On 11/14/2014 09:32 AM, Don Waterloo wrote:
I have a system (juno/ubuntu 14.10) which currently has keystone as the master of the
universe for identity and authentication.
By convention, each user of my system is also a tenant, which is my intent to continue. My system is used by a combination of our team members, but also by 3rd parties
(e.g. we use it for training on our products).

I would like to make our saml system authoritative for identity/auth for the
team members, but leave keystone authoritative for 3rd parties.

Is there any documentation on someone who has such a system, or are there
any recommended best practises to follow?




_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
So the intent is to split things up by domain. I would say that your existing users should be in one domain (or multiple if they are already) and Federated/SAML users would go into... limbo today, as federated users are kind of domainless. I'd like to fix that (each IdP has a minimum of one domain).

The term "tenant" is kind of confusing here. I think what you are saying is that each user of your system gets a default project autoprovisioned for them. With Federation, you have to make sure you don't provision for users with Valid Federated Identities but no real relationship to your Cloud deployment.
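The gating point in the reply (only let federated users with a real relationship to the deployment through, and give nothing to everyone else the IdP vouches for) is what a Keystone federation mapping document expresses. Below is an added illustration, not code from the thread or from Keystone itself: a small Python emulation of how such a mapping is evaluated against SAML assertion attributes. The mapping rules, the `openstack_user` and `orgPersonType` attribute names, the `PLACEHOLDER_TEAM_GROUP_ID` group id and the sample assertions are all constructed for this example; the evaluator is simplified (first matching rule wins, rather than Keystone's merge of all matching rules).

```python
import re

# Constructed example mapping in the shape of a Keystone federation mapping
# document: a "rules" list, each rule with "local" and "remote" parts.
# The group id is a placeholder, not a real Keystone identifier.
TEAM_MAPPING = {
    "rules": [
        {
            "local": [
                {"user": {"name": "{0}"}},
                {"group": {"id": "PLACEHOLDER_TEAM_GROUP_ID"}},
            ],
            "remote": [
                # Unconditional entry: supplies positional value {0}.
                {"type": "openstack_user"},
                # Conditional entry: gates the rule, contributes no value.
                {"type": "orgPersonType", "any_one_of": ["Employee", "Contractor"]},
            ],
        }
    ]
}


def _condition_holds(req, values):
    """Evaluate one remote entry's any_one_of / not_any_of condition.

    Entries with only a "type" always hold; presence of the attribute is
    checked by the caller.
    """
    if "any_one_of" in req:
        allowed = req["any_one_of"]
        if req.get("regex"):
            return any(re.search(p, v) for p in allowed for v in values)
        return any(v in allowed for v in values)
    if "not_any_of" in req:
        denied = req["not_any_of"]
        if req.get("regex"):
            return not any(re.search(p, v) for p in denied for v in values)
        return not any(v in denied for v in values)
    return True


def _match_rule(rule, assertion):
    """Return the positional values for a rule, or None if it does not match.

    Only unconditional remote entries feed the {0}, {1}, ... placeholders in
    the local part; conditional entries only decide whether the rule applies.
    """
    positional = []
    for req in rule["remote"]:
        values = assertion.get(req["type"])
        if not values:
            return None  # required attribute absent from the assertion
        if not _condition_holds(req, values):
            return None
        if "any_one_of" not in req and "not_any_of" not in req:
            positional.append(values[0])
    return positional


def apply_mapping(assertion, mapping=TEAM_MAPPING):
    """Map assertion attributes to a local user name and group ids.

    Returns None when no rule matches: that federated identity gets no
    local user, no groups and therefore nothing auto-provisioned.
    """
    for rule in mapping["rules"]:
        positional = _match_rule(rule, assertion)
        if positional is None:
            continue
        result = {"name": None, "group_ids": []}
        for local in rule["local"]:
            if "user" in local:
                result["name"] = local["user"]["name"].format(*positional)
            if "group" in local:
                result["group_ids"].append(local["group"]["id"])
        return result
    return None


if __name__ == "__main__":
    # Constructed assertions: attribute name -> list of values, since SAML
    # attributes can be multi-valued.
    team_member = {"openstack_user": ["alice"], "orgPersonType": ["Employee"]}
    outsider = {"openstack_user": ["mallory"], "orgPersonType": ["Guest"]}
    print(apply_mapping(team_member))
    print(apply_mapping(outsider))
```

The second assertion is valid as far as the IdP is concerned, but because it fails the `orgPersonType` condition no rule matches and the evaluator returns None; that is the "no real relationship to your Cloud deployment" case, and any project auto-provisioning hook should key off a successful mapping and group membership rather than off the mere presence of an assertion.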