Phase one for dealing with Federation can be done with CORS support
solely for Keystone/Horizon integration:
- Keystone generates a token
This should support Kerberos, X509, and Password auth; the Keystone
team is discussing how to advertise mechanisms, let's leave the onus on
us to solve that one and get back in a timely manner.
For Federation, the handshake is a little more complex, and there might
be a need for some sort of popup window for the user to log in to their
home SAML provider. It's several more AJAX calls, but the end effect
should be the same: get a standard Keystone token and hand it to Horizon.
This would mean that Horizon would have to validate tokens the same way
as any other endpoint. That should not be too hard, but there is a
little bit of "create a user, get a token, make a call" logic that
currently lives only in keystonemiddleware/auth_token; it's a solvable
Jones discussed; Keystone behind a proxy will work this way without
CORS support. If CORS can be sorted out for the other services, we can
with this being the first phase.
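The pieces the message sketches, a CORS allowlist with preflight handling in front of an endpoint that validates a Keystone-style token before answering, as an added example that is not code from the original post, from Keystone or from keystonemiddleware. The origin allowlist, the in-memory token table and the request/response shapes are constructed stand-ins; real deployments would validate the token against Keystone and take the allowed origins from configuration.

```python
"""Constructed sketch: CORS allowlist + token validation in front of an API endpoint."""

# Assumption: the only browser origin allowed to call this API cross-origin is
# the Horizon deployment. A wildcard "*" would be wrong here because the calls
# carry credentials (the X-Auth-Token header).
ALLOWED_ORIGINS = {"https://horizon.example.test"}  # constructed value
ALLOWED_METHODS = "GET, POST, DELETE, OPTIONS"
ALLOWED_HEADERS = "Content-Type, X-Auth-Token"
# Keystone returns the issued token in a response header; without exposing it,
# cross-origin JavaScript cannot read it even when the request succeeds.
EXPOSED_HEADERS = "X-Subject-Token"

# Constructed in-memory table standing in for "ask Keystone whether this token
# is valid and what it is bound to".
VALID_TOKENS = {"tok-abc123": {"user": "alice", "project": "demo"}}


def validate_token(token):
    """Stand-in for Keystone validation: return the token's bindings or None."""
    if not token:
        return None
    return VALID_TOKENS.get(token)


def cors_headers(origin):
    """Headers to attach for an allowlisted origin; None if the origin is not allowed.

    Echoing the specific origin (plus Vary: Origin) is what lets the browser
    accept credentialed requests without a wildcard.
    """
    if origin not in ALLOWED_ORIGINS:
        return None
    return [
        ("Access-Control-Allow-Origin", origin),
        ("Vary", "Origin"),
        ("Access-Control-Allow-Methods", ALLOWED_METHODS),
        ("Access-Control-Allow-Headers", ALLOWED_HEADERS),
        ("Access-Control-Expose-Headers", EXPOSED_HEADERS),
    ]


def handle(request):
    """Process one request dict: {"method", "origin", "headers"}.

    Returns (status, header_list, body_dict_or_None). Non-browser clients send
    no Origin header and simply get no CORS headers back.
    """
    origin = request.get("origin")
    headers = []
    if origin is not None:
        headers = cors_headers(origin)
        if headers is None:
            # Unknown origin: answer without CORS headers so the browser
            # refuses to hand the response to the page. Preflights are
            # rejected outright so nothing is learned from them.
            if request["method"] == "OPTIONS":
                return 403, [], {"error": "origin not allowed"}
            headers = []

    if request["method"] == "OPTIONS":
        # Preflight: no token is required and no body is returned.
        return 204, headers, None

    # The actual call: the endpoint validates the token itself, exactly as any
    # other service would, rather than trusting the caller.
    binding = validate_token(request["headers"].get("X-Auth-Token"))
    if binding is None:
        return 401, headers, {"error": "missing or invalid token"}
    return 200, headers, {"user": binding["user"], "project": binding["project"]}


if __name__ == "__main__":
    preflight = {"method": "OPTIONS", "origin": "https://horizon.example.test", "headers": {}}
    print(handle(preflight))
    call = {"method": "GET", "origin": "https://horizon.example.test",
            "headers": {"X-Auth-Token": "tok-abc123"}}
    print(handle(call))
```

The point the message makes is visible in `handle`: CORS only decides whether the browser will let Horizon's JavaScript see the answer; the token check is still done by the endpoint on every non-preflight request, so the same validation logic has to exist wherever Keystone tokens are accepted.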