
I should integrate an existing SAML framework with OpenStack to access the cloud. I am at the very beginning of this project. I have just installed OpenStack and read some documentation. I have read that, due to its architecture, Keystone can handle a custom framework, but I am a bit lost. I would need some help to start: what should I be looking for? Do you have any link to documentation or an inspiration project that I could look at to start?

Rewording with more detail:

I have a federated identity provider called FC, which works with its own login page. This is the standard use case:

  • A protected page redirects the user to the login page of FC
  • the user enters name and password and then submits the form
  • the login page sends name and password to the identity server, asking for his credentials
  • the server gives the credentials
  • the user is redirected to the initial (no longer) protected page
    • The protected page in this case is the dashboard of OpenStack!

Reading the answer of @heckj, should I write an identity backend for Keystone that sends name and password to the FC login page and handles its answer?


1 Answer

As of the Folsom release of OpenStack, the identity mechanisms and APIs don't support any concept of federation. It's one of the topics up for discussion at the OpenStack Grizzly design summit - you can see some details of that discussion/conversation at the blueprint for federation.

For the Essex and Folsom releases of OpenStack, the identity service (Keystone) has a mechanism for writing an identity "plugin" by subclassing and implementing Driver (in https://github.com/openstack/keystone/blob/master/keystone/identity/core.py). Examples of this can be found in the back-ends provided with the project at https://github.com/openstack/keystone/tree/master/keystone/identity/backends.

I'm afraid the specific documentation and example on making a custom identity backend isn't there, but it has been done - there's a gist with a sample hybrid SQL/LDAP backend at https://gist.github.com/3176390

Extending this a bit for DeLac's extension:

Keystone provides a set of information specific to OpenStack that is a bit more detailed than basic authentication - most specifically it includes the idea of a project or tenant, and if the user is authorized against that project or tenant. When keystone provides a token credential that's used with other OpenStack projects, those projects can query back to Keystone to determine these additional details to provide enforcement of authorization policies.

If you want to plug in another or alternative authentication mechanism to back Keystone (such as a federated identity provider), as of the Folsom release you do so by creating a Keystone identity backend that can authenticate against your specific provider, and also does whatever business logic you deem appropriate to provide information about the user and how it's associated to projects and what roles that user has to each project.

All of keystone could be modified to use SAML or other variations of this scheme, but it would be a whole-sale replacement of many components, not just a plug-in upgrade of authentication in that case. Some efforts are underway to make that a bit easier (in particular, enabling PKI based authentication instead of simple tokens), but anything significant in that fashion would be quite an undertaking. That said, Keystone and the other OpenStack components have reasonably well defined APIs and interfaces they're using, so it's not an impossible task.

  • anyway... I don't have to substitute Keystone, but I should implement a plugin that communicates with it, without modifying it. Is that right? – DeLac Oct 05 '12 at 13:32
  • an observation... in this situation app<-->keystone<-->saml_framew all the apps continue to communicate with Keystone, without modifying the structure, but Keystone doesn't return a SAML token... if I modify Keystone to return a SAML token, I would have to re-modify each next version of OpenStack.. is there an escape :) ? – DeLac Oct 08 '12 at 10:30
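The backend pattern heckj describes, as an added example that is not code from the original post or from the Keystone project: an identity driver that hands name and password to the external provider (the questioner's FC) and then applies its own business logic to decide which tenants the user belongs to and with which roles. It follows the questioner's reading of the answer (the backend itself verifies the password against FC); the browser-redirect login page flow described in the question is not covered by this sketch. Everything below that is not on the page is an assumption: the `authenticate(user_id, tenant_id, password)` method returning `(user_ref, tenant_ref, metadata_ref)` is assumed to be the Folsom-era `keystone.identity.core.Driver` contract and should be checked against the tree for your release; `FakeFCClient` is a constructed in-memory stand-in for FC (a real backend would call FC's login endpoint over HTTPS there); the group-to-tenant/role table and the sample accounts are hypothetical.

```python
# Added example, not Keystone's own code. Assumptions: the Folsom-era
# Driver.authenticate(user_id, tenant_id, password) contract (check
# keystone/identity/core.py for your release), a constructed FC stand-in,
# and a hypothetical group -> (tenant, role) mapping.

import hashlib
import hmac


class AuthError(Exception):
    """Credentials rejected by FC, or the user is not allowed the tenant."""


def _pw_hash(password):
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class FakeFCClient:
    """Constructed stand-in for the federated provider FC.

    verify() plays the "send name and password to the identity server" step
    and returns the attributes FC asserts about the user, or None.
    """

    def __init__(self, accounts):
        # accounts: name -> {"pw": sha256 hex, "email": ..., "groups": [...]}
        self._accounts = accounts

    def verify(self, name, password):
        acct = self._accounts.get(name)
        if acct is None:
            return None
        # Constant-time comparison, and the same None for unknown user and
        # wrong password, so callers cannot enumerate FC accounts.
        if not hmac.compare_digest(acct["pw"], _pw_hash(password)):
            return None
        return {"name": name, "email": acct["email"], "groups": list(acct["groups"])}


# Hypothetical mapping from FC group to (OpenStack tenant, role).
GROUP_TO_TENANT_ROLE = {
    "cloud-admins": ("ops", "admin"),
    "cloud-users": ("dev", "member"),
}


class FCIdentity:
    """Identity backend delegating authentication to FC.

    In a real deployment this would subclass keystone.identity.core.Driver
    (assumed interface, see above) and be selected in keystone.conf.
    """

    def __init__(self, fc_client):
        self._fc = fc_client

    @staticmethod
    def _tenants_from_groups(groups):
        """Turn FC's group assertions into {tenant_id: set(roles)}."""
        tenants = {}
        for group in groups:
            mapping = GROUP_TO_TENANT_ROLE.get(group)
            if mapping is not None:
                tenant, role = mapping
                tenants.setdefault(tenant, set()).add(role)
        return tenants

    def authenticate(self, user_id=None, tenant_id=None, password=None):
        """Return (user_ref, tenant_ref, metadata_ref) or raise AuthError."""
        if not user_id or password is None:
            raise AuthError("user id and password are required")
        attrs = self._fc.verify(user_id, password)
        if attrs is None:
            raise AuthError("invalid user or password")
        user_ref = {"id": attrs["name"], "name": attrs["name"],
                    "email": attrs["email"], "enabled": True}
        tenants = self._tenants_from_groups(attrs["groups"])
        if tenant_id is None:
            # Unscoped authentication: valid user, no tenant chosen yet.
            return user_ref, None, {"roles": []}
        if tenant_id not in tenants:
            # Authorization is decided here, not by FC: FC only vouches
            # for who the user is, the backend decides what they may do.
            raise AuthError("user %s is not authorized for tenant %s"
                            % (user_id, tenant_id))
        tenant_ref = {"id": tenant_id, "name": tenant_id, "enabled": True}
        metadata_ref = {"roles": sorted(tenants[tenant_id])}
        return user_ref, tenant_ref, metadata_ref


def build_backend():
    """Backend wired to a constructed FC with three sample accounts."""
    fc = FakeFCClient({
        "alice": {"pw": _pw_hash("alice-pw"), "email": "alice@example.org",
                  "groups": ["cloud-admins", "cloud-users"]},
        "bob": {"pw": _pw_hash("bob-pw"), "email": "bob@example.org",
                "groups": ["cloud-users"]},
        "carol": {"pw": _pw_hash("carol-pw"), "email": "carol@example.org",
                  "groups": ["guests"]},  # no OpenStack tenant mapped
    })
    return FCIdentity(fc)
```

Usage: `build_backend().authenticate("alice", "ops", "alice-pw")` returns alice's user ref, the `ops` tenant ref and `{"roles": ["admin"]}`; the same call for `bob` raises `AuthError`, because FC accepts his password but the backend's own mapping does not put him in `ops`. That split is the point of the answer: the plugin replaces only how Keystone checks who the user is, while the tenant and role decisions, and the token Keystone hands back to the other services, stay Keystone's.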