yahoo-eng-team team mailing list archive
Message #77009
[Bug 1816059] [NEW] RFE: Native SAML Support
Public bug reported:
Currently, keystone relies heavily on web server plugins to parse and
validate SAML assertions from external identity providers. The cost of
not having this support natively in keystone is that it makes federation
harder to set up for operators, and limits the usability of the feature
as a whole. For example, setting up new identity providers for
federation requires restarting web server processes, which isn't
something we expect operators to let their customers do freely.
With native SAML support, we could
- Reduce the number of mappings required to configure federation (e.g., we wouldn't need a mapping for Apache plugins and an internal mapping in keystone)
- Setting up new trusted identity providers could be customer driven (e.g., a domain administrator could be given access to APIs that allow them to set up an identity provider for their domain, as opposed to filing a request ticket for a system administrator)
- Setting up federated identity, in general, would be simpler
** Affects: keystone
Importance: Wishlist
Status: Triaged
** Tags: federation
** Changed in: keystone
Status: New => Triaged
** Changed in: keystone
Importance: Undecided => Wishlist
** Tags added: federation
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1816059
Title:
RFE: Native SAML Support
Status in OpenStack Identity (keystone):
Triaged
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1816059/+subscriptions