"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "doc/source/admin/federation/configure_federation.rst" between
keystone-16.0.1.tar.gz and keystone-17.0.0.tar.gz

About: OpenStack Keystone (Core Service: Identity) provides an authentication and authorization service for other OpenStack services. Provides a catalog of endpoints for all OpenStack services.
The "Ussuri" series (latest release).

configure_federation.rst  (keystone-16.0.1):configure_federation.rst  (keystone-17.0.0)
skipping to change at line 114
Identity Provider, called the `entity ID` or the `remote ID`. For a SAML Identity Provider, called the `entity ID` or the `remote ID`. For a SAML
Identity Provider, it can found by querying its metadata endpoint: Identity Provider, it can found by querying its metadata endpoint:
.. code-block:: console .. code-block:: console
$ curl -s https://samltest.id/saml/idp | grep -o 'entityID=".*"' $ curl -s https://samltest.id/saml/idp | grep -o 'entityID=".*"'
entityID="https://samltest.id/saml/idp" entityID="https://samltest.id/saml/idp"
For an OpenID Connect IdP, it is the Identity Provider's Issuer Identifier. For an OpenID Connect IdP, it is the Identity Provider's Issuer Identifier.
A remote ID must be globally unique: two identity providers cannot be associated A remote ID must be globally unique: two identity providers cannot be associated
with the same remote ID. The remote ID will usually appear as a URN but but need with the same remote ID. The remote ID will usually appear as a URN but need
not be a resolvable URL. not be a resolvable URL.
The local name, called ``samltest`` in our example, is decided by you and will The local name, called ``samltest`` in our example, is decided by you and will
be used by the mapping and protocol, and later for authentication. be used by the mapping and protocol, and later for authentication.
.. note:: .. note::
An identity provider keystone object may have multiple ``remote-ids`` An identity provider keystone object may have multiple ``remote-ids``
specified, this allows the same *keystone* identity provider resource to be specified, this allows the same *keystone* identity provider resource to be
used with multiple external identity providers. For example, an identity used with multiple external identity providers. For example, an identity
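Review bot: the doubled "but but" is correctly reduced to "but" on the 17.0.0 side, but the same hunk still carries a second grammar slip two lines above the console block, "it can found by querying its metadata endpoint"; suggest "it can be found by querying its metadata endpoint" while this paragraph is being touched.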
skipping to change at line 145
Create a Mapping Create a Mapping
~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~
Next, create a mapping. A mapping is a set of rules that link the attributes of Next, create a mapping. A mapping is a set of rules that link the attributes of
a remote user to user properties that keystone understands. It is especially a remote user to user properties that keystone understands. It is especially
useful for granting remote users authorization to keystone resources, either by useful for granting remote users authorization to keystone resources, either by
associating them with a local keystone group and inheriting its role associating them with a local keystone group and inheriting its role
assignments, or dynamically provisioning projects within keystone based on these assignments, or dynamically provisioning projects within keystone based on these
rules. rules.
.. note::
By default, group memberships that a user gets from a mapping are only valid
for the duration of the token. It is possible to persist these groups
memberships for a limited period of time. To enable this, either
set the ``authorization_ttl` attribute of the identity provider, or the
``[federation] default_authorization_ttl`` in the keystone.conf file. This
value is in minutes, and will result in a lag from when a user is removed
from a group in the identity provider, and when that will happen in keystone.
Please consider your security requirements carefully.
An Identity Provider has exactly one mapping specified per protocol. An Identity Provider has exactly one mapping specified per protocol.
Mapping objects can be used multiple times by different combinations of Identity Mapping objects can be used multiple times by different combinations of Identity
Provider and Protocol. Provider and Protocol.
As a simple example, create a mapping with a single rule to map all remote users As a simple example, create a mapping with a single rule to map all remote users
to a local user in a single group in keystone: to a local user in a single group in keystone:
.. code-block:: console .. code-block:: console
$ cat > rules.json <<EOF $ cat > rules.json <<EOF
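Review bot: the added note has unbalanced RST markup at ``authorization_ttl`: the inline literal opens with two backticks and closes with one, so Sphinx will warn and the option name will not render as a literal; suggest ``authorization_ttl`` to match the ``[federation] default_authorization_ttl`` form used in the next sentence. In the same note, "these groups memberships" should read "these group memberships". The closing "Please consider your security requirements carefully" would be more useful if it named the trade-off the preceding sentence already implies: with a non-zero TTL a user removed from a group at the identity provider keeps that group membership, and the role assignments it grants, in keystone for up to that many minutes, so the value should be chosen by how quickly such revocations must take effect.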
End of changes. 2 change blocks.
1 line changed or deleted, 12 lines changed or added
