On 10/14/2013 09:56 AM, Rok Kralj wrote:
*Hello OpenStack community,*
As you might remember, some time ago we had a quick discussion about
supporting the SAML 2.0 protocol for identity management in
federations as this is the protocol of big importance in business
enterprise. At first, the discussion gained a fair amount of interest.
Just to refresh our minds, here is the reference to the discussion on
the mailing list:
http://lists.openstack.org/pipermail/openstack/2013-August/000401.html
This is not the first, nor is it the only time that SAML has been
discussed. There has been an ongoing effort toward a general approach
toward Federation, with SAML being the dominant protocol in the
space...but not the only one.
We have a Federated Identity BLueprint that we have been working on for
a long time: https://blueprints.launchpad.net/keystone/+spec/federation
Note the dependency chart at the bottom: we are not going to implement
a SAML specific solution in a vacuum, but rather integrated into a
general Federation approach.
The short of it is that a SAML assertion (or other document bearing
Authorization attributes) will be mapped to as set of the objects we
have in the Identity backend. These will be mapped to "user has role in
project" and similar authorization attributes just as the LDAP and SQL
based backend are currently mapped.
There is mod_auth_saml and other Apache based modules that we can use
for Native code. We will not be supporting custom native code in
Keystone, but we can make use of libraries that are in the major
distributions. I don't think mod_auth_saml currently meets the needs of
Keystone, any more than mod_authN_ldap would, but it is a pointer in the
right direction.
This discussion belongs on the opentack-dev, and not the general
openstack ML.
The initial manifesto
<https://blueprints.launchpad.net/keystone/+spec/virtual-idp> was
published by Joe Savak, however, it has been in a drafting stage for
quite some time now and we would like it to gain some traction on the
matter. Maybe this is the time to further discuss the overall
architecture
<https://wiki.openstack.org/wiki/File:Virtual_Identity_Providers.png>,
collecting as many opinions as possible.
Our company (XLAB) has been working on an EU funded Contrail project.
Among other things, we have worked on the components providing
discussed mechanisms, just using different technologies
(SimpleSAMLphp, a mature SAML solution, also providing a plethora of
other bindings).
We are willing to contribute our time and resources towards the
implementation of this functionality in Python if needed and working
with you on further extension of the idea. We are currently examining
these two SAML libraries that might suit our (OpenStack's) needs:
http://lasso.entrouvert.org/ (GNU GPL)
http://pythonhosted.org/authentic2/index.html (GNU AGPL 3)
However, considering the fact they are not actively developed anymore
and are in fact, quite heavy dependencies with C backed, we might be
better off writing an own, custom solution, despite the needed effort
to achieve that.
We are looking forward to your reply and to working with you,
Rok Kralj, XLAB research, Slovenia
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
