RFE: Native SAML Support

Bug #1816059 reported by Lance Bragstad on 2019-02-15
Affects: OpenStack Identity (keystone)
Importance: Wishlist
Assigned to: Unassigned

Bug Description

Currently, keystone relies heavily on web server plugins to parse and validate SAML assertions from external identity providers. The cost of not having this support natively in keystone is that it makes federation harder to set up for operators, and limits the usability of the feature as a whole. For example, setting up new identity providers for federation requires restarting web server processes, which isn't something we expect operators or their customers to do freely.

With native SAML support, we could

- Reduce the number of mappings required to configure federation (e.g., we wouldn't need a mapping for Apache plugins and an internal mapping in keystone)
- Setting up new trusted identity providers could be customer driven (e.g., a domain administrator could be given access to APIs that allow them to set up an identity provider for their domain, as opposed to filing a request ticket for a system administrator)
- Setting up federated identity, in general, would be simpler

Changed in keystone:
status: New → Triaged
importance: Undecided → Wishlist
tags: added: federation
tags: added: rfe