Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1289502

Summary: OpenStack custom login and federation support
Product: Red Hat OpenStack
Reporter: GE Scott Knauss <sknauss>
Component: openstack-keystone
Assignee: Adam Young <ayoung>
Status: CLOSED DUPLICATE
QA Contact: Shai Revivo <srevivo>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 7.0 (Kilo)
CC: ayoung, dnavale, nkinder, pablo.iranzo, panbalag, sknauss, srevivo
Target Milestone: ---
Keywords: ZStream
Target Release: 10.0 (Newton)
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
With this release, the customer requires two-factor authentication, to support better security for the re-seller use case.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-09-02 20:13:32 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1273812

Description GE Scott Knauss 2015-12-08 10:48:10 UTC
The customer needs two-factor authentication: the implementation with Keystone and IPA has many issues and the customer doesn't want to go with this solution.

So, we found this article[1] that explains how to configure Keystone for federation and as a Service Provider: the plan is to use an external IDP based on EAP + Picketlink with custom EAP login modules.

So:

1) Do we have other customers using login customization for OSP7, and how?

I'm not aware of any; it's better to reach out to BU or rhos-tech to check on this.

2) Do we have some ready made solution to implement two factor auth in OSP?

IPA can be integrated with Keystone
(https://www.rdoproject.org/documentation/keystone-integration-with-idm/)

And IPA can do 2FA:
http://rhelblog.redhat.com/2015/06/04/identity-management-and-two-factor-authentication-using-one-time-passwords/

So they can be crafted together.

But as you said, if the customer doesn't want to go the IPA road, it's a dead end.

3) Do we fully support federation + SAML2 login in OSP?

Comment 7 Nathan Kinder 2016-09-02 20:13:32 UTC

*** This bug has been marked as a duplicate of bug 1263009 ***