attempt to use the token against the CSP nova service
d. CSP nova service calls CSP keystone to validate it (no change)
e. CSP keystone recognizes the token as belonging to the CERN keystone IdP, which it has set up as a trusted identity provider together with the attribute mappings to apply
f. CSP keystone calls CERN keystone (SAML or other federation protocol request and negotiation)
g. CERN keystone has the CSP set up as a trusted service provider (with the attribute mappings it should expect)
h. CERN keystone returns a SAML (or other federation protocol) assertion to CSP keystone
i. CSP keystone validates the assertion, applies the mappings and provisions a temporary user. The token is deemed valid and cached in CSP keystone for future validation calls until expiration
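The flow above as an added example that is not part of this blueprint or of Keystone's code: a Python simulation of both keystones in one process. It assumes an HMAC-signed JSON document in place of the SAML assertion, an issuer-prefixed token format so the CSP side can tell whose token it holds, and a simplified mapping-rule format; the user names, passwords, attributes and shared secret are constructed sample data.

```python
"""Simulated Keystone-to-Keystone round-trip for steps a-i. Constructed example, not Keystone
code: HMAC-signed JSON stands in for the SAML assertion and both keystones run in-process."""
import hashlib
import hmac
import json
import time
import uuid

SECRET = b"cern-csp-shared-secret"  # assumed stand-in for the IdP signing key


def sign(secret, body):
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def denied(fn, *args):
    try:
        fn(*args)
        return False
    except PermissionError:
        return True


class IdPKeystone:
    """CERN-side keystone: authenticates local users, asserts only to trusted SPs (step g)."""

    def __init__(self, issuer, secret, users):
        self.issuer, self.secret, self.users = issuer, secret, users
        self.tokens, self.trusted_sps = {}, set()

    def authenticate(self, name, password, ttl=3600):
        pwd, _ = self.users.get(name, (None, None))
        if pwd is None or not hmac.compare_digest(pwd, password):
            raise PermissionError("bad credentials")
        token = "%s:%s" % (self.issuer, uuid.uuid4().hex)  # assumed issuer-prefixed format (step e)
        self.tokens[token] = (name, time.time() + ttl)
        return token

    def assertion_for(self, token, sp_id, now):
        """Steps f-h: answer the SP's federation request with a signed assertion."""
        if sp_id not in self.trusted_sps:
            raise PermissionError("service provider %s is not trusted" % sp_id)
        name, expires_at = self.tokens.get(token, (None, 0))
        if name is None or now >= expires_at:
            raise PermissionError("token unknown or expired")
        body = json.dumps({"issuer": self.issuer, "audience": sp_id, "subject": name,
                           "attributes": self.users[name][1], "expires_at": expires_at},
                          sort_keys=True).encode()
        return {"body": body.decode(), "sig": sign(self.secret, body)}


class SPKeystone:
    """CSP-side keystone: validates foreign tokens via the trusted IdP, maps, provisions, caches."""

    def __init__(self, sp_id):
        self.sp_id, self.idps, self.cache, self.users = sp_id, {}, {}, {}

    def validate(self, token, now=None):
        """Step e onwards, as called by the CSP nova service."""
        now = time.time() if now is None else now
        if token in self.cache and now < self.cache[token][1]:
            return self.cache[token][0]  # step i: reused until expiration
        issuer = token.partition(":")[0]
        if issuer not in self.idps:
            raise PermissionError("token issuer %r is not a trusted IdP" % issuer)
        assertion = self.idps[issuer][0].assertion_for(token, self.sp_id, now)  # steps f-h
        user, expires_at = self.accept_assertion(issuer, assertion, now)
        self.cache[token] = (user, expires_at)
        return user

    def accept_assertion(self, issuer, assertion, now):
        """Step i: verify signature, issuer, audience, expiry; map attributes; provision."""
        _, secret, mapping = self.idps[issuer]
        body = assertion["body"].encode()
        if not hmac.compare_digest(sign(secret, body), assertion["sig"]):
            raise PermissionError("assertion signature invalid")
        claims = json.loads(body)
        if claims["issuer"] != issuer or claims["audience"] != self.sp_id:
            raise PermissionError("assertion issuer/audience mismatch")
        if now >= claims["expires_at"]:
            raise PermissionError("assertion expired")
        # Assumed mapping format: a rule matches when every "remote" attribute equals the
        # asserted value and then grants its "local_groups" (cf. OS-FEDERATION mappings).
        groups = sorted({g for rule in mapping for g in rule["local_groups"]
                         if all(claims["attributes"].get(k) == v for k, v in rule["remote"].items())})
        if not groups:
            raise PermissionError("no mapping rule matched; refusing to provision")
        user = {"name": "%s@%s" % (claims["subject"], issuer), "groups": groups, "ephemeral": True}
        self.users[user["name"]] = user
        return user, claims["expires_at"]


def build_clouds():  # constructed sample users, mutual trust and one mapping
    cern = IdPKeystone("cern-keystone", SECRET, {"alice": ("pw-alice", {"org": "cern", "role": "physicist"}),
                                                 "bob": ("pw-bob", {"org": "cern", "role": "guest"})})
    cern.trusted_sps.add("csp-keystone")
    csp = SPKeystone("csp-keystone")
    csp.idps["cern-keystone"] = (cern, SECRET, [{"remote": {"org": "cern"}, "local_groups": ["cern-users"]},
                                                {"remote": {"role": "physicist"}, "local_groups": ["burst-compute"]}])
    return cern, csp
```

The checks worth noticing are the ones each side refuses: the CSP keystone rejects a token whose issuer is not in its trusted-IdP registry, the CERN keystone refuses to assert for a service provider it has not registered, the assertion is only accepted if its signature, issuer and audience check out and it has not expired, and a subject that matches no mapping rule is never provisioned. The SP-side cache is bounded only by the expiry carried in the assertion; a token revoked at CERN before then would still be honoured from the cache, which is the gap the "invalidating tokens across service providers" work item below is about.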

Blueprint information

Approver: Dolph Mathews
Drafter: Joe Savak
Direction: Needs approval
Assignee: Marek Denis
Series goal: Accepted for juno
Milestone target: 2014.2
Started by: Dolph Mathews on 2014-07-29
Completed by: Dolph Mathews on 2014-09-06


Currently blocked by openstack/requirements:

There are two "primary" assignee fields in the spec, but I used marekd above because two of the four patches below are his.

Gerrit topic: bp/keystone-to-keystone-federation

Addressed by: (spec, approved)
    Implements: blueprint keystone-to-keystone-federation

Gerrit topic: master

Addressed by: (abandoned)
    Implement Service Providers API for OS-FEDERATION

Addressed by: (merged)
    Add _BaseFederationExtension class

Addressed by: (merged)
    Add a URL field to region table

Addressed by:
    Transform a Keystone token to a SAML assertion

Addressed by:
    Create SAML generation route and controller

Gerrit topic: k2k-idp-metadata

Addressed by:
    IdP SAML Metadata generator

Addressed by:
    Generate IdP Metadata with keystone-manage.

Addressed by:
    Routes for Keystone-IdP metadata endpoint.

Addressed by:
    Add libxmlsec1 as external package dependency on OS X

Addressed by:
    Fix minor nits for token2saml generation.

Addressed by:
    Create K2K SAML assertion from service provider.


Work Items

Define/impl spec for adding and maintaining service providers. Likely similar to Joe: INPROGRESS
Define/impl spec for publishing services the local keystone has setup. (ex: "nova" at "": TODO
Define/impl method for listening to foreign keystones (ex: beta-keystone supports "swift" at "": TODO
Define/impl method of validating foreign tokens: TODO
Define/impl method of invalidating tokens across service providers: TODO