Move identity chapter from one very large page into many smaller ones like it was previously in the DocBook XML output. This creates changes to heading of all files as well as creation of new files.

Compare the result of this build with:

Current RST file: http://docs.openstack.org/draft/admin-guide-cloud-rst/identity_management.html
DocBook XML hierarchy: http://docs.openstack.org/admin-guide-cloud/content/ch-identity-mgmt-config.html

Change-Id: I4274586afeec132298be078d8795959f07bf3c66
Configure Identity service for token binding
Token binding embeds information from an external authentication mechanism, such as a Kerberos server or X.509 certificate, inside a token. By using token binding, a client can enforce the use of a specified external authentication mechanism with the token. This additional security mechanism ensures that if a token is stolen, for example, it is not usable without external authentication.
You configure the authentication types for a token binding in the keystone.conf file:
[token]
bind = kerberos
or
[token]
bind = x509
Currently kerberos and x509 are supported.
To enforce checking of token binding, set the enforce_token_bind option to one of these modes:
disabled - Disables token bind checking.
permissive - Enables bind checking. If a token is bound to an unknown authentication mechanism, the server ignores it. This is the default mode.
strict - Enables bind checking. If a token is bound to an unknown authentication mechanism, the server rejects it.
required - Enables bind checking. Requires use of at least one authentication mechanism for tokens.
kerberos - Enables bind checking. Requires use of kerberos as the authentication mechanism for tokens:
[token]
enforce_token_bind = kerberos
x509 - Enables bind checking. Requires use of X.509 as the authentication mechanism for tokens:
[token]
enforce_token_bind = x509
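The following is an added illustration of how the enforce_token_bind modes listed above behave when a bound token is presented; it is not keystone's own code. It assumes a token's bind data is a mapping from mechanism name to the identity recorded at issue time (for example {"kerberos": "alice@EXAMPLE.COM"}) and that the external mechanism's result for the current request is passed in the same shape; the function names, the SAMPLE_CONF fragment and all identities are constructed for the example.

```python
"""Model of keystone.conf [token] bind / enforce_token_bind semantics.

Illustrative only (not keystone's implementation). Shows why a token stolen
from a Kerberos or X.509 session is useless to a client that cannot complete
that external authentication itself.
"""
import configparser

# Mechanisms the page lists as supported bind types.
SUPPORTED_BIND_TYPES = ("kerberos", "x509")

# Constructed keystone.conf fragment (assumption: same keys as on the page).
SAMPLE_CONF = """
[token]
bind = kerberos
enforce_token_bind = permissive
"""


def load_token_config(text):
    """Parse a keystone.conf-style fragment; return (bind, enforce_token_bind).

    enforce_token_bind defaults to "permissive", matching the page.
    """
    parser = configparser.ConfigParser()
    parser.read_string(text)
    bind = parser.get("token", "bind", fallback=None)
    enforce = parser.get("token", "enforce_token_bind", fallback="permissive")
    return bind, enforce


def check_token_bind(token_bind, enforce_mode, external_auth):
    """Decide whether a token may be used under the given enforce_token_bind mode.

    token_bind:    {bind_type: identity} stored in the token, or None/{} if unbound
    enforce_mode:  value of [token] enforce_token_bind
    external_auth: {bind_type: identity} proven by the external mechanism on
                   this request ({} when the caller did no external auth)
    Returns (accepted, reason).
    """
    mode = (enforce_mode or "permissive").lower()
    if mode == "disabled":
        return True, "bind checking disabled"

    bind = dict(token_bind or {})
    if not bind:
        # "required" and the mechanism-specific modes refuse unbound tokens;
        # permissive and strict only constrain tokens that carry a bind.
        if mode == "required" or mode in SUPPORTED_BIND_TYPES:
            return False, "unbound token rejected in %s mode" % mode
        return True, "unbound token accepted in %s mode" % mode

    # A mode named after a mechanism demands that exact mechanism.
    if mode in SUPPORTED_BIND_TYPES and mode not in bind:
        return False, "token is not bound to %s" % mode

    for bind_type, identity in bind.items():
        if bind_type not in SUPPORTED_BIND_TYPES:
            if mode == "permissive":
                continue  # unknown mechanism is ignored only in permissive mode
            return False, "unknown bind type %s rejected in %s mode" % (bind_type, mode)
        # Known mechanism: the identity proven now must equal the bound identity.
        if external_auth.get(bind_type) != identity:
            return False, "%s bind for %r not proven by external auth" % (bind_type, identity)
    return True, "bind verified"


def stolen_token_demo():
    """Same Kerberos-bound token, presented with and without a Kerberos login."""
    token = {"kerberos": "alice@EXAMPLE.COM"}  # constructed token bind
    legit = check_token_bind(token, "strict", {"kerberos": "alice@EXAMPLE.COM"})
    stolen = check_token_bind(token, "strict", {})
    return legit[0], stolen[0]


if __name__ == "__main__":
    print("config:", load_token_config(SAMPLE_CONF))
    print("legitimate use accepted, stolen use accepted:", stolen_token_demo())
```

The mechanism-named modes are the ones to use when a deployment wants to guarantee that every token presented was obtained through, and is still backed by, that mechanism; permissive is the default precisely so that enabling bind = ... does not break clients that authenticate some other way.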