Add Mapping Combinations for Keystone to Keystone Federation

Adds Mapping Rules for Keystone to Keystone Federation to the
Keystone Documentation.

Change-Id: If7c00ce4d8693b5d8ef008e272606ce497161946
“Fernando 2015-10-20 11:24:28 -05:00
parent 831ff5cbbf
commit ab781d8164

@ -594,4 +594,54 @@ global username mapping.
]
}
Keystone to Keystone
--------------------
Keystone to Keystone federation also utilizes mappings, but has some
differences.
An attribute file (/etc/shibboleth/attribute-map.xml) is used to add
attributes to the Keystone Identity Provider. Attributes look as follows:
``<Attribute name="openstack_user" id="openstack_user"/>``
``<Attribute name="openstack_user_domain" id="openstack_user_domain"/>``
The Keystone Service Provider must contain a mapping as shown below.
``openstack_user``, and ``openstack_user_domain`` match to the attribute
names we have in the Identity Provider. It will map any user with the name
``user1`` or ``admin`` in the ``openstack_user`` attribute and
``openstack_domain`` attribute ``default`` to a group with id ``abc1234``.
.. code-block:: javascript
{
rules = [
{
"local": [
{
"group": {
"id": "abc1234"
}
}
],
"remote": [
{
"type": "openstack_user",
"any_one_of": [
"user1",
"admin"
]
},
{
"type":"openstack_user_domain",
"any_one_of": [
"Default"
]
}
]
}
]
}
The possible attributes that can be used in a mapping are `openstack_user`,
`openstack_user_domain`, `openstack_roles`, `openstack_project`, and
`openstack_project_domain`.
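Review bot: The paragraph introducing the mapping names the second attribute ``openstack_domain`` with value ``default``, but the rule itself tests "type":"openstack_user_domain" against "Default", so the text and the example disagree on both the attribute name and the case of the value. Please make the prose read ``openstack_user_domain`` and ``Default`` (or change the rule), since a reader who copies the name from the text will write a rule that does not match the attribute and therefore does not place the user in group ``abc1234`` as described. In the example, the line `rules = [` is not valid JSON; it should be `"rules": [` so the block can be pasted as a mapping body. Style: the closing paragraph uses single backticks for the attribute names while the rest of the section uses double backticks for literals; use double backticks there as well.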