keystone and saml, shibboleth

Asked by Dawid

Short question - is it possible to support shibboleth in keystone somehow?
If not, what should be done, in short, to add this if we would like to implement such functionality?
Is there any document describing how to extend keystone with other authentication/authorization technologies?
Or maybe do you plan to add this? If yes, then when is it expected?

Best regards,
Dawid Szejnfeld

Question information

Language: English
Status: Answered
For: OpenStack Identity (keystone)

Joseph Heck (heckj) said:
#1

Hey Dawid,

It's totally possible - the internal design of keystone (http://keystone.openstack.org/architecture.html) is set around having configurable backends for each of the core components within Keystone. There's an abstract base class in each of those internal services (identity, token, catalog, etc) that you can subclass and create your own configurable backend to any existing system.

For identity, take a look at the class Driver in keystone.identity.core.py. You can see how we've done it for some of the simple backends in keystone/identity/backends/*

PasqualeNotarangelo (pasquale-notarangelo) said:
#2

Hi,
I am interested in making an authentication module on Keystone using SAML2.

I read that havana-2 will have the saml2 module.
Is this news true?
How can I use this feature?
I could test this new functionality!

I am developing an authentication plug-in in python code in Eclipse IDE.
I have imported into eclipse the Keystone project from this link: https://github.com/openstack/keystone.git
It is not havana-2 but grizzly, of course!!!

Is it possible to use the new release of keystone and make a SAML authentication?

When the user tries to access, the system will check in Keystone; if he does not exist, then it checks my "saml-db".

Therefore I need to ask my "user-Saml-db" whether the user exists, by the SAML method, passing through Keystone.

Once the user is authenticated in my db, does Keystone have a synchronization mechanism for the next authentication?
In the sense: is there an automatic mechanism to sync the Keystone db with my SAML-db?

Thanks, regards
Pasquale
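The pluggable-backend pattern Joseph describes in #1, combined with the local-first, external-fallback lookup and the "sync for the next login" Pasquale asks about in #2, as an added example that is not code from this thread or from the keystone project. The `Driver` base class and its two method names are assumptions standing in for `keystone.identity.core.Driver` (keystone is not imported, so this runs offline), and the external user database is a constructed in-memory dict.

```python
import abc
import hashlib
import hmac
import os

class Driver(abc.ABC):
    """Stand-in for keystone's abstract identity Driver (assumed interface)."""
    @abc.abstractmethod
    def authenticate(self, user_id, password): ...
    @abc.abstractmethod
    def get_user(self, user_id): ...

def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed external "saml-db": user_id -> password (hypothetical stand-in
# for the separate user database the thread describes).
EXTERNAL_USERS = {"alice": "s3cret"}

def external_verify(user_id, password):
    """Hypothetical check against the external store; same cost either way."""
    stored = EXTERNAL_USERS.get(user_id, "")
    return user_id in EXTERNAL_USERS and hmac.compare_digest(stored, password)

class ChainedIdentityDriver(Driver):
    """Local store (user_id -> (salt, pbkdf2 hash)) is consulted first. On a
    local miss the external store is asked; a confirmed user is provisioned
    locally with a salted hash, so the next login is served by the local
    store alone. That per-first-login provisioning is the "synchronisation"."""
    def __init__(self, verify):
        self.local = {}
        self.verify = verify

    def _provision(self, user_id, password):
        salt = os.urandom(16)
        self.local[user_id] = (salt, _pbkdf2(password, salt))

    def get_user(self, user_id):
        return {"id": user_id} if user_id in self.local else None

    def authenticate(self, user_id, password):
        rec = self.local.get(user_id)
        if rec is not None:
            # Known locally: decide here; never let an external record
            # override a failed local check (no account shadowing).
            salt, digest = rec
            return hmac.compare_digest(digest, _pbkdf2(password, salt))
        if self.verify(user_id, password):
            self._provision(user_id, password)
            return True
        return False  # unknown user and wrong password share one failure path
```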
