Support configurable SAML assertion property

Bug #1801309 reported by wangxiyuan
Affects: OpenStack Identity (keystone)
Status: Triaged
Importance: Wishlist
Assigned to: wangxiyuan

Bug Description

Keystone as Identity Provider supports generating a SAML assertion for an SP. The content of the SAML assertion is hard-coded. The attributes are: openstack_user, openstack_roles, openstack_project, openstack_project_domain, openstack_user_domain.

But in case the SP needs more information from IdP Keystone (or the IdP wants to provide more information to the SP), there is no way to extend the SAML information, such as the user's email address, the description of a role and so on.

Or a case like: IdP Keystone maps to two SPs, SP1 and SP2; SP1 needs an additional key1:value1, but SP2 needs key2:value2.

For those cases, Keystone as IdP should support a configurable SAML assertion property.
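
A sketch of the behaviour requested above, as an added example (not keystone code and not part of the report): the five hard-coded attributes are always released, and extra attributes go only to the SPs allowlisted for them. `SP_EXTRA_ATTRIBUTES`, `build_attribute_statement`, `released_names` and the sample user record are hypothetical names and constructed data.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

# The five attributes the report lists as hard-coded in keystone's assertion.
BASE_ATTRIBUTES = ("openstack_user", "openstack_roles", "openstack_project",
                   "openstack_project_domain", "openstack_user_domain")

# Hypothetical per-SP release policy (assumption, not an existing keystone
# option): an SP receives an extra attribute only if it is listed here.
SP_EXTRA_ATTRIBUTES = {"SP1": ("key1",), "SP2": ("key2",)}

# Constructed sample user record holding values for every attribute.
SAMPLE_USER = {
    "openstack_user": "alice", "openstack_roles": ["member", "reader"],
    "openstack_project": "demo", "openstack_project_domain": "Default",
    "openstack_user_domain": "Default", "key1": "value1", "key2": "value2",
}


def build_attribute_statement(sp_id, user):
    """Build a saml:AttributeStatement with only what sp_id may receive."""
    # Unknown SPs fall back to the base set: extras are opt-in per SP.
    names = BASE_ATTRIBUTES + tuple(SP_EXTRA_ATTRIBUTES.get(sp_id, ()))
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for name in names:
        if name not in user:
            if name in BASE_ATTRIBUTES:
                raise ValueError(f"missing required attribute: {name}")
            continue  # an optional extra with no value is simply not sent
        values = user[name]
        if isinstance(values, str):
            values = [values]
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=name)
        for value in values:  # multi-valued attributes get one element each
            ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return stmt


def released_names(stmt):
    """Return the attribute names present in a statement, in order."""
    return [attr.get("Name") for attr in stmt]


if __name__ == "__main__":
    for sp in ("SP1", "SP2", "SP3"):
        print(sp, released_names(build_attribute_statement(sp, SAMPLE_USER)))
```

Keeping the extras in a per-SP allowlist means that data such as an email address reaches only the SPs configured to receive it.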

wangxiyuan (wangxiyuan)
Changed in keystone:
assignee: nobody → wangxiyuan (wangxiyuan)
Morgan Fainberg (mdrnstm) wrote :

I think this needs to be expanded upon and is really part of the future "enhanced federation" bits.

Changed in keystone:
status: New → Triaged
importance: Undecided → Wishlist
Morgan Fainberg (mdrnstm) wrote :

Added as wishlist.

wangxiyuan (wangxiyuan)
description: updated