RFE: Native SAML Support

Bug #1816059 reported by Lance Bragstad
Affects: OpenStack Identity (keystone)

Bug Description

Currently, keystone relies heavily on web server plugins to parse and validate SAML assertions from external identity providers. The cost of not having this support natively in keystone is that it makes federation harder to set up for operators, and limits the usability of the feature as a whole. For example, setting up new identity providers for federation requires restarting web server processes, which isn't something we expect operators to let their customers do freely.

With native SAML support, we could

- Reduce the number of mappings required to configure federation (e.g., we wouldn't need a mapping for Apache plugins and an internal mapping in keystone)
- Setting up new trusted identity providers could be customer driven (e.g., a domain administrator could be given access to APIs that allow them to set up an identity provider for their domain, as opposed to filing a request ticket for a system administrator)
- Setting up federated identity, in general, would be simpler
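
As an added illustration (not keystone code, and not part of this report), the following Python sketches what a native SAML path inside keystone would have to take over from the web server plugin before the existing mapping step runs: verify the assertion signature, check the validity window and audience restriction, reject replayed assertion IDs, and only then hand the attributes to a rule in the shape keystone's federation mapping uses. Everything concrete here is constructed for the example: the assertion, the audience URL, the attribute names and the mapping rule. Signature verification is a labelled placeholder standing in for an XML-DSig library such as xmlsec; the mapping evaluator is a simplified reimplementation, not keystone's.

```python
import datetime as dt
import xml.etree.ElementTree as ET  # production code should parse untrusted XML with defusedxml

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample assertion (illustrative values, not captured from any IdP).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1b2c3" Version="2.0"
  IssueInstant="2019-02-14T10:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <ds:Signature><ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2019-02-14T09:59:00Z" NotOnOrAfter="2019-02-14T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://keystone.example.com/v3/OS-FEDERATION/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.org</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups"><saml:AttributeValue>developers</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

EXPECTED_AUDIENCE = "https://keystone.example.com/v3/OS-FEDERATION/sp"  # assumed SP entity ID
CLOCK_SKEW = dt.timedelta(minutes=1)

# Rule in the shape keystone's federation mapping uses; the evaluator below is a
# simplified reimplementation written for this example, not keystone's own.
MAPPING_RULES = [{
    "remote": [{"type": "mail"}, {"type": "groups", "any_one_of": ["developers"]}],
    "local": [{"user": {"name": "{0}"}},
              {"group": {"name": "federated-devs", "domain": {"name": "Default"}}}],
}]


def sample_time(hour, minute):
    """UTC timestamp on the sample assertion's day (2019-02-14)."""
    return dt.datetime(2019, 2, 14, hour, minute, tzinfo=dt.timezone.utc)


def _ts(value):
    """Parse a SAML xs:dateTime in UTC ('...Z')."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def placeholder_verify(root):
    """Placeholder for XML-DSig verification against the IdP's registered certificate.
    It only checks that a SignatureValue is present; real code must use xmlsec."""
    sig = root.find("ds:Signature/ds:SignatureValue", NS)
    return sig is not None and bool((sig.text or "").strip())


def validate_assertion(xml_text, now, seen_ids, audience=EXPECTED_AUDIENCE,
                       verify=placeholder_verify):
    """Return {attribute name: [values]} or raise ValueError. seen_ids is a replay
    cache of accepted assertion IDs; entries can be evicted once NotOnOrAfter passes."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("not a SAML assertion")
    if not verify(root):
        raise ValueError("signature verification failed")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("missing Conditions")
    if now + CLOCK_SKEW < _ts(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if now - CLOCK_SKEW >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise ValueError("assertion not addressed to this SP")
    if root.get("ID") in seen_ids:
        raise ValueError("replayed assertion")
    seen_ids.add(root.get("ID"))  # record only assertions that passed every check
    return {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
            for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}


def apply_mapping(attrs, rules=MAPPING_RULES):
    """First matching rule -> {'user': name, 'groups': [names]}, else None.
    Unconditioned remote entries feed {0}, {1}, ...; any_one_of entries only gate."""
    for rule in rules:
        direct, ok = [], True
        for req in rule["remote"]:
            values = attrs.get(req["type"], [])
            if "any_one_of" in req:
                ok = bool(set(values) & set(req["any_one_of"]))
            elif values:
                direct.append(values[0])
            else:
                ok = False
            if not ok:
                break
        if not ok:
            continue
        result = {"user": None, "groups": []}
        for local in rule["local"]:
            if "user" in local:
                result["user"] = local["user"]["name"].format(*direct)
            if "group" in local:
                result["groups"].append(local["group"]["name"])
        return result
    return None


def outcome(xml_text, now, seen_ids):
    """Validate then map; returns the mapped identity or the rejection reason."""
    try:
        return apply_mapping(validate_assertion(xml_text, now, seen_ids))
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print(outcome(SAMPLE_ASSERTION, sample_time(10, 1), set()))
```

Two things a real implementation adds on top of this sketch: the Issuer has to be matched against the identity provider registered for the target domain (which is exactly the per-domain registration the RFE wants to expose through the API), and SubjectConfirmationData/InResponseTo has to be tied to the outstanding authentication request so an assertion minted for one login cannot be presented for another.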

Tags: federation rfe
Changed in keystone:
status: New → Triaged
importance: Undecided → Wishlist
tags: added: federation
tags: added: rfe