Add Mapping Combinations for Keystone to Keystone Federation
Adds Mapping Rules for Keystone to Keystone Federation to the Keystone Documentation.

Change-Id: If7c00ce4d8693b5d8ef008e272606ce497161946
parent
831ff5cbbf
commit
ab781d8164
@ -594,4 +594,54 @@ global username mapping.
|
||||
]
|
||||
}
|
||||
|
||||
Keystone to Keystone
|
||||
--------------------
|
||||
|
||||
Keystone to Keystone federation also utilizes mappings, but has some
|
||||
differences.
|
||||
|
||||
An attribute file (/etc/shibboleth/attribute-map.xml) is used to add
|
||||
attributes to the Keystone Identity Provider. Attributes look as follows:
|
||||
``<Attribute name="openstack_user" id="openstack_user"/>``
|
||||
``<Attribute name="openstack_user_domain" id="openstack_user_domain"/>``
|
||||
|
||||
The Keystone Service Provider must contain a mapping as shown below.
|
||||
``openstack_user``, and ``openstack_user_domain`` match to the attribute
|
||||
names we have in the Identity Provider. It will map any user with the name
|
||||
``user1`` or ``admin`` in the ``openstack_user`` attribute and
|
||||
``openstack_domain`` attribute ``default`` to a group with id ``abc1234``.
|
||||
|
||||
.. code-block:: javascript
|
||||
|
||||
{
|
||||
rules = [
|
||||
{
|
||||
"local": [
|
||||
{
|
||||
"group": {
|
||||
"id": "abc1234"
|
||||
}
|
||||
}
|
||||
],
|
||||
"remote": [
|
||||
{
|
||||
"type": "openstack_user",
|
||||
"any_one_of": [
|
||||
"user1",
|
||||
"admin"
|
||||
]
|
||||
},
|
||||
{
|
||||
"type":"openstack_user_domain",
|
||||
"any_one_of": [
|
||||
"Default"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
The possible attributes that can be used in a mapping are `openstack_user`,
|
||||
`openstack_user_domain`, `openstack_roles`, `openstack_project`, and
|
||||
`openstack_project_domain`.
|
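Review bot: The sentence introducing the example names the domain attribute ``openstack_domain`` with value ``default``, but the rule matches "type":"openstack_user_domain" against "Default", and the attribute map above defines only ``openstack_user_domain``. The sentence should use ``openstack_user_domain`` and the same case as the rule, since this mapping decides which federated users land in group ``abc1234`` and a reader copying it needs to know exactly what is matched. In the example, `rules = [` is not valid JSON; it should read "rules": [. The closing paragraph lists the attributes in single backticks while the rest of the section uses double backticks for literals, and the comma after ``openstack_user`` in "``openstack_user``, and ``openstack_user_domain`` match" should be dropped.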