Comment 3 for bug 1641639

Steve Martinelli (stevemar) wrote:

Hi Robert,

Thanks for your feedback. The shadow mapping feature [1] should actually ease some of the issues you mentioned, in particular around just passing in role ID. With shadow mapping you should be able to specify role and project information for a federated user. It's being implemented for Ocata.

We decided to persist the federated users into the keystone SQL backend for various reasons [2]:
  - support notifications better, the user ID will be the same
  - more consistent interface with other user APIs
  - support account linking in the future
  - support multi-factor auth in the future
  - support linking domains and identity providers (this is necessary for federated users to use heat or murano)
This was implemented in Mitaka.

This bug is being used as a suggestion to use the same ID tracking mechanism we use with LDAP users, for federated users.

[1] http://specs.openstack.org/openstack/keystone-specs/specs/keystone/ocata/shadow-mapping.html
[2] http://specs.openstack.org/openstack/keystone-specs/specs/mitaka/shadow-users.html