Uploaded byjamielennox
PDF, PPTX1,148 views

Keystone: Federated

The document details the OpenStack identity service and its federated authentication capabilities, emphasizing convenience, integration, and security in a multi-cloud environment. It discusses the roles of identity and service providers, token flows, and mappings of assertions to OpenStack roles. Additionally, it outlines current functionalities and future potential developments for identity management within the system.

Embed presentation

Download as PDF, PPTX
Keystone: Federated Jamie Lennox 1st Aug 2014
The OpenStack Identity Service 2 Jamie Lennox
Token Flow 3 Jamie Lennox
Token Issuing 4 Jamie Lennox
Federation 5 Jamie Lennox
Why? ● Convenience ● Integration ● Enterprise ● Partnerships ● Migration and Interoperability ● Multiple Clouds, Single Identity ● Security ● One less identity provider 6 Jamie Lennox
Identity Provider (IdPs) 7 Jamie Lennox
Service Provider (SPs) 8 Jamie Lennox
SAML 9 Jamie Lennox
<saml:AttributeStatement> <saml:Attribute Name="role"> <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string" >user</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="role"> <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string" >staff</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement> <saml:AttributeStatement> <saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500" FriendlyName="sn" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" x500:Encoding="LDAP" > <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string" >Lennox</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement>
Environment Variables MELLON_NAME_ID=_f4daafb1565ab2d75fdeab57b4717501b0cac62859 MELLON_NAME_ID_0=_f4daafb1565ab2d75fdeab57b4717501b0cac62859 MELLON_uid=jlennox MELLON_uid_0=jlennox MELLON_givenName=Jamie MELLON_givenName_0=Jamie MELLON_sn=Lennox MELLON_sn_0=Lennox MELLON_cn=Jamie Lennox MELLON_cn_0=Jamie Lennox MELLON_mail=jlennox@redhat.com MELLON_mail_0=jlennox@redhat.com MELLON_eduPersonPrincipalName=jlennox@rnd.feide.no MELLON_eduPersonPrincipalName_0=jlennox@rnd.feide.no MELLON_urn:oid:0_9_2342_19200300_100_1_1=jlennox MELLON_urn:oid:0_9_2342_19200300_100_1_1_0=jlennox MELLON_urn:oid:2_5_4_42=Jamie 11 Jamie Lennox
Mapping ● Convert IdP Assertions to OpenStack Roles ● Different roles mean different things on different IdPs ● Mapping: ● The presence/value of which remote attributes, ● Lead to what user data on the local server. ● Users don't exist in Keystone ● Groups can have roles 12 Jamie Lennox
Mapping Snippet "rules": [ { "local": [ { "user": { "name": "{0} {1}", "id": "{2}" } }, { "group": { "remote": [ { "type": "givenName" }, { "type": "sn", "any_one_of": ["Lennox"] }, { "type": "uid" }, { "type": "role", "any_one_of": ["staff"] } ] } ] "id": "37ebd1d9e3..." } } ], 13 Jamie Lennox
Identity Provider CRUD ● Configuring Identity Providers. ● /v3/OS-FEDERATION/identity_providers/{idp_id} ● Configure a Mapping. ● /v3/OS-FEDERATION/mappings/{mapping_id} ● Protocols are managed per Identity Provider ● Allows an Identity Provider to use multiple protocols ● A protocol contains a mapping. ● /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol} ● Tokens are issued via the protocol ● /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol}/auth 14 Jamie Lennox
Today ● It works, but... ● SAML2 ECP ● Client side is in review ● Framework and the Mapper. 15 Jamie Lennox
Future ● Anything you can map... ● mod_auth_openid ● mod_identity_lookup ● AbFab ● You could even... ● mod_auth_kerb ● mod_auth_digest ●Keystone 16 Jamie Lennox
Credits 17 Jamie Lennox
Thanks Questions jamielennox on freenode jamielennox@redhat.com @jamielennox_
Image Credits ● Keystone: http://buffaloah.com/a/DCTNRY/k/keystone_fairfax.JPG ● Federation: http://pixabay.com/en/networks-internet-facebook-social-232313/ ● SAML: http://www.websequencediagrams.com/?lz=cGFydGljaXBhbnQgU2VydmljZSBQcm92 aWRlcgoAEQxVcwACD0lkZW50aXR5ACUKClVzZXItPgA3EDogUmVxdWVzdCBQcm90ZWN0ZWQ gUmVzb3VyY2UKbm90ZSBsZWZ0IG9mAHAROiBHZW5lcmF0ZSBTQU1MIHIAQgYKAIEZEC0-K1 VzAGMGZGlyZWN0IHRvAIEOEiBTU08gVVJMAIEgBwCBLxE6IACBCAZyaWdoAIEKBQAPEwCBA BBzcG9uc2UKAIF7ES0-AIEMBVJldHVybgCBNwZhc3NlcnRpb24AgiAHLQCCFxEAgUUTAIFP CABCBQCCLQg&s=patent ● Diagrams: https://draw.io 19 Jamie Lennox

More Related Content

PPTX
Secure Keystone Deployment
byPriti Desai
 
PDF
OpenStack keystone identity service
byopenstackindia
 
PPTX
Keystone - Openstack Identity Service
byPrasad Mukhedkar
 
PPTX
OpenStack Toronto Meetup - Keystone 101
bySteve Martinelli
 
PPTX
OpenStack Keystone
byDeepti Ramakrishna
 
PDF
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
byLorenzo Carnevale
 
ODP
OpenStack keystone identity service
byopenstackindia
 
PPTX
Integrating OpenStack with Active Directory
bycjellick
 
Secure Keystone Deployment
byPriti Desai
 
OpenStack keystone identity service
byopenstackindia
 
Keystone - Openstack Identity Service
byPrasad Mukhedkar
 
OpenStack Toronto Meetup - Keystone 101
bySteve Martinelli
 
OpenStack Keystone
byDeepti Ramakrishna
 
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
byLorenzo Carnevale
 
OpenStack keystone identity service
byopenstackindia
 
Integrating OpenStack with Active Directory
bycjellick
 

What's hot

PPTX
Building IAM for OpenStack
bySteve Martinelli
 
PPTX
OpenStack GDL : Hacking keystone | 20 Octubre 2014
byVictor Morales
 
PPTX
Security_of_openstack_keystone
byUT, San Antonio
 
PPTX
Deep Dive into Keystone Tokens and Lessons Learned
byPriti Desai
 
PDF
Keystone Federation
byopenstackindia
 
PDF
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
byLorenzo Carnevale
 
PDF
Keystone deep dive 1
byJsonr4
 
PDF
CIS 2015- Building IAM for OpenStack- Steve Martinelli
byCloudIDSummit
 
PPTX
Quick overview of Openstack architecture
byToni Ramirez
 
PPTX
Aptira presents OpenStack keystone identity service
byOpenStack
 
PDF
Openstack Keystone
byKamesh Pemmaraju
 
PDF
OpenStack Security
byopenstackindia
 
PPTX
OpenStack Keystone with LDAP
byJesse Pretorius
 
PDF
Shield talk elasticsearch meetup Zurich 27.05.2015
byem_mu
 
DOCX
Openstack training material
bychenvi123
 
PDF
CIS13: OpenStack API Security
byCloudIDSummit
 
PPTX
Introduction to OpenStack Architecture (Grizzly Edition)
byKen Pepple
 
PDF
Openstack_administration
byAshish Sharma
 
PPTX
Multi tenancy for docker
byAnanth Padmanabhan
 
PDF
OpenStack - Infrastructure as a service
byDenis Cavalcante
 
Building IAM for OpenStack
bySteve Martinelli
 
OpenStack GDL : Hacking keystone | 20 Octubre 2014
byVictor Morales
 
Security_of_openstack_keystone
byUT, San Antonio
 
Deep Dive into Keystone Tokens and Lessons Learned
byPriti Desai
 
Keystone Federation
byopenstackindia
 
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
byLorenzo Carnevale
 
Keystone deep dive 1
byJsonr4
 
CIS 2015- Building IAM for OpenStack- Steve Martinelli
byCloudIDSummit
 
Quick overview of Openstack architecture
byToni Ramirez
 
Aptira presents OpenStack keystone identity service
byOpenStack
 
Openstack Keystone
byKamesh Pemmaraju
 
OpenStack Security
byopenstackindia
 
OpenStack Keystone with LDAP
byJesse Pretorius
 
Shield talk elasticsearch meetup Zurich 27.05.2015
byem_mu
 
Openstack training material
bychenvi123
 
CIS13: OpenStack API Security
byCloudIDSummit
 
Introduction to OpenStack Architecture (Grizzly Edition)
byKen Pepple
 
Openstack_administration
byAshish Sharma
 
Multi tenancy for docker
byAnanth Padmanabhan
 
OpenStack - Infrastructure as a service
byDenis Cavalcante
 

Similar to Keystone: Federated

PPTX
OpenStack Paris 2014 - Federation, are we there yet ?
byTim Bell
 
PDF
Create a Uniform Login Experience with a Centralized Cloud Authentication Sys...
byXamarin
 
PPTX
Federated and fabulous identity
byAndre N. Klingsheim
 
PDF
Practical Federated Identity
byWSO2
 
PPTX
OIDF Workshop at Verizon Media -- 9/30/2019 -- FastFed Working Group Update
byOpenIDFoundation
 
PPTX
WSO2Con USA 2014 - Identity Server Tutorial
byPrabath Siriwardena
 
PPTX
Standardizing Identity Provisioning with SCIM
byHasiniG
 
PDF
OpenStack: Security Beyond Firewalls
byGiuseppe Paterno'
 
PDF
Openstack: security beyond firewalls
byGARL
 
PPTX
Identity in Openstack Icehouse
byDavid Waite
 
PDF
Introduction to SAML & OIDC
byForgeRock Identity Tech Talks
 
PDF
NaaS in OpenStack - CloudCamp Moscow
byIlya Alekseyev
 
PPTX
CIS 2015- Beyond Federation Protocols- Praerit Garg
byCloudIDSummit
 
PDF
CIS13: Identity at Scale
byCloudIDSummit
 
PDF
Federation in Practice
byForgeRock
 
PPTX
unit 1 Federated Identity Management_4.pptx
byzmulani8
 
OpenStack Paris 2014 - Federation, are we there yet ?
byTim Bell
 
Create a Uniform Login Experience with a Centralized Cloud Authentication Sys...
byXamarin
 
Federated and fabulous identity
byAndre N. Klingsheim
 
Practical Federated Identity
byWSO2
 
OIDF Workshop at Verizon Media -- 9/30/2019 -- FastFed Working Group Update
byOpenIDFoundation
 
WSO2Con USA 2014 - Identity Server Tutorial
byPrabath Siriwardena
 
Standardizing Identity Provisioning with SCIM
byHasiniG
 
OpenStack: Security Beyond Firewalls
byGiuseppe Paterno'
 
Openstack: security beyond firewalls
byGARL
 
Identity in Openstack Icehouse
byDavid Waite
 
Introduction to SAML & OIDC
byForgeRock Identity Tech Talks
 
NaaS in OpenStack - CloudCamp Moscow
byIlya Alekseyev
 
CIS 2015- Beyond Federation Protocols- Praerit Garg
byCloudIDSummit
 
CIS13: Identity at Scale
byCloudIDSummit
 
Federation in Practice
byForgeRock
 
unit 1 Federated Identity Management_4.pptx
byzmulani8
 

Recently uploaded

PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
PDF
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
PDF
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
PDF
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
PPTX
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
PDF
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
PDF
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
PDF
apidays New York 2025 | AI in Application Security
byapidays
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
PDF
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
PDF
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
PDF
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
PDF
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
PPTX
Celonis Optimizing your future with process
bydevjeremyappleyard
 
PDF
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
PDF
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
PPTX
apidays Paris 2025 | Building Agentic Workflows
byapidays
 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
PPTX
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
Preserve workload integrity during cross-architecture migration
byPrincipled Technologies
 
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
Spacecraft Guidance Quick Research Guide by Arthur Morgan
byArthur Morgan
 
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
apidays New York 2025 | AI in Application Security
byapidays
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
Celonis Optimizing your future with process
bydevjeremyappleyard
 
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
apidays Paris 2025 | Building Agentic Workflows
byapidays
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 

Keystone: Federated

  • 1.
    Keystone: Federated JamieLennox 1st Aug 2014
  • 2.
    The OpenStack IdentityService 2 Jamie Lennox
  • 3.
    Token Flow 3Jamie Lennox
  • 4.
    Token Issuing 4Jamie Lennox
  • 5.
  • 6.
    Why? ● Convenience ● Integration ● Enterprise ● Partnerships ● Migration and Interoperability ● Multiple Clouds, Single Identity ● Security ● One less identity provider 6 Jamie Lennox
  • 7.
    Identity Provider (IdPs) 7 Jamie Lennox
  • 8.
    Service Provider (SPs) 8 Jamie Lennox
  • 9.
  • 10.
    <saml:AttributeStatement> <saml:Attribute Name="role"> <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string" >user</saml:AttributeValue> </saml:Attribute> <saml:Attribute Name="role"> <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string" >staff</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement> <saml:AttributeStatement> <saml:Attribute xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500" FriendlyName="sn" Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" x500:Encoding="LDAP" > <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string" >Lennox</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement>
  • 11.
    Environment Variables MELLON_NAME_ID=_f4daafb1565ab2d75fdeab57b4717501b0cac62859 MELLON_NAME_ID_0=_f4daafb1565ab2d75fdeab57b4717501b0cac62859 MELLON_uid=jlennox MELLON_uid_0=jlennox MELLON_givenName=Jamie MELLON_givenName_0=Jamie MELLON_sn=Lennox MELLON_sn_0=Lennox MELLON_cn=Jamie Lennox MELLON_cn_0=Jamie Lennox MELLON_mail=jlennox@redhat.com MELLON_mail_0=jlennox@redhat.com MELLON_eduPersonPrincipalName=jlennox@rnd.feide.no MELLON_eduPersonPrincipalName_0=jlennox@rnd.feide.no MELLON_urn:oid:0_9_2342_19200300_100_1_1=jlennox MELLON_urn:oid:0_9_2342_19200300_100_1_1_0=jlennox MELLON_urn:oid:2_5_4_42=Jamie 11 Jamie Lennox
  • 12.
    Mapping ● ConvertIdP Assertions to OpenStack Roles ● Different roles mean different things on different IdPs ● Mapping: ● The presence/value of which remote attributes, ● Lead to what user data on the local server. ● Users don't exist in Keystone ● Groups can have roles 12 Jamie Lennox
  • 13.
    Mapping Snippet "rules":[ { "local": [ { "user": { "name": "{0} {1}", "id": "{2}" } }, { "group": { "remote": [ { "type": "givenName" }, { "type": "sn", "any_one_of": ["Lennox"] }, { "type": "uid" }, { "type": "role", "any_one_of": ["staff"] } ] } ] "id": "37ebd1d9e3..." } } ], 13 Jamie Lennox
  • 14.
    Identity Provider CRUD ● Configuring Identity Providers. ● /v3/OS-FEDERATION/identity_providers/{idp_id} ● Configure a Mapping. ● /v3/OS-FEDERATION/mappings/{mapping_id} ● Protocols are managed per Identity Provider ● Allows an Identity Provider to use multiple protocols ● A protocol contains a mapping. ● /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol} ● Tokens are issued via the protocol ● /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol}/auth 14 Jamie Lennox
  • 15.
    Today ● Itworks, but... ● SAML2 ECP ● Client side is in review ● Framework and the Mapper. 15 Jamie Lennox
  • 16.
    Future ● Anythingyou can map... ● mod_auth_openid ● mod_identity_lookup ● AbFab ● You could even... ● mod_auth_kerb ● mod_auth_digest ●Keystone 16 Jamie Lennox
  • 17.
  • 18.
    Thanks Questions jamielennoxon freenode jamielennox@redhat.com @jamielennox_
  • 19.
    Image Credits ●Keystone: http://buffaloah.com/a/DCTNRY/k/keystone_fairfax.JPG ● Federation: http://pixabay.com/en/networks-internet-facebook-social-232313/ ● SAML: http://www.websequencediagrams.com/?lz=cGFydGljaXBhbnQgU2VydmljZSBQcm92 aWRlcgoAEQxVcwACD0lkZW50aXR5ACUKClVzZXItPgA3EDogUmVxdWVzdCBQcm90ZWN0ZWQ gUmVzb3VyY2UKbm90ZSBsZWZ0IG9mAHAROiBHZW5lcmF0ZSBTQU1MIHIAQgYKAIEZEC0-K1 VzAGMGZGlyZWN0IHRvAIEOEiBTU08gVVJMAIEgBwCBLxE6IACBCAZyaWdoAIEKBQAPEwCBA BBzcG9uc2UKAIF7ES0-AIEMBVJldHVybgCBNwZhc3NlcnRpb24AgiAHLQCCFxEAgUUTAIFP CABCBQCCLQg&s=patent ● Diagrams: https://draw.io 19 Jamie Lennox