Samriddhi Jain aba9267323 Added keystone admin guides to documentation

Currently the identity administrator guide docs are a part of
general OpenStack-manuals. Migrating those docs to keystone
documentation so that they can be reviewed effectively by
keystone developers too.

Partial-Bug #1694460
Depends-On: Ia750cb049c0f53a234ea70ce1f2bbbb7a2aa9454

Change-Id: Id121ae1dd5bce993b4ad1219b592527ef0047063

2017-06-24 00:42:14 +05:30

1.7 KiB

Raw Blame History

Configure Identity service for token binding

Token binding embeds information from an external authentication mechanism, such as a Kerberos server or X.509 certificate, inside a token. By using token binding, a client can enforce the use of a specified external authentication mechanism with the token. This additional security mechanism ensures that if a token is stolen, for example, it is not usable without external authentication.

You configure the authentication types for a token binding in the /etc/keystone/keystone.conf file:

[token]
bind = kerberos

[token]
bind = x509

Currently kerberos and x509 are supported.

To enforce checking of token binding, set the enforce_token_bind option to one of these modes:

disabled

Disables token bind checking.
permissive

Enables bind checking. If a token is bound to an unknown authentication mechanism, the server ignores it. The default is this mode.
strict

Enables bind checking. If a token is bound to an unknown authentication mechanism, the server rejects it.
required

Enables bind checking. Requires use of at least authentication mechanism for tokens.
kerberos
Enables bind checking. Requires use of kerberos as the authentication mechanism for tokens:
```
[token]
enforce_token_bind = kerberos
```
x509
Enables bind checking. Requires use of X.509 as the authentication mechanism for tokens:
```
[token]
enforce_token_bind = x509
```

1.7 KiB Raw Blame History

Configure Identity service for token binding

1.7 KiB

Raw Blame History