SAML Logout Keystone Token Revocation Support
Directories such as Microsoft AD now support the SAML logout (sign-out) protocol, the SAML 2.0 Single Logout profile, which lets an application be notified by the directory when a user is logged out or otherwise removed. Keystone's federated identity support needs to be able to receive these SAML logout notifications and convert them into keystone token revocations. This closes a security hole that exists today: when an OpenStack user is removed from the identity provider (e.g. Microsoft AD or LDAP), the keystone tokens already issued to that user stay valid, so the user keeps access to the OpenStack infrastructure until those tokens expire.
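The following is an added example, not keystone code and not a design from this blueprint, of the relying-party side of that flow: parse an inbound SAML 2.0 LogoutRequest, apply the checks a practitioner would insist on before trusting it (issuer allow-list, validity window, replay cache), and emit a revocation record covering every token issued to the mapped user before the request arrived. Everything specific is an assumption: the IdP entity id in TRUSTED_IDPS, the constructed sample request, the federated_user_id hash (real keystone derives federated user ids through its mapping engine, not this way), and the plain-dict revocation record (keystone's actual revoke API is not used). XML signature verification is assumed to have been done before the request reaches this code.

```python
"""Added example (not keystone or blueprint code): SAML LogoutRequest -> revocation record.

Assumptions: TRUSTED_IDPS, the sample request, the federated_user_id hash and the
record layout are all constructed for illustration; the request's XML signature
is assumed to have been verified by the caller.
"""
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
TRUSTED_IDPS = {"https://idp.example.org/adfs/services/trust"}  # assumed IdP entity id
MAX_SKEW = timedelta(minutes=5)  # tolerated IdP/keystone clock skew (assumption)

# Constructed sample; a real request would also carry a ds:Signature element.
SAMPLE_LOGOUT_REQUEST = """\
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_7f1c2f0e" Version="2.0"
    IssueInstant="2016-10-25T10:00:00Z" NotOnOrAfter="2016-10-25T10:05:00Z">
  <saml:Issuer>https://idp.example.org/adfs/services/trust</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">alice@example.org</saml:NameID>
  <samlp:SessionIndex>_sess-42</samlp:SessionIndex>
</samlp:LogoutRequest>
"""


class LogoutRequestError(ValueError):
    """Raised when a LogoutRequest must not result in a revocation."""


def parse_ts(value):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    if value is None:
        raise LogoutRequestError("missing timestamp")
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise LogoutRequestError("bad timestamp %r" % value)


def parse_logout_request(xml_text):
    """Extract the fields a relying party needs from a samlp:LogoutRequest."""
    # Prefer defusedxml in production: stdlib expat does not fetch external
    # entities, but defusedxml additionally rejects entity-expansion bombs.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise LogoutRequestError("not a samlp:LogoutRequest")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    name_id = root.findtext("saml:NameID", namespaces=NS)
    if not root.get("ID") or not issuer or not name_id:
        raise LogoutRequestError("ID, Issuer and NameID are required")
    not_after = root.get("NotOnOrAfter")
    return {
        "id": root.get("ID"),
        "issuer": issuer.strip(),
        "name_id": name_id.strip(),
        "session_indexes": [e.text for e in root.findall("samlp:SessionIndex", NS)],
        "issue_instant": parse_ts(root.get("IssueInstant")),
        "not_on_or_after": parse_ts(not_after) if not_after else None,
    }


def federated_user_id(idp_entity_id, name_id):
    """Assumed stand-in for the user id keystone minted at federated login."""
    return hashlib.sha256(("%s\0%s" % (idp_entity_id, name_id)).encode()).hexdigest()[:32]


def logout_to_revocation(req, now, seen_request_ids):
    """Validate a parsed LogoutRequest and return a revocation record.

    The record covers every token issued to the mapped user before `now`, so a
    user deleted at the IdP loses access even if their token has not expired.
    `seen_request_ids` is the caller's replay cache (must be shared/persistent).
    """
    if req["issuer"] not in TRUSTED_IDPS:
        raise LogoutRequestError("untrusted issuer %r" % req["issuer"])
    if req["issue_instant"] > now + MAX_SKEW:
        raise LogoutRequestError("IssueInstant is in the future")
    if req["not_on_or_after"] is not None and now >= req["not_on_or_after"]:
        raise LogoutRequestError("LogoutRequest has expired")
    if req["id"] in seen_request_ids:
        raise LogoutRequestError("replayed LogoutRequest %s" % req["id"])
    seen_request_ids.add(req["id"])
    return {
        "user_id": federated_user_id(req["issuer"], req["name_id"]),
        "issued_before": now,
        "session_indexes": tuple(req["session_indexes"]),
    }


def _rejected(req, now, seen):
    try:
        logout_to_revocation(req, now, seen)
        return False
    except LogoutRequestError:
        return True


def demo(now=None):
    """Happy path plus the replay, expiry and untrusted-issuer rejections."""
    now = now or parse_ts("2016-10-25T10:01:00Z")
    seen = set()
    req = parse_logout_request(SAMPLE_LOGOUT_REQUEST)
    forged = parse_logout_request(SAMPLE_LOGOUT_REQUEST.replace("idp.example.org", "evil.example.net"))
    return {
        "event": logout_to_revocation(req, now, seen),
        "replay_rejected": _rejected(req, now, seen),
        "expired_rejected": _rejected(req, parse_ts("2016-10-25T10:06:00Z"), set()),
        "untrusted_issuer_rejected": _rejected(forged, now, set()),
    }
```

The deterministic `federated_user_id` hash is what makes this example self-contained; in keystone the user id assigned at federated login comes from the mapping rules, so resolving a later LogoutRequest's NameID back to that user would require persisting the IdP/NameID-to-user association at login time. That extra write on every federated login is the cost the whiteboard discussion below weighs against the benefit.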
Blueprint information
- Status: Complete
- Approver: None
- Priority: Not
- Drafter: Brad Topol
- Direction: Needs approval
- Assignee: None
- Definition: Obsolete
- Series goal: None
- Implementation: Unknown
- Milestone target: None
- Started by:
- Completed by: Dolph Mathews
Whiteboard
(morganfainberg): This sounds like a *great* idea to support. This will need a Spec and research as to how to support this notification.
(dolphm): We discussed this with Brad Topol at the Ocata summit in Barcelona and determined that (at this time, Oct 2016) this feature is not worth the cost of writing the additional data to keystone's backend during federated login required to later implement the logout & token revocation flow.