Bug 1041881 - [RFE][keystone]: Design for allowing IdP Administrators to update Attribute Mappings
Summary: [RFE][keystone]: Design for allowing IdP Administrators to update Attribute M...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone
Version: unspecified
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: z2
: 6.0 (Juno)
Assignee: RHOS Maint
QA Contact: Mike Abrams
URL: https://blueprints.launchpad.net/keys...
Whiteboard: upstream_milestone_icehouse-3 upstrea...
Depends On: 1053722 1105109
Blocks: 1082414
 
Reported: 2013-12-12 19:51 UTC by RHOS Integration
Modified: 2016-04-26 23:32 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
: 1082414
Environment:
Last Closed: 2015-03-09 14:51:48 UTC
Target Upstream Version:



Description RHOS Integration 2013-12-12 19:51:59 UTC
Cloned from launchpad blueprint https://blueprints.launchpad.net/keystone/+spec/mapping-distributed-admin.

Description:

We describe how external administrators (of federation IdPs or cloud-using organisations) are recognised as being trusted to specify the organisational attributes that their users will present, the credential validation rules for these, and hence the user organisational attribute assignments that Keystone will accept. Furthermore, they are also trusted to perform attribute mappings from these organisational attributes to a subset of the OpenStack attributes that will give the users permission to access the various OpenStack services. We also specify higher level API operations for managing attribute mappings.

When Apache or another web container processes the authentication, the environment variables passed through, such as REMOTE_USER, will not always map exactly to the attributes as exposed by the Identity API. For example, if Kerberos is used, the REMOTE_USER field will come through as Principal@REALM, but the principal may contain characters other than the UserID, and the REALM will probably look like a FQDN but in all caps.

In addition, groups will come through in a variety of formats. SSL_ or NSS_ prefixed variables from the parsing of X509 will sometimes have values that should map to groups in them. Other variables will be lists or maps that need to be expanded first.

The mapping is likely to be different based on the Identity Provider and Protocol combination. As such, dynamically adding a new IdP or adding a new protocol to an IdP will require either the reuse of an existing mapping, or the generation of a new mapping.

Specification URL (additional information):

https://docs.google.com/document/d/1q7BXxFxhPO0d8ZsaRbex9MFtO_jPN-qxIV_7YaKzWLk/edit
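
As an added illustration of the mapping problem the description outlines (not code from the bug, the blueprint, or Keystone itself), the following Python sketch takes the environment a web container exposes after Kerberos or X.509 authentication, splits Principal@REALM, expands list-valued group variables, and applies a per-IdP mapping. The environment values, the mapping structure and the `allowed_realms` check are all constructed assumptions; the check shows the trust boundary the description implies, namely that an IdP administrator's mapping may only assert users of that IdP's own realm.

```python
import re

# Constructed sample of what Apache exposes after Kerberos / X.509 authentication.
SAMPLE_ENV = {
    "REMOTE_USER": "alice/admin@EXAMPLE.ORG",   # Principal@REALM, principal has an instance part
    "REMOTE_USER_GROUPS": "developers;qa",      # list-valued variable that must be expanded first
    "SSL_CLIENT_S_DN_OU": "Engineering",        # SSL_-prefixed value from the client certificate
}

# Hypothetical mapping an IdP administrator could maintain: "remote" conditions on
# environment variables and the "local" groups to assign when all of them hold.
SAMPLE_MAPPING = {
    "allowed_realms": ["EXAMPLE.ORG"],  # this IdP may only assert users of its own realm
    "rules": [
        {"remote": [{"type": "REMOTE_USER_GROUPS", "any_one_of": ["developers", "ops"]}],
         "local": [{"group": "openstack-devs"}]},
        {"remote": [{"type": "SSL_CLIENT_S_DN_OU", "any_one_of": ["Engineering"]}],
         "local": [{"group": "engineering"}]},
    ],
}

def split_values(raw):
    """Expand a ';' or ',' separated variable into a list of trimmed, non-empty values."""
    return [v.strip() for v in re.split(r"[;,]", raw) if v.strip()]

def parse_principal(remote_user, allowed_realms):
    """Split Principal@REALM and reject realms this IdP is not trusted to speak for."""
    if "@" not in remote_user:
        raise ValueError("REMOTE_USER carries no realm")
    principal, realm = remote_user.rsplit("@", 1)
    if realm not in allowed_realms:
        raise ValueError("untrusted realm %r" % realm)
    user = principal.split("/", 1)[0]   # drop the Kerberos instance, e.g. "alice/admin" -> "alice"
    return user, realm.lower()          # REALM looks like an upper-case FQDN; normalise it

def map_assertion(env, mapping):
    """Turn the web container's environment into the identity attributes Keystone would accept."""
    user, realm = parse_principal(env.get("REMOTE_USER", ""), mapping["allowed_realms"])
    result = {"user": {"name": user, "domain": realm}, "groups": []}
    for rule in mapping["rules"]:
        for cond in rule["remote"]:
            values = split_values(env.get(cond["type"], ""))
            # a condition fails when the variable is absent or none of its values is permitted
            if not values or ("any_one_of" in cond and not set(values) & set(cond["any_one_of"])):
                break
        else:  # every remote condition held, so assign the local groups
            result["groups"].extend(local["group"] for local in rule["local"])
    return result
```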

Comment 2 Udi Kalifon 2014-04-07 15:03:08 UTC
The blueprint for this feature seems to be irrelevant.
The feature will be tested according to: https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3-os-federation-ext.md

Adam, please confirm. Thanks.

Comment 3 Nathan Kinder 2014-04-08 15:08:56 UTC
(In reply to Udi from comment #2)
> The blueprint for this feature seems to be irrelevant.
> The feature will be tested according to:
> https://github.com/openstack/identity-api/blob/master/openstack-identity-api/
> v3/src/markdown/identity-api-v3-os-federation-ext.md
> 
> Adam, please confirm. Thanks.

Yes, the OS-FEDERATION API covers this.  You should be able to work off of the API doc and ignore the blueprint.

Comment 4 Udi Kalifon 2014-06-05 08:45:48 UTC
To test this bug, I need to install shibboleth and mod_shib. No one ever built packages for these in either RHEL or Fedora. Please arrange for the RPMs to be available with yum install.

Comment 6 Arthur Berezin 2014-06-11 13:30:49 UTC
Given that ipsilon/mod_mellon is expected to be included in RHEL 7.1, pushing this RFE for OSP6.

Comment 8 Udi Kalifon 2014-11-20 13:29:39 UTC
We have a test plan for this, and we tested all we wanted in this feature and all passed.

Comment 9 Arthur Berezin 2014-12-02 14:15:05 UTC
This will be usable starting with RHEL7.1 which includes ipsilon/mod_mellon.

Comment 10 Udi Kalifon 2014-12-02 15:45:53 UTC
This bug was not tested, and will not be testable until RHEL 7.1 because we don't ship the needed dependencies with RHEL 7 (we need mod_mellon to test the federation feature in keystone). 

Please ignore my comment #8 and ignore the "Tested" keyword in the QE Whiteboard. I meant to put these in another bug and by mistake I put them in this bug. Sorry.

