After chatting with Lance and the Keystone people at the PTG, they convinced me to try again and check if it worked.
The summary: it did for me.
I used the fairly new devstack plugin from Keystone that deploys with federation, backed by testshib: paste.openstack.org/show/621059/. I used the following script to test: http://paste.openstack.org/show/621060/ (thanks Colleen for all the pointers).
I used the following map: http://
I went back and forth a bit, so I don't completely trust (ah) my setup, but I managed to create a stack with a trust behind it. I didn't get the issue mentioned by Artem where the user couldn't be found. With shadow mapping, the users do exist in the keystone database, and get role assignments.
I used master, but the code ought to be in Ocata; it would be worth checking if it works there. Tests with a real deployment would be great, too.
At that point, I think that bug could be closed by a documentation fix. We talked about an integration test in Keystone as well to make sure trusts work with federation (as there are federation tempest tests now).