14ac08431f
We propose to extend Keystone identity provider (IdP) attribute mapping schema to make Keystone honor the `domain` configuration that we have on it. Currently, that configuration is only used to define a default domain for groups (and then each group there could override it). It is interesting to expand this configuration (as long as it is in the root of the attribute mapping) to be also applied for users and projects. Moreover, to facilitate the development and extension concerning attribute mappings for IdPs, we changed the way the attribute mapping schema is handled. We introduce a new configuration `federation_attribute_mapping_schema_version`, which defaults to "1.0". This attribute mapping schema version will then be used to control the validation of attribute mapping, and also the rule processors used to process the attributes that come from the IdP. So far, with this PR, we introduce the attribute mapping schema "2.0", which enables operators to also define a domain for the projects they want to assign users. If no domain is defined either in the project or in the global domain definition for the attribute mapping, we take the IdP domain as the default. Change-Id: Ia9583a254336fad7b302430a38b538c84338d13d Implements: https://bugs.launchpad.net/keystone/+bug/1887515 Closes-Bug: #1887515 |
||
---|---|---|
.. | ||
federation | ||
figures | ||
auth-totp.rst | ||
authentication-mechanisms.rst | ||
bootstrap.rst | ||
caching-layer.inc | ||
case-insensitive.rst | ||
cli-manage-projects-users-and-roles.rst | ||
configuration.rst | ||
configure_tokenless_x509.rst | ||
configure-https.rst | ||
credential-encryption.rst | ||
domain-specific-config.inc | ||
endpoint-filtering.inc | ||
endpoint-policy.inc | ||
event_notifications.rst | ||
external-authentication.rst | ||
fernet-token-faq.rst | ||
getting-started.rst | ||
health-check-middleware.rst | ||
identity-concepts.rst | ||
identity-sources.rst | ||
identity-support-matrix.ini | ||
index.rst | ||
integrate-with-ldap.inc | ||
jws-key-rotation.rst | ||
keystone-features.rst | ||
limit-list-size.inc | ||
logging.inc | ||
manage-services.rst | ||
manage-trusts.rst | ||
multi-factor-authentication.rst | ||
oauth1.rst | ||
oauth2-usage-guide.rst | ||
operations.rst | ||
performance.inc | ||
resource-options.rst | ||
security-compliance.inc | ||
service-api-protection.rst | ||
token-provider.rst | ||
token-support-matrix.ini | ||
tokens-overview.rst | ||
tokens.rst | ||
troubleshoot.inc | ||
unified-limits.rst | ||
upgrading.rst | ||
url-safe-naming.inc |