
I am trying to understand direct mapping on OpenStack. I want to map a user to a domain other than Federated domain. But I always get user mapped to Federated domain. Here follows the link for direct mapping that I am using:

https://specs.openstack.org/openstack/keystone-specs/specs/kilo/federated-direct-user-mapping.html

Here follows the rule for mapping that I am using:

[
  {
    "local": [
      {
        "user": {
          "name": "{0}",
          "domain": {"name": "Default"}
        }
      },
      {
        "group": {
          "id": "GROUP_ID"
        }
      }
    ],
    "remote": [
      {
        "type": "HTTP_OIDC_SUB"
      }
    ]
  }
]

I have configured an OpenID Connect IdP for federation.

Could someone help me with how I can use direct mapping to map a federated user to a domain other than Federated?

Rahn
Spsingh

1 Answer


The only way I've been able to get it to not be in the 'Federated' domain is to force the user to be of type local, but then they need to exist in the backend (SQL/LDAP).

[
  {
    "local": [
      {
        "user": {
          "name": "{0}",
          "type": "local",
          "domain": {"name": "Default"}
        }
      },
      {
        "group": {
          "id": "GROUP_ID"
        }
      }
    ],
    "remote": [
      {
        "type": "HTTP_OIDC_SUB"
      }
    ]
  }
]

The following bit of code in keystone is the culprit for doing this:

    if user_type is None:
        # No "type" in the mapped user: keystone defaults it to ephemeral
        user_type = user['type'] = UserType.EPHEMERAL

    if user_type == UserType.EPHEMERAL:
        # Ephemeral users are always placed in the configured federated domain,
        # overriding any "domain" the mapping rule set
        user['domain'] = {
            'id': CONF.federation.federated_domain_name
        }

It basically overrides the domain with the pre-configured federated domain if your user doesn't have a type, or is ephemeral.
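As an added illustration (not code from the question, the answer, or keystone itself), the Python below models what the two rules above produce for a constructed OIDC assertion. It renders the rule's "local" section the way the mapping engine does for `{0}`-style placeholders (string values only, in the order of the "remote" attributes) and then applies the domain override quoted from keystone. The constant names `EPHEMERAL`, `LOCAL` and `FEDERATED_DOMAIN_NAME` are assumptions standing in for keystone's `UserType` enum and `CONF.federation.federated_domain_name`; the sample subject value is constructed.

```python
import json

# Assumed stand-ins for keystone's UserType enum and the
# CONF.federation.federated_domain_name setting (default "Federated").
EPHEMERAL = "ephemeral"
LOCAL = "local"
FEDERATED_DOMAIN_NAME = "Federated"

# The rule from the question (no "type") and the rule from the answer ("type": "local").
QUESTION_RULE = {
    "local": [
        {"user": {"name": "{0}", "domain": {"name": "Default"}}},
        {"group": {"id": "GROUP_ID"}},
    ],
    "remote": [{"type": "HTTP_OIDC_SUB"}],
}
ANSWER_RULE = json.loads(json.dumps(QUESTION_RULE))
ANSWER_RULE["local"][0]["user"]["type"] = LOCAL

# Constructed assertion as the OIDC auth module would expose it to keystone.
ASSERTION = {"HTTP_OIDC_SUB": "alice@idp.example.test"}


def _render(obj, values):
    """Substitute {0}, {1}, ... in string values only, recursing into dicts/lists,
    so the JSON braces of nested objects are left untouched."""
    if isinstance(obj, str):
        return obj.format(*values)
    if isinstance(obj, dict):
        return {k: _render(v, values) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_render(v, values) for v in obj]
    return obj


def map_user(rule, assertion):
    """Simplified mapping engine: collect the remote attribute values in order,
    render the local section, and return (user_dict, [group_ids]).
    Returns (None, []) when a required remote attribute is absent."""
    values = []
    for remote in rule["remote"]:
        if remote["type"] not in assertion:
            return None, []
        values.append(assertion[remote["type"]])
    user, groups = {}, []
    for item in _render(rule["local"], values):
        if "user" in item:
            user.update(item["user"])
        if "group" in item:
            groups.append(item["group"]["id"])
    return user, groups


def finalize_domain(user):
    """The override quoted from keystone: a user with no type becomes ephemeral,
    and an ephemeral user's domain is forced to the federated domain."""
    user = dict(user)
    user_type = user.get("type")
    if user_type is None:
        user_type = user["type"] = EPHEMERAL
    if user_type == EPHEMERAL:
        user["domain"] = {"id": FEDERATED_DOMAIN_NAME}
    return user


def resolve(rule, assertion):
    """Full pipeline for one rule: mapping followed by the domain override."""
    user, groups = map_user(rule, assertion)
    if user is None:
        return None, groups
    return finalize_domain(user), groups


if __name__ == "__main__":
    for label, rule in (("question rule", QUESTION_RULE), ("answer rule", ANSWER_RULE)):
        user, groups = resolve(rule, ASSERTION)
        print(f"{label}: user={user} groups={groups}")
```

Running it shows the question's rule ends up with `"domain": {"id": "Federated"}` although the rule asked for Default, while the answer's rule keeps `"domain": {"name": "Default"}` because the `local` type skips the override; the group assignment is the same in both cases. As the answer notes, the local variant only authenticates if that user already exists in the Default domain's backend.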