RFE: Native SAML Support
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Identity (keystone) |
Triaged
|
Wishlist
|
Unassigned | ||
Bug Description
Currently, keystone relies heavily on web server plugins to parse and validate SAML assertions from external identity providers. The cost of not having this support natively in keystone is that it makes federation harder to set up for operators, and limits the usability of the feature as a whole. For example, setting up new identity providers for federation requires restarting web server processes, which isn't something we expect operators to their customers do freely.
With native SAML support, we could
- Reduce the number of mappings required to configure federation (e.g., we wouldn't need a mapping for Apache plugins and an internal mapping in keystone)
- Setting up new trusted identity providers could be customer driven (e.g., a domain administrator could be given access to APIs that allow them to set up an identity provider for their domain, as opposed to filing a request ticket for a system administrator)
- Setting up federated identity, in general, would be simpler
| Changed in keystone: | |
| status: | New → Triaged |
| importance: | Undecided → Wishlist |
| tags: | added: federation |
| tags: | added: rfe |
