Currently the identity administrator guide docs are a part of general OpenStack-manuals. Migrating those docs to keystone documentation so that they can be reviewed effectively by keystone developers too.

Partial-Bug #1694460
Depends-On: Ia750cb049c0f53a234ea70ce1f2bbbb7a2aa9454
Change-Id: Id121ae1dd5bce993b4ad1219b592527ef0047063
Configure Identity service for token binding
Token binding embeds information from an external authentication mechanism, such as a Kerberos server or X.509 certificate, inside a token. By using token binding, a client can enforce the use of a specified external authentication mechanism with the token. This additional security mechanism ensures that if a token is stolen, for example, it is not usable without external authentication.
You configure the authentication types for a token binding in the /etc/keystone/keystone.conf file:

    [token]
    bind = kerberos

or

    [token]
    bind = x509

Currently kerberos and x509 are supported.
To enforce checking of token binding, set the enforce_token_bind option to one of these modes:

disabled - Disables token bind checking.

permissive - Enables bind checking. If a token is bound to an unknown authentication mechanism, the server ignores it. This is the default mode.

strict - Enables bind checking. If a token is bound to an unknown authentication mechanism, the server rejects it.

required - Enables bind checking. Requires use of at least one authentication mechanism for tokens.

kerberos - Enables bind checking. Requires use of Kerberos as the authentication mechanism for tokens:

    [token]
    enforce_token_bind = kerberos

x509 - Enables bind checking. Requires use of X.509 as the authentication mechanism for tokens:

    [token]
    enforce_token_bind = x509
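The following is an added example, not keystone's own code, that models the enforcement modes listed above as a small decision function: it reads enforce_token_bind from an INI-style keystone.conf fragment and decides whether a token's embedded bind payload is acceptable given what the request's external authentication actually proved. The token and request payloads, the sample configuration, and the unknown mechanism name "otp" are constructed for the example; the function and variable names are this example's own and are not keystone's.

```python
"""Model the documented enforce_token_bind modes (added example, not keystone code)."""
import configparser

# Bind types the guide lists as supported.
KNOWN_BIND_TYPES = frozenset({"kerberos", "x509"})
MODES = frozenset({"disabled", "permissive", "strict", "required", "kerberos", "x509"})

# Constructed keystone.conf fragment for the demo (not a real deployment file).
SAMPLE_CONF = """\
[token]
bind = kerberos
enforce_token_bind = strict
"""


def load_enforce_mode(conf_text):
    """Read [token] enforce_token_bind from INI text; the guide's default is permissive."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    mode = cp.get("token", "enforce_token_bind", fallback="permissive")
    if mode not in MODES:
        raise ValueError("unknown enforce_token_bind mode: %r" % mode)
    return mode


def check_token_bind(mode, token_bind, proven):
    """Return True if the token passes bind checking under `mode`.

    token_bind: bind type -> identity embedded in the token,
                e.g. {"kerberos": "alice@EXAMPLE.COM"}; {} means the token is unbound.
    proven:     bind type -> identity the external mechanism established for this
                request (the Kerberos principal, the client certificate subject, ...).
    """
    if mode == "disabled":
        return True

    # An unbound token is fine in permissive/strict; required, kerberos and
    # x509 all demand that some bind is present.
    if not token_bind:
        return mode in ("permissive", "strict")

    # kerberos / x509 modes name the one mechanism that must be present.
    required_type = mode if mode in KNOWN_BIND_TYPES else None
    matched_required = False

    for bind_type, identity in token_bind.items():
        if bind_type not in KNOWN_BIND_TYPES:
            # Unknown mechanism: permissive ignores it, every other mode rejects.
            if mode == "permissive":
                continue
            return False
        # Known mechanism: the request must have proven the very same identity,
        # which is what makes a stolen token useless without that mechanism.
        if proven.get(bind_type) != identity:
            return False
        if bind_type == required_type:
            matched_required = True

    if required_type is not None and not matched_required:
        return False
    return True


def demo():
    """Evaluate a constructed Kerberos-bound token under the sample config (strict)."""
    mode = load_enforce_mode(SAMPLE_CONF)
    bound = {"kerberos": "alice@EXAMPLE.COM"}  # constructed token bind payload
    return {
        "matching_principal": check_token_bind(mode, bound, {"kerberos": "alice@EXAMPLE.COM"}),
        "stolen_replay": check_token_bind(mode, bound, {}),
        "unknown_mechanism": check_token_bind(mode, {"otp": "device-1"}, {}),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print("%-20s %s" % (case, "accepted" if accepted else "rejected"))
```

The two outcomes worth noticing are the ones the prose only implies: under permissive a token bound only to an unknown mechanism is accepted, while under strict the same token is rejected, and under any checking mode a Kerberos-bound token presented without a matching Kerberos principal is rejected.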