On 11/09/2013 22:05, Adam Young wrote:
What's the use case for including providers in the service catalog?
i.e. why do Identity API clients need to be aware of the Identity
Providers?
In the federation protocol API, the user can specify the IdP that they
are using. Keystone needs to know what are the set of acceptable IdPs,
somehow. The first thought was reuse of the Service catalog.
It probably makes sense to let an administrator enumerate the IdPs
registered with Keystone, and what protocol each supports.
There are several reasons why Keystone needs to be aware of which IDPs
are out there.
1. Trust. Keystone administrators will only trust a subset of available
IDPs, and this information needs to be configured into Keystone in some way
2. Discovery. Keystone needs to be able to discover details of which
IDPs are trusted and how to contact them (meta data). This needs to be
configured into Keystone somehow
3. Helping the user. The user might needs to know which IdPs it can use
and which it cannot, so Keystone may need to provide the user with a
list of IdPs to choose from.
Using the service catalog to hold the above information was a pragmatic
implementation decision that Kent made. What is conceptually needed is a
directory service that Keystone can contact to find out the required
information. So we should design federated keystone to have a directory
service interface, and then implementors may choose to use the service
catalog or something else to fulfil this function
regards
David
_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
