Bug 1042086 - [RFE][horizon]: Modifying horizon with federated access
Summary: [RFE][horizon]: Modifying horizon with federated access
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: RFEs
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: ---
Assignee: RHOS Maint
QA Contact:
URL: https://blueprints.launchpad.net/hori...
Whiteboard: upstream_milestone_ongoing upstream_s...
Depends On:
Blocks:
Reported: 2013-12-12 20:53 UTC by RHOS Integration
Modified: 2015-07-22 18:04 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-19 16:58:10 UTC
Target Upstream Version:


Description RHOS Integration 2013-12-12 20:53:12 UTC
Cloned from launchpad blueprint https://blueprints.launchpad.net/horizon/+spec/federated-horizon.

Description:

This feature enables the user to log in to OpenStack by authenticating through a third-party identity provider. This project focuses on enabling a federated authentication feature through the graphical user interface client, i.e. through the OpenStack dashboard.

The assumed changes in Horizon would be as follows:

Configuration:

Install and configure federated Keystone that holds the federation script to add a 3rd party IdP into the service catalog of Keystone, and supports the federated IdPs. This would be achieved from (https://github.com/kwss/keystone/tree/kent-federated-april)

Abstract and modify the federation module from (https://github.com/kwss/python-swiftclient/tree/master/swiftclient/contrib/federated) into openstack-auth, which acts as the authentication holder for Horizon

Workflow:

The forms (openstack_auth/forms.py) in Horizon will be modified to have a dropdown with the available list of identity providers.

Horizon sends a REST request to Keystone through the abstracted federation API, to populate the dropdown with the list of IdPs stored in the service catalog within (service type: identity)

The user selects the desired identity provider, which has its endpoint stored in the service catalog of Keystone.

Horizon makes a GET request of the user selection to Keystone.

Keystone POSTs the endpoint of the particular IdP to Horizon.

Horizon connects to the endpoint and displays the login page of the IdP to the user.

The user authenticates with the IdP by providing his/her credentials maintained with the particular IdP.

The IdP authenticates the user and would POST a token to Horizon.

Horizon POSTs this token to Keystone.

Keystone now verifies the user roles and projects based on the token received and redirects the response back to Horizon.

Specification URL (additional information):

None
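
The workflow above, modelled as an added example that is not code from the blueprint, Horizon or Keystone: in-memory stand-ins for the three parties show the two checks the flow depends on, that the selected IdP comes from the service catalog and that Keystone accepts only a token issued by that IdP. Assumptions: the blueprint does not specify a token format, so an HMAC-signed JSON body with a per-IdP key is used here, and all function names, IdP names, URLs and keys are constructed.

```python
import hashlib
import hmac
import json

# Constructed sample data; none of these names, URLs or keys come from the blueprint.
CATALOG = {"idp-a": "https://idp-a.example.test/login",   # identity-type entries
           "idp-b": "https://idp-b.example.test/login"}
IDP_KEYS = {"idp-a": b"constructed-key-a", "idp-b": b"constructed-key-b"}
ROLE_MAP = {("idp-a", "alice"): {"roles": ["member"], "projects": ["demo"]}}

def _sign(idp, body):
    # Assumed token protection: HMAC-SHA256 under the key of the named IdP.
    return hmac.new(IDP_KEYS[idp], body.encode(), hashlib.sha256).hexdigest()

def idp_issue_token(idp, user):
    """IdP side: after the user authenticates, return a signed token."""
    body = json.dumps({"idp": idp, "user": user}, sort_keys=True)
    return {"body": body, "sig": _sign(idp, body)}

def keystone_list_idps():
    """Keystone side: IdP names Horizon shows in the dropdown."""
    return sorted(CATALOG)

def keystone_verify(token, selected_idp):
    """Keystone side: check the token against the selected IdP's key, then
    map the user to roles and projects."""
    if not hmac.compare_digest(_sign(selected_idp, token["body"]), token["sig"]):
        raise PermissionError("token not issued by the selected IdP")
    claims = json.loads(token["body"])
    if claims.get("idp") != selected_idp:
        raise PermissionError("IdP claim does not match selection")
    try:
        return ROLE_MAP[(selected_idp, claims["user"])]
    except KeyError:
        raise PermissionError("no roles mapped for this user") from None

def horizon_login(selected_idp, user):
    """Horizon side: accept only a catalog IdP, then relay the token."""
    if selected_idp not in keystone_list_idps():
        raise ValueError("IdP is not in the service catalog")
    endpoint = CATALOG[selected_idp]             # where the login page is shown
    token = idp_issue_token(selected_idp, user)  # stands in for the IdP login
    return endpoint, keystone_verify(token, selected_idp)
```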
