keystone/doc/source/admin/identity-token-binding.rst
Samriddhi Jain aba9267323 Added keystone admin guides to documentation
Currently the identity administrator guide docs are a part of
general OpenStack-manuals. Migrating those docs to keystone
documentation so that they can be reviewed effectively by
keystone developers too.

Partial-Bug #1694460
Depends-On: Ia750cb049c0f53a234ea70ce1f2bbbb7a2aa9454

Change-Id: Id121ae1dd5bce993b4ad1219b592527ef0047063
2017-06-24 00:42:14 +05:30

Configure Identity service for token binding

Token binding embeds information from an external authentication mechanism, such as a Kerberos server or X.509 certificate, inside a token. By using token binding, a client can enforce the use of a specified external authentication mechanism with the token. This additional security mechanism ensures that if a token is stolen, for example, it is not usable without external authentication.

You configure the authentication types for a token binding in the /etc/keystone/keystone.conf file:

[token]
bind = kerberos

or

[token]
bind = x509

Currently kerberos and x509 are supported.

To enforce checking of token binding, set the enforce_token_bind option to one of these modes:

  • disabled

    Disables token bind checking.

  • permissive

    Enables bind checking. If a token is bound to an unknown authentication mechanism, the server ignores it. This is the default mode.

  • strict

    Enables bind checking. If a token is bound to an unknown authentication mechanism, the server rejects it.

  • required

    Enables bind checking. Requires use of at least one authentication mechanism for tokens.

  • kerberos

    Enables bind checking. Requires use of kerberos as the authentication mechanism for tokens:

    [token]
    enforce_token_bind = kerberos

  • x509

    Enables bind checking. Requires use of X.509 as the authentication mechanism for tokens:

    [token]
    enforce_token_bind = x509
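The modes above can be read as one decision function over the configured mode, the binding carried in the token, and what the web server in front of keystone actually authenticated. The following is an added illustrative model of that decision, not keystone's own code; it assumes the token's bind data is a dict such as {"kerberos": "alice@EXAMPLE.ORG"}, and that the front-end server exposes the external authentication result in the WSGI environment as AUTH_TYPE/REMOTE_USER for Kerberos (Negotiate) and SSL_CLIENT_S_DN for a verified client certificate (the variable Apache mod_ssl sets).

```python
# Added illustrative model of the enforce_token_bind modes above; not keystone's
# own code. Assumes a token's bind data is a dict like {"kerberos": "alice@EXAMPLE.ORG"}
# and that the web server exposes the external auth result in the WSGI environ:
# AUTH_TYPE/REMOTE_USER for Kerberos (Negotiate), SSL_CLIENT_S_DN for a client cert.

class BindError(Exception):
    """Token must be rejected under the configured enforce_token_bind mode."""

# How each supported mechanism is verified against the request environment.
VERIFIERS = {
    "kerberos": lambda ident, env: (env.get("AUTH_TYPE", "").lower() == "negotiate"
                                    and env.get("REMOTE_USER") == ident),
    "x509": lambda ident, env: env.get("SSL_CLIENT_S_DN") == ident,
}

def check_token_bind(mode, token_bind, environ):
    """Return True if the token is usable under `mode`, otherwise raise BindError."""
    mode = mode.lower()
    if mode == "disabled":
        return True
    if not token_bind:
        # permissive and strict accept an unbound token; required and the
        # mechanism-specific modes (kerberos, x509) do not.
        if mode in ("permissive", "strict"):
            return True
        raise BindError("token is not bound but mode %r requires a binding" % mode)
    if mode not in ("permissive", "strict", "required") and mode not in token_bind:
        raise BindError("token lacks the %r binding the server requires" % mode)
    for bind_type, identifier in token_bind.items():
        verifier = VERIFIERS.get(bind_type)
        if verifier is None:
            if mode == "permissive":
                continue  # unknown mechanism is ignored only in permissive mode
            raise BindError("unknown bind type %r rejected in %r mode" % (bind_type, mode))
        if not verifier(identifier, environ):
            raise BindError("%s binding does not match this request" % bind_type)
    return True

def is_accepted(mode, token_bind, environ):
    """Boolean form of check_token_bind, convenient for policy tables and tests."""
    try:
        return check_token_bind(mode, token_bind, environ)
    except BindError:
        return False

# Constructed sample data: a Negotiate-authenticated request and a token bound
# to that request's Kerberos principal.
KRB_ENV = {"AUTH_TYPE": "Negotiate", "REMOTE_USER": "alice@EXAMPLE.ORG"}
KRB_TOKEN = {"kerberos": "alice@EXAMPLE.ORG"}
```

The stolen-token case from the introduction is the call with KRB_TOKEN and an environment that lacks the Negotiate result: every mode except disabled rejects it.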