Direct users mapping using group ids¶

bp federation-group-ids-mapped-without-domain-reference

Allow user mapping using group ids without domain reference.

Problem Description¶

Today, it’s possible to provide a list of group names to Keystone via the Identity Provider. However, a Domain must provided to map those groups. In the eventuality of the Identity Provider having the reference to the group ids, Keystone should be able to map those groups directly, without a domain reference.

Proposed Change¶

Keystone accepts group ids without any domain reference. The mapping should include a new rule named group_ids, and the list of group ids should be provided by the Identity Provider. Example of local rule specifying group_ids:

"local": [
    {
        "user": {
            "name": "{0}"
        },
    },
    {
        "group_ids": "{1}"
    }
]

As usual, an unscoped federated token will be issued.

Alternatives¶

None.

Security Impact¶

None.

Notifications Impact¶

None.

Other End User Impact¶

None.

Performance Impact¶

None.

Other Deployer Impact¶

None.

Developer Impact¶

None.

Implementation¶

Assignee(s)¶

Primary assignee:: Olivier Pilotte (opilotte)

Other assignees:

Work Items¶

Accepts Group IDs from the IdP without domain reference

Dependencies¶

None.

Documentation Impact¶

All the changes must be reflected in the documentation.

References¶

Accepts Group IDs from the IdP without domain - https://review.openstack.org/#/c/210581/

Direct users mapping using group ids

Direct users mapping using group ids¶

Problem Description¶

Proposed Change¶

Alternatives¶

Security Impact¶

Notifications Impact¶

Other End User Impact¶

Performance Impact¶

Other Deployer Impact¶

Developer Impact¶

Implementation¶

Assignee(s)¶

Work Items¶

Dependencies¶

Documentation Impact¶

References¶

Identity Specs 0.0.1.dev621

Page Contents