Public bug reported:

It is currently possible for an IdP to specify multiple values in an
assertion (e.g., for groups a user is a member of) and have each of
those values mapped to an individual entity. This allows mapping a user
into multiple Keystone groups. However, this functionality does not yet
exist for the auto-provisioned Keystone projects. This RFE is for
extending this functionality so that multiple projects can be
provisioned if they are being mapped from a multi-value assertion.

Consider that a user is a member of several groups in the IdP, and you
want to provision one Keystone project per group. That is currently not
supported, though it is very similar to the group functionality.

This can be extended to project roles as well, though there will be a
limitation: since the roles themselves are not auto-provisioned, they
must already exist when the assertion is mapped. If the roles did exist,
though, the mapping would work fine.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1878496

Title:
  RFE: Support for direct-mapping auto-provisioned project/role names

Status in OpenStack Identity (keystone):
  New
