Comment 20 for bug 1589993

Thomas Herve (therve) wrote :

After chatting with Lance and the Keystone people at the PTG, they convinced me to try again and check if it worked.

The summary: it did for me.

I used the fairly new devstack plugin from Keystone that deploys with federation, backed by testshib.
I used the following map: http://paste.openstack.org/show/621059/ . I used the following script to test: http://paste.openstack.org/show/621060/ (Thanks Colleen for all the pointers).

I made some back and forth, so I don't completely trust (ah) my setup, but I managed to create a stack with trust behind. I didn't get the issue mentioned by Artem where the user couldn't be found. With shadow mapping, the users do exist in the keystone database, and get role assignments.

I used master, but the code ought to be in ocata, it would be worth checking if it works there. Tests with a real deployment would be great, too.

At that point, I think that bug could be closed by a documentation fix. We talked about an integration test in Keystone as well to make sure trusts work with federation (as there are federation tempest tests now).