IETF ABFAB federation
Problem Description
As of the Icehouse release, SAML is the only federation protocol that Keystone supports. The purpose of this specification is to enable support for IETF ABFAB as a federation protocol.
An identity provider that issues and handles ABFAB requests wishes to allow its users access to an OpenStack cloud. Currently this is not possible, because SAML is the only supported federation protocol.
Proposed Change
* Create a new auth plugin or module for IETF ABFAB requests.
* Re-use the mapping engine to map any IETF ABFAB attributes that are presented into Keystone attributes.
* Leverage the Moonshot implementation of ABFAB for Apache to handle the ABFAB protocol requests and responses.
* python-keystoneclient would need to be enhanced to handle ABFAB requests.
This feature should be written once the existing Federation code has been re-engineered, so as to avoid unnecessary code duplication.
Patches are linked at the bottom of the spec.
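The second bullet above proposes re-using the existing mapping engine rather than writing ABFAB-specific attribute handling. The following is an added illustration (not Keystone's own code, and not part of this spec) of what that means in practice: Apache's Moonshot module is assumed to expose the ABFAB assertion as request environment variables, and a simplified rule processor in the same JSON rule shape Keystone's federation mapping engine accepts (`rules`, `remote`, `local`, `type`, `any_one_of`, `not_any_of`, `regex`, `{0}` direct mapping) turns them into a Keystone user name and group ids. The attribute names, values and group ids below are constructed for the example; the direct-map behaviour of taking an attribute's first value is a simplification of the real engine.

```python
import re

# Constructed sample: environment variables an Apache ABFAB/Moonshot module is
# assumed to pass to Keystone. The attribute names are assumptions for
# illustration, not a Moonshot-defined set.
SAMPLE_ABFAB_ENV = {
    "REMOTE_USER": "alice@example.org",
    "eduPersonAffiliation": "staff;member",
    "eduPersonEntitlement": "urn:mace:example.org:cloud-admin",
}

# Mapping rules in the JSON shape Keystone's mapping engine accepts. The group
# ids are placeholders a deployer would replace with real Keystone group ids.
SAMPLE_MAPPING_RULES = {
    "rules": [
        {
            # Any staff or faculty member becomes a user named after REMOTE_USER
            # and is placed in the staff group.
            "local": [{"user": {"name": "{0}"}},
                      {"group": {"id": "GROUP_ID_STAFF"}}],
            "remote": [
                {"type": "REMOTE_USER"},
                {"type": "eduPersonAffiliation",
                 "any_one_of": ["staff", "faculty"]},
            ],
        },
        {
            # Only an exact entitlement value grants the admin group; the anchored
            # regex prevents a longer or prefixed value from matching.
            "local": [{"group": {"id": "GROUP_ID_ADMIN"}}],
            "remote": [
                {"type": "eduPersonEntitlement", "regex": True,
                 "any_one_of": [r"^urn:mace:example\.org:cloud-admin$"]},
            ],
        },
    ]
}


def parse_env(env):
    """Split ';'-separated Apache environment values into lists, the way
    Keystone treats multi-valued assertion attributes."""
    return {key: value.split(";") for key, value in env.items()}


def _requirement_matches(req, assertion):
    """Return (matched, direct_map_value) for one 'remote' requirement.

    A requirement with neither any_one_of nor not_any_of only has to be present;
    its first value is captured for {0}-style direct mapping (simplification)."""
    values = assertion.get(req["type"])
    if values is None:
        return False, None
    use_regex = req.get("regex", False)

    def hit(candidates):
        if use_regex:
            return any(re.search(pattern, v) for pattern in candidates for v in values)
        return any(v in candidates for v in values)

    if "any_one_of" in req:
        return hit(req["any_one_of"]), None
    if "not_any_of" in req:
        return not hit(req["not_any_of"]), None
    return True, values[0]


def process_mapping(rules, assertion):
    """Apply every rule whose 'remote' requirements all match; collect the
    resulting user name and group ids from the 'local' side."""
    user_name = None
    group_ids = []
    for rule in rules["rules"]:
        direct = []
        matched = True
        for req in rule["remote"]:
            ok, captured = _requirement_matches(req, assertion)
            if not ok:
                matched = False
                break
            if captured is not None:
                direct.append(captured)
        if not matched:
            continue
        for local in rule["local"]:
            if "user" in local:
                user_name = local["user"]["name"].format(*direct)
            if "group" in local:
                group_ids.append(local["group"]["id"].format(*direct))
    return {"name": user_name, "group_ids": group_ids}


def map_abfab_user(env, rules):
    """Entry point a hypothetical ABFAB auth plugin would call: no matched user
    means the assertion must be rejected, not silently mapped to nothing."""
    mapped = process_mapping(rules, parse_env(env))
    if mapped["name"] is None:
        raise ValueError("no mapping rule produced a user for this assertion")
    return mapped


if __name__ == "__main__":
    print(map_abfab_user(SAMPLE_ABFAB_ENV, SAMPLE_MAPPING_RULES))
```

The point of routing ABFAB through the mapping engine is that authorization decisions stay in deployer-controlled rules: a subject whose affiliation is, say, only `student` is rejected by `map_abfab_user` even though Apache authenticated it, and the anchored regex in the second rule keeps a superset entitlement value from granting the admin group.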
Alternatives
Add an authentication plugin to Keystone that directly handles the ABFAB protocol. From the plugin we could send an ABFAB request to the IdP through the encrypted EAP tunnel, then handle the response within the plugin.
This would also work, as ABFAB was designed to operate in this mode, but it would mean much more code that needs to be supported inside Keystone.
Security Impact
None, provided the Apache ABFAB plugin is implemented correctly and follows the IETF specifications.
Other End User Impact
A separate python-keystoneclient spec should be written.
Other Deployer Impact
Add an Apache ABFAB/Moonshot auth plugin to handle any ABFAB-specific data handling required by Apache.
Extensive documentation will have to be provided to describe any new configurations necessary.