"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "doc/source/admin/federation/introduction.rst" between
keystone-15.0.0.tar.gz and keystone-15.0.1.tar.gz

About: OpenStack Keystone (Core Service: Identity) provides an authentication and authorization service for other OpenStack services. Provides a catalog of endpoints for all OpenStack services.
The "Stein" series (maintained release).

introduction.rst  (keystone-15.0.0):introduction.rst  (keystone-15.0.1)
skipping to change at line 17 skipping to change at line 17
a copy of the License at a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0 http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations License for the specific language governing permissions and limitations
under the License. under the License.
.. _federation_introduction:
Introduction to Keystone Federation Introduction to Keystone Federation
=================================== ===================================
---------------------------- ----------------------------
What is keystone federation? What is keystone federation?
---------------------------- ----------------------------
Identity federation is the ability to share identity information across multiple Identity federation is the ability to share identity information across multiple
identity management systems. In keystone, this is implemented as an identity management systems. In keystone, this is implemented as an
authentication method that allows users to authenticate directly with another authentication method that allows users to authenticate directly with another
identity source and then provides keystone with a set of user attributes. This identity source and then provides keystone with a set of user attributes. This
is useful if your organization already has a primary identity source since it is useful if your organization already has a primary identity source since it
means users don't need a separate set of credentials for the cloud. It is also means users don't need a separate set of credentials for the cloud. It is also
useful for connecting multiple clouds together, as we can use a keystone in useful for connecting multiple clouds together, as we can use a keystone in
another cloud as an identity source. Using `LDAP as an identity backend`_ is another cloud as an identity source. Using :ref:`LDAP as an identity
backend <integrate_with_ldap>` is
another way for keystone to obtain identity information from an external source, another way for keystone to obtain identity information from an external source,
but it requires keystone to handle passwords directly rather than offloading but it requires keystone to handle passwords directly rather than offloading
authentication to the external source. authentication to the external source.
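Review bot: the `:ref:` in the "Using LDAP as an identity backend" sentence depends on a label `integrate_with_ldap` that is not defined in this file, so this change is only complete if the page the old relative link pointed at (`../../admin/identity-integrate-with-ldap.html`, i.e. `doc/source/admin/identity-integrate-with-ldap.rst`) carries a `.. _integrate_with_ldap:` target in the same 15.0.1 tarball; suggest running the docs build with `sphinx-build -W` so an undefined label fails the build instead of silently rendering as plain text. The `.. _federation_introduction:` target added above the title is the matching counterpart for pages that link back to this one.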
Keystone supports two configuration models for federated identity. The most Keystone supports two configuration models for federated identity. The most
common configuration is with `keystone as a Service Provider (SP)`_, using an common configuration is with :ref:`keystone as a Service Provider (SP)
<keystone-as-sp>`, using an
external Identity Provider, such as a Keycloak or Google, as the identity source external Identity Provider, such as a Keycloak or Google, as the identity source
and authentication method. The second type of configuration is "`Keystone to and authentication method. The second type of configuration is
Keystone`_", where two keystones are linked with one acting as the identity ":ref:`Keystone to Keystone <keystone_as_idp>`", where two keystones
source. are linked with one acting as the identity source.
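Review bot: the two labels introduced in this paragraph follow different naming conventions, `keystone-as-sp` (hyphens) versus `keystone_as_idp` (underscore), while the other labels in this change (`integrate_with_ldap`, `federation_introduction`) use underscores; since both previously resolved to section anchors in `configure_federation.html` (`#keystone-as-a-service-provider-sp`, `#keystone-as-an-identity-provider-idp`), the corresponding `.. _keystone-as-sp:` and `.. _keystone_as_idp:` targets must exist in configure_federation.rst, and settling on one convention now (underscores would match the rest of this patch) avoids a mixed label namespace as more cross-references are converted.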
This document discusses identity federation involving a secondary identity This document discusses identity federation involving a secondary identity
management that acts as the source of truth concerning the users it contains, management that acts as the source of truth concerning the users it contains,
specifically covering the SAML2.0 and OpenID Connect protocols, although specifically covering the SAML2.0 and OpenID Connect protocols, although
keystone can work with other protocols. A similar concept is `external keystone can work with other protocols. A similar concept is :doc:`external
authentication`_ whereby keystone is still the source of truth about its users authentication </admin/external-authentication>` whereby keystone is
still the source of truth about its users
but authentication is handled externally. Yet another closely related topic is but authentication is handled externally. Yet another closely related topic is
`tokenless authentication`_ which uses some of the same constructs as described :doc:`tokenless authentication </admin/configure_tokenless_x509>`
which uses some of the same constructs as described
here but allows services to validate users without using keystone tokens. here but allows services to validate users without using keystone tokens.
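Review bot: the `:doc:` targets for external authentication and tokenless authentication are absolute (`/admin/external-authentication`, `/admin/configure_tokenless_x509`, rooted at the Sphinx source directory) whereas the old links were relative (`../external-authentication.html`, `../configure_tokenless_x509.html`); absolute `:doc:` paths are the right choice here because they keep resolving if this file is ever moved out of `admin/federation/`, and an unresolvable `:doc:` is reported at build time rather than surfacing as a 404 in the published docs. No change requested, provided the docs build treats warnings as errors so that guarantee is actually enforced.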
.. _LDAP as an identity backend: ../../admin/identity-integrate-with-ldap.html
.. _keystone as a Service Provider (SP): configure_federation.html#keystone-as-a
-service-provider-sp
.. _Keystone to Keystone: configure_federation.html#keystone-as-an-identity-prov
ider-idp
.. _external authentication: ../external-authentication.html
.. _tokenless authentication: ../configure_tokenless_x509.html
-------- --------
Glossary Glossary
-------- --------
**Service Provider (SP)** **Service Provider (SP)**
A Service Provider is the service providing the resource an end-user is A Service Provider is the service providing the resource an end-user is
requesting. In our case, this is keystone, which provides keystone tokens that requesting. In our case, this is keystone, which provides keystone tokens that
we use on other OpenStack services. We do NOT call the other OpenStack we use on other OpenStack services. We do NOT call the other OpenStack
services "service providers". The specific service we care about in this services "service providers". The specific service we care about in this
context is the token service, so that is our Service Provider. context is the token service, so that is our Service Provider.
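Review bot: the removal of the five explicit hyperlink targets (`LDAP as an identity backend`, `keystone as a Service Provider (SP)`, `Keystone to Keystone`, `external authentication`, `tokenless authentication`) matches the five references above that were converted to `:ref:`/`:doc:` roles, so no dangling `` `...`_ `` reference remains in the region shown; worth calling out in the commit message is that two of the dropped targets (`configure_federation.html#keystone-as-a-service-provider-sp` and `#keystone-as-an-identity-provider-idp`) hard-coded Sphinx-generated section anchors, which silently change whenever the section title is edited, and that fragility is exactly what the role-based links remove.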
End of changes. 7 change blocks. 16 lines changed or deleted, 14 lines changed or added.