Modify the FederationProtocolModel class and add the
remote_id_attribute to the federation_protocol table.
Add the respective migration and test files. Also
modify the schema to expect a remote_id_attribute
property.
Closes-bug: #1724645
Co-authored-by: Colleen Murphy <colleen@gazlene.net>
Change-Id: I9802c8a5c187bae16de89893ca8639b01cd7cb1b
The test that the IdP and domain have a unique constraint is wrong.
Keystone has never supported IdP:domain being 1:1.
This patch fixes the error in the test to make sure
IdP:domain is n:1.
Change-Id: I90a0ed677aa9d666a220bd2456dac336378cd3ba
Closes-bug: #1760843
As we use the federation protocol, we assign authorization to ephemeral
users by mapping to groups. Setting this mapping does not add the
ephemeral user to the group, and the user is not a member of the group.
Only the authorization for the user is the same as the role assignments to the
group on a project or domain.
This patch adds an explanation about the group mapping.
Change-Id: I9faa7d57037af3c2cf6ccfda8d853693fa5eb628
If a federated user is ephemeral, the user will become a member of
the identity provider's domain. The identity provider and service
provider are different entities; this patch corrects the note and
makes it more distinct.
Change-Id: I71a8b339e2e8f176761a36a4effe09afcf5388a6
In order for a federated user to be mapped to a local user that exists
in the identity backend, the user object in the local mapping rule must
have the property "type": "local" set, in addition to having a keystone
domain provided. This was probably not the original intention of the
local user mapping spec[1], but this is how it ended up being
implemented. We could choose to change the behavior of the code, but
it has been around long enough that it is possible that deployments are
depending on this behavior, and moreover making rules explicit rather
than implicit reduces the risk of bugs and mistakes.
This patch updates the api-ref documentation and the standard federation
documentation to include the "type" property when mapping to local
users. In addition, since we now have two keywords called "local" that
mean somewhat different things, we expand the context of some of the
mapping examples so that both the rule name "local" and the value
"local" of the attribute "type" appear in the example, for clarity.
Change-Id: Ib35e57e33903de14f9cac1f919c32dfe923ef884
Closes-bug: #1673157
An Identity Provider (IdP) should be mapped to a domain. This patch
updates the documentation and creates a release note recommending the
domain_id parameter.
Depends-On: Id18b8b2fe853b97631bc990df8188ed64a6e1275
Partial-Bug: #1642687
Change-Id: I1cb749371175169662dbb5fa8feafe403fb1c39b
Change I2423030bd0849c051d22f63bf60b6a5f41f72574 migrated Federation
api-ref docs into keystone repository.
Moving Assertion API to its own file is one of the TODO comments left
there, which is being addressed in this change.
Change-Id: I0ad565619744eb7f7b3c2fb33971d8d8ab4e22ea
Change I2423030bd0849c051d22f63bf60b6a5f41f72574 migrated Federation
api-ref docs into keystone repository.
Moving Auth API to its own file is one of the TODO comments left there,
which is being addressed in this change.
Change-Id: Icd0c293c1a326c9bf3fe1ca01c96e3908ac33db3
Change I2423030bd0849c051d22f63bf60b6a5f41f72574 migrated Federation
api-ref docs into keystone repository.
Moving List Projects and Domains API to its own file is one of the TODO
comments left there, which is being addressed in this change.
Change-Id: I78572d6605c7eddd9c7b41bb2e982dc10728f46e
Change I2423030bd0849c051d22f63bf60b6a5f41f72574 migrated Federation
api-ref docs into keystone repository.
Moving Service Provider API to its own file is one of the TODO
comments left there, which is being addressed in this change.
Change-Id: Iabe3d443f01b173024620aae629558d228c2cd10
Change I2423030bd0849c051d22f63bf60b6a5f41f72574 migrated Federation
api-ref docs into keystone repository.
Moving Mapping API to its own file is one of the TODO comments left
there, which is being addressed in this change.
Change-Id: I070f2807dc683d470ef4e5e6d758c3998009b2be
Change I2423030bd0849c051d22f63bf60b6a5f41f72574 migrated Federation
api-ref docs into keystone repository.
Moving Identity Provider API to its own file is one of the TODO
comments left there, which is being addressed in this change.
Change-Id: I5c5b26c2d4c9920d6b9642eaf0fc47ed5bffb3cb
- add /v3/ to all routes;
- switch from 'localhost:port' and 'identity:port' endpoints to
'example.com/identity';
- fix typo.
Change-Id: If0d90ebab78e93fc9395b0e02436853a4ecbfa73
This commit migrates OS-FEDERATION docs from the spec repo to keystone server
repo under api-ref/source/v3-ext/ directory.
Change-Id: I2423030bd0849c051d22f63bf60b6a5f41f72574