
[openstack-dev] [os-ansible-deployment] Feedback on Keystone Federation Spec

0 votes

Hi everyone,

There was quite a bit of fanfare around the new federation features in
OpenStack Kilo.

In the os-ansible-deployment/openstack-ansible project we've been putting
together a view on how to implement federation with as little complexity as
possible.

We've been working on some prototype code which can be seen by looking at
the patches on the blueprint whiteboard [1] and have also prepared a spec
for the implementation [2].

We'd like to get some feedback from the broader community - from deployers
interested in using the feature and from developers/deployers who've worked
with federation. The feedback we'd like to see is both in terms of the spec
and the prototype code (which is changing quite frequently as we figure out
the bits and pieces).

The follow-on to this work will be to specifically add the capability to
make use of an ADFS IdP for a Keystone SP. This work will be linked to
another blueprint [3] which is still a work in progress.

I look forward to the review feedback!

[1]
https://blueprints.launchpad.net/openstack-ansible/+spec/keystone-federation
[2] https://review.openstack.org/194147
[3]
https://blueprints.launchpad.net/openstack-ansible/+spec/keystone-sp-adfs-idp

--
Jesse Pretorius
IRC: odyssey4me


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
asked Jun 30, 2015 in openstack-dev by Jesse_Pretorius (4,920 points)   1 3 5

3 Responses

0 votes

I've already looked at some of the work, and intend to look at all of it
more closely. But I wanted to publicly thank you and the rest of the folks
that made this possible (sigmavirus24, dolphm, lbragstad, Ken Johnston, I'm
sure I'm missing others). This is a huge plus for user experience, and will
make consuming the federation capabilities of Keystone much easier.

Thanks,

Steve Martinelli
OpenStack Keystone Core


responded Jun 30, 2015 by Steve_Martinelli (6,500 points)   1 3 6
0 votes


I'm going to be doing an Ansible based setup for a Demo based on Ipsilon
and FreeIPA. For it, I will need to set up both SAML Federation and
SSSD/Kerberos Federation. I suspect that much of the ADFS code is going
to be common with the.

I'd like to make sure that the Playbooks for enabling Federation are
something that people can use regardless of how they did their initial
install (ignoring that it might battle with Puppet for Puppet based
installs).

The

responded Jul 1, 2015 by Adam_Young (19,940 points)   2 7 12
0 votes

On 1 July 2015 at 17:05, Adam Young ayoung@redhat.com wrote:

> I'm going to be doing an Ansible based setup for a Demo based on Ipsilon
> and FreeIPA. For it, I will need to set up both SAML Federation and
> SSSD/Kerberos Federation. I suspect that much of the ADFS code is going to
> be common with the.

From your blog post, it does appear that much of the work is similar. We're
nailing down the main deployment tooling during the course of the next two
weeks with the initial focus on using the Shibboleth SAML federation. I
expect that we'll be able to build on that very quickly to also add
SSSD/Kerberos, Mellon (SAML) and Open-ID federation as the configurations
don't vary all that much and the registration of IdPs in the SPs is very
straightforward.

> I'd like to make sure that the Playbooks for enabling Federation are
> something that people can use regardless of how they did their initial
> install (ignoring that it might battle with Puppet for Puppet based
> installs).

The os_keystone role within os-ansible-deployment should be usable
independently, although you may need to restrict the tasks run by limiting
the tags executed (otherwise it'll expect to deploy from source and all
that). If you pop into #openstack-ansible, there will usually be someone
there who can assist.

--
Jesse Pretorius
IRC: odyssey4me


responded Jul 6, 2015 by Jesse_Pretorius (4,920 points)   1 3 5