Go to file

Colleen Murphy cbdc84ac7f Partially clarify federation auth plugins

Federation protocols in keystone are very confusing due to the way they
have evolved since the original service provider implementation where
the auth plugin was defined in saml2.py. We renamed saml2.py to
mapped.py[1] and now we can effectively support any federation protocol
as long as there is some kind of Apache module that can understand it
and pass certain IdP and user attributes through to keystone. So we
started recommending not using the 'saml2' auth plugin and instead using
the 'mapped' plugin, eventually removing the the notice when we removed
the plugin[2]. Since the name of the federation protocol resource
created in keystone must match one of the [auth]/methods, we also
changed the documentation to start creating the 'mapped' protocol and
use 'mapped' in the Apache settings[3]. This was really the wrong
course. 'mapped' is not a protocol. Using only 'mapped' prevents us from
defining multiple remote_id_attributes for different protocols.

This patch changes references to the 'mapped' protocol and 'mapped'
plugin back to 'saml2' (we never changed the openid ones). While the
saml2 plugin does not itself exist, it is defined as an entrypoint to
the mapped plugin, so it all works out. This doesn't solve the problem
for if we want to define different remote_id_attributes for different
SAML2.0 implementations, but there is a workaround for that[4]. Using
'saml2' as the protocol name is just much more intuitive than 'mapped'.

[1] https://git.openstack.org/cgit/openstack/keystone-specs/tree/specs/keystone/juno/generic-mapping-federation.rst
[2] https://review.openstack.org/#/c/397456/
[3] https://review.openstack.org/#/c/371210/
[4] https://bugs.launchpad.net/keystone/+bug/1724645/comments/1

Change-Id: I23fc3f1f651c12c4e3c1987dc71008e6e97b4ed8
Related-bug: #1724645

2017-10-24 11:52:33 +02:00

api-ref/source

Add project tags api-ref documentation and reno

2017-10-17 17:56:29 -05:00

config-generator

Move policy generator config to config-generator/

2017-04-21 21:47:32 +00:00

devstack

Update links in keystone

2017-09-12 15:18:13 +08:00

doc

Partially clarify federation auth plugins

2017-10-24 11:52:33 +02:00

etc

Add policy for project tags

2017-10-17 10:15:19 -05:00

examples/pki

Remove support for PKI and PKIz tokens

2016-11-01 22:05:01 +00:00

httpd

remove httpd/keystone.py

2016-09-21 22:35:52 -04:00

keystone

Merge "Emit deprecation warning for federated domain/project APIs"

2017-10-20 20:28:47 +00:00

keystone_tempest_plugin

Remove the local tempest plugin

2017-06-06 11:48:37 +00:00

rally-jobs

[rally] remove deprecated arg

2015-10-29 16:34:58 +02:00

releasenotes

Merge "Emit deprecation warning for federated domain/project APIs"

2017-10-20 20:28:47 +00:00

tools

Use ostestr instead of the custom pretty_tox.sh

2017-02-09 16:03:59 +01:00

.coveragerc

Change ignore-errors to ignore_errors

2015-09-21 14:27:58 +00:00

.gitignore

Migrate to stestr

2017-09-22 11:07:09 -05:00

.gitreview

Add .gitreview config file for gerrit.

2011-10-24 14:48:03 -04:00

.mailmap

update mailmap with gyee's new email

2015-11-03 16:12:01 -08:00

.stestr.conf

Migrate to stestr

2017-09-22 11:07:09 -05:00

babel.cfg

setting up babel for i18n work

2012-06-21 18:03:09 -07:00

bindep.txt

Differentiate between dpkg and rpm for libssl-dev

2017-03-31 11:27:25 -04:00

CONTRIBUTING.rst

Use https for docs.openstack.org references

2017-01-30 16:05:08 -08:00

HACKING.rst

Merge "Update links in keystone"

2017-10-06 16:10:56 +00:00

LICENSE

Added Apache 2.0 License information.

2012-02-15 17:48:33 -08:00

README.rst

Update URL in README.rst

2017-08-08 12:57:56 +05:30

requirements.txt

Updated from global requirements

2017-10-12 21:54:46 +00:00

setup.cfg

Add default configuration files to data_files

2017-09-21 13:53:41 +01:00

setup.py

Updated from global requirements

2017-03-06 01:10:37 +00:00

test-requirements.txt

Merge "Migrate to stestr"

2017-09-27 22:58:41 +00:00

tox.ini

Use stestr directly instead of ostestr

2017-09-29 20:35:13 +00:00

README.rst

Team and repository tags

OpenStack Keystone

Keystone provides authentication, authorization and service discovery mechanisms via HTTP primarily for use by projects in the OpenStack family. It is most commonly deployed as an HTTP interface to existing identity systems, such as LDAP.

Developer documentation, the source of which is in doc/source/, is published at:

https://docs.openstack.org/keystone/latest

The API specification and documentation are available at:

https://specs.openstack.org/openstack/keystone-specs/

The canonical client library is available at:

https://git.openstack.org/cgit/openstack/python-keystoneclient

Documentation for cloud administrators is available at:

https://docs.openstack.org/

The source of documentation for cloud administrators is available at:

https://git.openstack.org/cgit/openstack/openstack-manuals

Information about our team meeting is available at:

https://wiki.openstack.org/wiki/Meetings/KeystoneMeeting

Bugs and feature requests are tracked on Launchpad at:

https://bugs.launchpad.net/keystone

Future design work is tracked at:

https://specs.openstack.org/openstack/keystone-specs/#identity-program-specifications

Contributors are encouraged to join IRC (#openstack-keystone on freenode):

https://wiki.openstack.org/wiki/IRC

For information on contributing to Keystone, see CONTRIBUTING.rst.