Keystone Federation

Registered by Jesse Pretorius on 2015-06-22

Keystone can be deployed as an identity provider (IDP) and/or a resource service provider (SP). This blueprint covers the implementation of Keystone Federation such that two Keystone environments can provide identity and resources to each other.

Blueprint information

Status: Complete
Approver: None
Priority: High
Drafter: Jesse Pretorius
Direction: Needs approval
Assignee: Miguel Grinberg
Definition: Approved
Series goal: Accepted for kilo
Implementation: Implemented
Milestone target: 11.1.0
Started by: Kevin Carter on 2015-07-16
Completed by: Jesse Pretorius on 2015-08-10

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:spec/keystonefed,n,z

Addressed by: https://review.openstack.org/194147
    Spec for keystone federation ansible deployment

Gerrit topic: https://review.openstack.org/#q,topic:bp/keystone-federation,n,z

Addressed by: https://review.openstack.org/194474
    Support SSL certs for Keystone

Gerrit topic: https://review.openstack.org/#q,topic:keystone-idp,n,z

Addressed by: https://review.openstack.org/194259
    [WIP] Keystone idp configuration

Gerrit topic: https://review.openstack.org/#q,topic:keystone-sp,n,z

Addressed by: https://review.openstack.org/194395
    [WIP] Keystone SP configuration

Gerrit topic: https://review.openstack.org/#q,topic:bug/1466827,n,z

Addressed by: https://review.openstack.org/196943
    Upgrade the Keystone library to use v3

Addressed by: https://review.openstack.org/197677
    [WIP] Add v3 calls for federation to keystone module

Addressed by: https://review.openstack.org/198957
    [WIP] SSL support for haproxy

Addressed by: https://review.openstack.org/199307
    Enable all services to use Keystone 'insecurely'

Addressed by: https://review.openstack.org/201070
    Enable all services to use Keystone 'insecurely'

Addressed by: https://review.openstack.org/201468
    SSL support for haproxy

Gerrit topic: https://review.openstack.org/#q,topic:bug/1472694,n,z

Addressed by: https://review.openstack.org/199730
    Add openstackclient to the keystone containers

Addressed by: https://review.openstack.org/202189
    Add openstackclient to the keystone containers

Addressed by: https://review.openstack.org/202242
    Upgrade the Keystone library to use v3

Addressed by: https://review.openstack.org/202243
    Add v3 calls for federation to keystone module

Addressed by: https://review.openstack.org/203859
    Wrapper script to perform K2K federated login

Addressed by: https://review.openstack.org/203736
    Add sample Keystone Federation SP configuration for ADFS

Addressed by: https://review.openstack.org/207386
    Keystone Federation Identity Provider Configuration

Addressed by: https://review.openstack.org/206575
    Enable Horizon to consume a Keystone v3 API endpoint

Addressed by: https://review.openstack.org/208012
    Enable Horizon to consume a Keystone v3 API endpoint

Addressed by: https://review.openstack.org/210628
    Keystone Federation Service Provider Configuration

Addressed by: https://review.openstack.org/210751
    Wrapper script to perform K2K federated login

Addressed by: https://review.openstack.org/210804
    Add sample Keystone Federation SP configuration for ADFS

Addressed by: https://review.openstack.org/214575
    Keystone SSL cert/key distribution and configuration
