Bug 1042086

Summary: [RFE][horizon]: Modifying horizon with federated access
Product: Red Hat OpenStack
Reporter: RHOS Integration <rhos-integ>
Component: RFEs
Assignee: RHOS Maint <rhos-maint>
Status: CLOSED UPSTREAM
QA Contact:
Severity: medium
Docs Contact:
Priority: unspecified
Version: unspecified
CC: markmc, yeylon
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
URL: https://blueprints.launchpad.net/horizon/+spec/federated-horizon
Whiteboard: upstream_milestone_ongoing upstream_status_started upstream_definition_superseded
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-03-19 16:58:10 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description RHOS Integration 2013-12-12 20:53:12 UTC
Cloned from launchpad blueprint https://blueprints.launchpad.net/horizon/+spec/federated-horizon.

Description:

This feature enables the user to log into OpenStack by authenticating through a third-party identity provider. This project focuses on enabling a federated authentication feature through a graphical user interface client, i.e., through the OpenStack dashboard.

The assumed changes in Horizon would be as follows:

Configuration:

Install and configure federated Keystone, which holds the federation script to add a 3rd-party IdP into the service catalog of Keystone and supports the federated IdPs. This would be achieved from https://github.com/kwss/keystone/tree/kent-federated-april.

Abstract and modify the federation module from https://github.com/kwss/python-swiftclient/tree/master/swiftclient/contrib/federated into openstack-auth, which acts as the authentication holder for Horizon.

Workflow:

The forms (openstack_auth/forms.py) in Horizon will be modified to have a dropdown with the available list of identity providers.

Horizon sends a REST request to Keystone through the abstracted federation API to populate the dropdown with the list of IdPs stored in the service catalog (service type: identity).

The user selects the desired identity provider, which has its endpoint stored in the service catalog of Keystone.

Horizon makes a GET request of the user selection to Keystone.

Keystone POSTs the endpoint of the particular IdP to Horizon.

Horizon connects to the endpoint and displays the login page of the IdP to the user.

The user authenticates with the IdP by providing his/her credentials maintained with the particular IdP.

The IdP authenticates the user and would POST a token to Horizon.

Horizon POSTs this token to Keystone.

Keystone now verifies the user roles and projects based on the token received and redirects the response back to Horizon.

Specification URL (additional information):

None
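As an added illustration (not code from the blueprint, Horizon or Keystone), the workflow above simulated in Python: the IdP list and endpoint come only from a constructed service catalog, the IdP issues a token signed with a hypothetical shared secret, and Horizon derives roles and projects solely from Keystone's verification of that token rather than trusting the IdP's response itself.

```python
import base64, hashlib, hmac, json

# Constructed catalog: Horizon fills its IdP dropdown from "identity" entries only.
CATALOG = [
    {"type": "identity", "name": "keystone", "endpoint": "https://keystone.example/v3"},
    {"type": "identity", "name": "acme-idp", "endpoint": "https://idp.acme.example/login"},
    {"type": "object-store", "name": "swift", "endpoint": "https://swift.example/v1"},
]
IDP_SECRET = b"constructed-shared-secret"  # hypothetical: lets Keystone check IdP tokens

def _sign(payload: bytes) -> str:
    return hmac.new(IDP_SECRET, payload, hashlib.sha256).hexdigest()

class IdP:
    def __init__(self, users):
        self.users = users  # user -> password (constructed)

    def login(self, user, password):
        if self.users.get(user) != password:
            raise PermissionError("IdP rejected credentials")
        payload = json.dumps({"sub": user, "idp": "acme-idp"}).encode()
        return base64.b64encode(payload).decode() + "." + _sign(payload)

class Keystone:
    def __init__(self, catalog, mappings):
        self.catalog, self.mappings = catalog, mappings  # user -> roles/projects

    def list_idps(self):
        return [e["name"] for e in self.catalog
                if e["type"] == "identity" and e["name"] != "keystone"]

    def idp_endpoint(self, name):
        for e in self.catalog:  # endpoint comes from the catalog, never from the browser
            if e["type"] == "identity" and e["name"] == name:
                return e["endpoint"]
        raise KeyError(f"unknown IdP: {name}")

    def verify(self, token):
        b64, _, sig = token.partition(".")
        payload = base64.b64decode(b64)
        if not hmac.compare_digest(_sign(payload), sig):
            raise PermissionError("keystone rejected token")
        return self.mappings[json.loads(payload)["sub"]]

def horizon_login(keystone, idp, choice, user, password):
    if choice not in keystone.list_idps():        # dropdown choice must be a catalog IdP
        raise ValueError(f"IdP not offered: {choice}")
    endpoint = keystone.idp_endpoint(choice)      # Horizon asks Keystone for the endpoint
    token = idp.login(user, password)             # user authenticates at that endpoint
    return {"endpoint": endpoint, **keystone.verify(token)}  # only Keystone's verdict counts
```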