Cloned from launchpad blueprint https://blueprints.launchpad.net/keystone/+spec/keystone-to-keystone-federation.

Description: CERN has one openstack cloud setup ("internal cloud") within their data center. They have the keystone sitting on top of an LDAP instance. They would like to burst cloud workload between multiple public cloud service providers ("CSP") should their internal cloud not have enough bandwidth or storage. They would like to provide seamless access for their internal cloud identities. Those identities currently use openstack clients (nova-client, keystone-client) and would like to continue to do so without many changes.

Flow:
a. AuthN against CERN keystone using my credentials
b. Get a token back with a service catalog showing CERN openstack services (nova, swift, etc.) and the CSP service catalog
c. Attempt to use the token against the CSP nova service
d. CSP nova service calls CSP keystone (no change)
e. CSP keystone deciphers the token as belonging to the CERN keystone IdP (which it sees as being set up as a trusted identity provider with the attribute mappings we need to use)
f. CSP keystone calls CERN keystone (SAML or other federation protocol request and negotiation)
g. CERN keystone shows CSP set up as a trusted service provider (with the attribute mappings it should expect)
h. CERN keystone returns a SAML (or other federation protocol) assertion to CSP keystone
i. CSP keystone deciphers the assertion and provisions a temporary user. The token is deemed valid and stored in CSP keystone for future validation calls until expiration

Specification URL (additional information): None
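The trust relationships in steps e, g and i, modelled as an added Python example (this is not Keystone code; the class names, the assertion dict, the attribute names and the mapping format are constructed stand-ins). It shows the IdP refusing unregistered service providers, the SP refusing assertions from unknown issuers or unmapped groups, and the cached token expiring.

```python
import time
import uuid

class IdpKeystone:
    """CERN-side keystone: issues assertions only to registered service providers (steps f-h)."""
    def __init__(self, name, trusted_sps, users):
        # trusted_sps: sp_id -> attributes that SP's mapping expects (step g)
        self.name, self.trusted_sps, self.users = name, trusted_sps, users

    def issue_assertion(self, sp_id, username):
        if sp_id not in self.trusted_sps:
            raise PermissionError(f"{sp_id} is not a trusted service provider")
        # Release only the attributes the SP expects, not the whole LDAP entry.
        attrs = {k: self.users[username][k] for k in self.trusted_sps[sp_id]}
        return {"issuer": self.name, "audience": sp_id, "attrs": attrs}  # stand-in for the SAML assertion

class SpKeystone:
    """CSP-side keystone: trusts named IdPs, maps attributes, provisions ephemeral users (steps e, i)."""
    def __init__(self, name, trusted_idps, ttl=3600):
        # trusted_idps: idp -> {"user": template, "groups": {remote group: local group}}
        self.name, self.trusted_idps, self.ttl = name, trusted_idps, ttl
        self.ephemeral_users, self.tokens = {}, {}

    def consume_assertion(self, assertion, now=None):
        if assertion["issuer"] not in self.trusted_idps or assertion["audience"] != self.name:
            raise PermissionError("assertion not from a trusted IdP, or not addressed to this SP")
        mapping, attrs = self.trusted_idps[assertion["issuer"]], assertion["attrs"]
        local_group = mapping["groups"].get(attrs.get("group"))
        if local_group is None:  # unmapped group: deny rather than fall back to a default role
            raise PermissionError("no mapping rule matched the asserted group")
        user = mapping["user"].format(**attrs)
        self.ephemeral_users[user] = local_group
        token = uuid.uuid4().hex
        self.tokens[token] = (user, (time.time() if now is None else now) + self.ttl)
        return token

    def validate(self, token, now=None):
        """Later validation calls are answered from the local cache until expiry (step i)."""
        user, expires = self.tokens.get(token, (None, 0))
        return user if user and (time.time() if now is None else now) < expires else None

def demo(now=1_000_000):
    """Constructed data: one CERN user bursting to a CSP that trusts CERN for the 'atlas' group only."""
    cern = IdpKeystone("cern", {"csp": ["uid", "group"]},
                       {"alice": {"uid": "alice", "group": "atlas", "mail": "alice@example.invalid"}})
    csp = SpKeystone("csp", {"cern": {"user": "{uid}@cern", "groups": {"atlas": "burst-users"}}})
    token = csp.consume_assertion(cern.issue_assertion("csp", "alice"), now=now)
    return csp.ephemeral_users, csp.validate(token, now + 10), csp.validate(token, now + 3600)
```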
This will not be possible until we have mod_mellon in RHEL 7.1. This should not be a "High" priority RFE for RHOS6 GA.
RHEL7.1 Beta is out, we should be able to test this now.
Pushing this to next async release
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-0639.html