[Edge-computing] Keystone Edge Architectures

Lance Bragstad lbragstad at gmail.com
Mon Jun 25 20:26:03 UTC 2018


Hi Greg,

Jumping in a bit late, but I can try and clear up some of the questions
around keystone's federated identity implementation.

Your initial assessment of federated identity is accurate where each
keystone node in the deployment refers to an external identity provider
as the source of truth for user identities. But, keystone doesn't
actively reach out to the external identity provider at authentication
time. Instead, a user presents keystone (which is acting as a service
provider) with a SAML document that keystone will verify with a set of
certificates from the identity provider. If keystone can prove the SAML
assertion came from a trusted identity provider, it processes the
attributes through a mapping engine, which essentially translates the
SAML assertion into OpenStack-specific terminology.

The actual validation of the SAML assertion doesn't require a connection
to the identity provider that issued it. This trust relationship is
established when setting up federated identity via configuration (e.g.
these are the certs for the identity provider that I trust).

Hopefully that helps

Lance
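The two steps described in this message (accept only assertions from an identity provider the service provider was configured to trust, then run the accepted attributes through a mapping engine) as a small added example. This is illustration code written for this page, not keystone's implementation. It assumes a constructed SAML assertion and a constructed trust configuration (`TRUSTED_IDPS`), and it stands in for the certificate-based XML signature check with an issuer-membership check; the mapping rules follow keystone's documented `local`/`remote` JSON shape, but the engine here only handles direct attribute mapping plus `any_one_of` and `not_any_of`.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion for this example; a real one would carry a
# ds:Signature element that the service provider must verify with the
# identity provider's configured certificate before trusting any of this.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="uid">
      <saml:AttributeValue>alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="orgPersonType">
      <saml:AttributeValue>Contractor</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed trust configuration: the identity providers this service
# provider was set up to accept (the "certs for the IdP that I trust" step).
TRUSTED_IDPS = {"https://idp.example.org/idp"}

# Keystone-style mapping rules (constructed): a rule matches when every
# "remote" condition holds; "{0}", "{1}" in "local" refer to the values of
# the directly mapped remote attributes, in order.
MAPPING_RULES = [
    {
        "local": [{"user": {"name": "{0}"}}, {"group": {"name": "contractors"}}],
        "remote": [
            {"type": "uid"},
            {"type": "orgPersonType", "any_one_of": ["Contractor", "SubContractor"]},
        ],
    }
]


def parse_assertion(xml_text):
    """Return (issuer, {attribute_name: [values]}) from a SAML assertion."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return issuer, attrs


def rule_matches(rule, attrs):
    """Return the list of directly mapped values if the rule matches, else None."""
    direct = []
    for remote in rule["remote"]:
        values = attrs.get(remote["type"])
        if values is None:
            return None
        if "any_one_of" in remote:
            if not set(values) & set(remote["any_one_of"]):
                return None
        elif "not_any_of" in remote:
            if set(values) & set(remote["not_any_of"]):
                return None
        else:
            # Plain remote entry: its first value feeds the next "{n}" placeholder.
            direct.append(values[0])
    return direct


def apply_mapping(rules, attrs):
    """Translate assertion attributes into an OpenStack-style user and groups."""
    result = {"user": None, "groups": []}
    for rule in rules:
        direct = rule_matches(rule, attrs)
        if direct is None:
            continue
        for local in rule["local"]:
            if "user" in local:
                result["user"] = local["user"]["name"].format(*direct)
            if "group" in local:
                result["groups"].append(local["group"]["name"].format(*direct))
    return result


def authenticate(xml_text, trusted_idps, rules):
    """Accept the assertion only from a trusted issuer, then map its attributes."""
    issuer, attrs = parse_assertion(xml_text)
    if issuer not in trusted_idps:
        raise PermissionError("assertion issuer is not a configured trusted identity provider")
    mapped = apply_mapping(rules, attrs)
    if mapped["user"] is None:
        raise PermissionError("no mapping rule matched the assertion attributes")
    return mapped


if __name__ == "__main__":
    print(authenticate(SAMPLE_ASSERTION, TRUSTED_IDPS, MAPPING_RULES))
```

Note that nothing in this flow contacts the identity provider: the trust decision rests entirely on configuration loaded before authentication time, which is why an assertion from an issuer outside `TRUSTED_IDPS` is rejected before the mapping engine ever sees its attributes.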
