
yahoo-eng-team team mailing list archive

[Bug 1816059] [NEW] RFE: Native SAML Support

Public bug reported:

Currently, keystone relies heavily on web server plugins to parse and
validate SAML assertions from external identity providers. The cost of
not having this support natively in keystone is that it makes federation
harder to set up for operators, and limits the usability of the feature
as a whole. For example, setting up new identity providers for
federation requires restarting web server processes, which isn't
something we expect operators to let their customers do freely.

With native SAML support, we could:

- Reduce the number of mappings required to configure federation (e.g., we wouldn't need a mapping for Apache plugins and an internal mapping in keystone)
- Make setting up new trusted identity providers customer driven (e.g., a domain administrator could be given access to APIs that allow them to set up an identity provider for their domain, as opposed to filing a request ticket for a system administrator)
- Make setting up federated identity, in general, simpler
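As an added illustration (not code from this bug report or from keystone), these are the checks a native SAML backend would have to perform itself after the assertion's XML signature has been verified: issuer allow-list, validity window, audience restriction and attribute extraction into the flat dict that keystone mapping rules consume. The issuer, audience and sample assertion are constructed placeholders, and signature verification is assumed to have been done by a dedicated XML-DSig library beforehand.

```python
import xml.etree.ElementTree as ET  # production code should parse untrusted XML with defusedxml
from datetime import datetime, timezone

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (signature element omitted); all values are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2019-02-14T12:00:00Z">
  <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2019-02-14T12:00:00Z" NotOnOrAfter="2019-02-14T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://keystone.example.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>admins</saml:AttributeValue>
      <saml:AttributeValue>operators</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2019-02-14T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuers, audience, now):
    """Return ("ok", attrs) or ("rejected", reason). Precondition (assumed, not done
    here): the XML signature was verified against the issuer's registered certificate."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=SAML)
    if issuer not in trusted_issuers:          # only registered identity providers are accepted
        return "rejected", "unknown issuer %r" % issuer
    cond = root.find("saml:Conditions", SAML)
    if cond is None:
        return "rejected", "missing Conditions"
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb is None or noa is None or now < _ts(nb) or now >= _ts(noa):
        return "rejected", "assertion outside its validity window"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML)]
    if audience not in audiences:              # assertion was issued for a different SP
        return "rejected", "audience mismatch"
    # Flatten subject and attributes into the dict shape keystone mapping rules consume
    attrs = {"NameID": [root.findtext("saml:Subject/saml:NameID", namespaces=SAML)]}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", SAML)]
    return "ok", attrs
```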

** Affects: keystone
     Importance: Wishlist
         Status: Triaged


** Tags: federation

** Changed in: keystone
       Status: New => Triaged

** Changed in: keystone
   Importance: Undecided => Wishlist

** Tags added: federation

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1816059