[RFE] Missing keystone federated authentication options

Bug #1906378 reported by Gaël THEROND
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| kolla-ansible | Confirmed | Wishlist | Gaël THEROND | |

Bug Description

**Bug Report**

What happened:
As reported by this blueprint: https://blueprints.launchpad.net/openstack/?searchtext=add-openid-support
Keystone supports federated authentication mechanisms, whether with Keystone as an IdP or using an external IdP such as an OpenID Connect or SAML2 compatible authentication endpoint (most probably a Microsoft STS endpoint (ADFS) or a Keycloak solution).

Today, if an operator wants to implement Keystone federated authentication, he needs to add a lot of custom configuration and overrides on the keystone role.

How to fix:

Implement a federated identity option natively in kolla-ansible.

How to reproduce it (minimal and precise):
Try to deploy a federated authentication using keystone (OIDC/SAML2).

**Environment**:
* Kolla-Ansible version: ALL

Gaël THEROND (gtherond)
Changed in kolla-ansible:
status: New → In Progress
assignee: nobody → Gaël THEROND (fl1nt)
Mark Goddard (mgoddard) wrote :

I don't understand what this bug is for. The linked blueprint covers federated keystone, initially with openID.

Gaël THEROND (gtherond) wrote :

This bug report is a subset of the blueprint; it is made to track progress on the SAML2 protocol implementation and fill the gap between the OIDC-only oriented patch and our need to support a generic solution for both OIDC and SAML2, plus kind of anything that could be supported.

It adds:
 * A new variable: "keystone_federation_type:" that can have either saml2/oidc or no value, no value being the default and meaning the default keystone SP/IdP service, no federation.
 * Sticky session/balance on Horizon
 * Generic mellon and federation endpoint locations on Apache for keystone rather than the currently hardcoded ones.

It may add:
 * Automatic federation settings provisioning if we agree on a neat and clean way to do it.

Mark Goddard (mgoddard)
Changed in kolla-ansible:
importance: Undecided → Wishlist
Tom Fifield (fifieldt)
Changed in kolla-ansible:
status: In Progress → New
Changed in kolla-ansible:
status: New → Confirmed
summary: - Missing keystone federated authentication options
+ [RFE] Missing keystone federated authentication options