Direct users mapping using group ids

bp federation-group-ids-mapped-without-domain-reference

Allow user mapping using group ids without domain reference.

Problem Description

Today, it’s possible to provide a list of group names to Keystone via the Identity Provider. However, a Domain must provided to map those groups. In the eventuality of the Identity Provider having the reference to the group ids, Keystone should be able to map those groups directly, without a domain reference.

Proposed Change

Keystone accepts group ids without any domain reference. The mapping should include a new rule named group_ids, and the list of group ids should be provided by the Identity Provider. Example of local rule specifying group_ids:

"local": [
    {
        "user": {
            "name": "{0}"
        },
    },
    {
        "group_ids": "{1}"
    }
]

As usual, an unscoped federated token will be issued.

Alternatives

None.

Security Impact

None.

Notifications Impact

None.

Other End User Impact

None.

Performance Impact

None.

Other Deployer Impact

None.

Developer Impact

None.

Implementation

Assignee(s)

Primary assignee:

Olivier Pilotte (opilotte)

Other assignees:

Work Items

  • Accepts Group IDs from the IdP without domain reference

Dependencies

None.

Documentation Impact

All the changes must be reflected in the documentation.

References

Accepts Group IDs from the IdP without domain - https://review.openstack.org/#/c/210581/