SAML Logout Keystone Token Revocation Support

Registered by Brad Topol

Directories such as Microsoft AD now support the SAML logout (Single Logout, or sign-out) protocol, which lets a directory notify an application when a user logs out or is otherwise removed. Keystone's federated identity support needs to be able to receive SAML logout notifications and convert them into keystone token revocations, closing the security hole that exists when an OpenStack user is removed from the identity provider (e.g. Microsoft AD or LDAP) but still has access to the OpenStack infrastructure.
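The flow the blueprint asks for, as an added illustration (this is not keystone code or code from the blueprint's author): a SAML 2.0 LogoutRequest is parsed, checked against the set of trusted identity providers and its NotOnOrAfter window, and then mapped to revocations in a small stand-in token store that, as the dolphm comment below notes keystone would have to, records at federated login which IdP, subject and IdP session each token belongs to. The TokenStore class, the handle_logout and parse_logout_request functions, the IdP entity ID and the sample request are all constructed for this example; the status URIs and XML namespaces are the standard SAML 2.0 ones.

```python
"""Mapping a SAML 2.0 LogoutRequest to keystone-style token revocations.

Added illustration; not keystone code. TokenStore, handle_logout, the IdP
entity ID and the sample XML are constructed for this example.
"""
import datetime as dt
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"

IDP = "https://idp.example.test/adfs/services/trust"  # constructed IdP entity ID

# Constructed sample LogoutRequest, as an IdP sends it after the user signs
# out (the XML signature is omitted; see handle_logout for where it is checked).
SAMPLE_LOGOUT_REQUEST = f"""<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_req1" Version="2.0" IssueInstant="2016-10-25T10:00:00Z"
    NotOnOrAfter="2016-10-25T10:05:00Z">
  <saml:Issuer>{IDP}</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">alice@example.test</saml:NameID>
  <samlp:SessionIndex>sess-42</samlp:SessionIndex>
</samlp:LogoutRequest>"""


class TokenStore:
    """Stand-in for a keystone token backend that records, at federated login,
    which IdP, subject (NameID) and IdP session each token was issued for, so a
    later logout notification can find the tokens to revoke."""

    def __init__(self):
        self._tokens = {}  # token_id -> {"idp", "name_id", "session_index", "revoked"}

    def issue(self, token_id, idp, name_id, session_index):
        self._tokens[token_id] = {"idp": idp, "name_id": name_id,
                                  "session_index": session_index, "revoked": False}

    def is_valid(self, token_id):
        rec = self._tokens.get(token_id)
        return rec is not None and not rec["revoked"]

    def revoke_for_subject(self, idp, name_id, session_indexes=()):
        """Revoke the subject's tokens from this IdP. With session indexes, only
        tokens from those IdP sessions are revoked; without any, every token of
        the subject is revoked (the 'user removed from the directory' case)."""
        revoked = []
        for tid, rec in self._tokens.items():
            if rec["revoked"] or rec["idp"] != idp or rec["name_id"] != name_id:
                continue
            if session_indexes and rec["session_index"] not in session_indexes:
                continue
            rec["revoked"] = True
            revoked.append(tid)
        return revoked


def _saml_time(text):
    # SAML dateTime values are UTC with a trailing Z.
    return dt.datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def parse_logout_request(xml_text, now):
    """Return (issuer, name_id, session_indexes); raise ValueError if the
    request is malformed or its NotOnOrAfter window has already passed."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a LogoutRequest")
    expiry = root.get("NotOnOrAfter")
    if expiry is not None and now >= _saml_time(expiry):
        raise ValueError("LogoutRequest expired")
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    name_id = root.findtext(f"{{{SAML}}}NameID")
    if not issuer or not name_id:
        raise ValueError("Issuer and NameID are required")
    sessions = tuple(e.text for e in root.findall(f"{{{SAMLP}}}SessionIndex") if e.text)
    return issuer.strip(), name_id.strip(), sessions


def handle_logout(store, xml_text, trusted_idps, now):
    """Map a LogoutRequest to token revocations; return (saml_status, revoked_ids).

    Assumes the request's XML signature was already verified against the
    issuing IdP's metadata by the SAML layer in front of this code (for
    keystone that is the Apache SAML module); everything else is checked here.
    """
    try:
        issuer, name_id, sessions = parse_logout_request(xml_text, now)
    except (ET.ParseError, ValueError):
        return STATUS_REQUESTER, []
    if issuer not in trusted_idps:
        # An Issuer we have no trust relationship with must not be able to
        # revoke anyone's tokens, signed or not.
        return STATUS_REQUESTER, []
    return STATUS_SUCCESS, store.revoke_for_subject(issuer, name_id, sessions)
```

A request that carries a SessionIndex only revokes the tokens minted from that IdP session; a request without one (what a directory sends when the account itself is removed) revokes every token the subject holds from that IdP, which is the gap the blueprint describes. Whatever the outcome, the responder answers with a SAML status rather than an exception, so a malformed or expired request cannot leak whether the subject exists.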

Blueprint information

Status: Complete
Approver: None
Priority: Not
Drafter: Brad Topol
Direction: Needs approval
Assignee: None
Definition: Obsolete
Series goal: None
Implementation: Unknown
Milestone target: None
Completed by: Dolph Mathews

Related branches

Sprints

Whiteboard

(morganfainberg): This sounds like a *great* idea to support. This will need a Spec and research as to how to support this notification.

(dolphm): We discussed this with Brad Topol at the Ocata summit in Barcelona and determined that (at this time, Oct 2016) this feature is not worth the cost of writing the additional data to keystone's backend during federated login required to later implement the logout & token revocation flow.


Work Items
