Vancouver, BC
May 21-24, 2018

Federated Keystone Single Sign-On with FreeIPA and OpenID Connect

Federated keystone identity provides a mechanism for end users to use existing credentials maintained by an organization's own identity provider. FreeIPA is an identity and authentication management solution. In this presentation, we describe integrating keystone with FreeIPA as the backend identity provider, using OpenID Connect as the federation protocol. This setup eases the burden of user account administration within OpenStack while giving users access to the Horizon dashboard and the OpenStackClient tools with their existing FreeIPA credentials. We describe the development of a self-service web portal for users to manage an API key, a new authentication plugin for keystone, and the integration of an OAuth2/OpenID Connect consent endpoint for FreeIPA. Access control is provided by a custom ACL extension in the federated keystone driver that pulls groups and projects directly from FreeIPA. This work is supported by Aristotle, an NSF DIBBs funded federated cloud consortium, and SUNY at Buffalo's LakeEffect cloud.

What can I expect to learn?

After attending this presentation, operators of OpenStack clouds will understand the deployment and configuration of federated keystone identity against an existing FreeIPA-based identity provider. The challenges of integrating federated logins with the OpenStackClient tools are discussed, along with a custom solution based on a self-service web portal that integrates with FreeIPA and OAuth2/OpenID Connect. Attendees will also learn how to configure ACLs that provide fine-grained access to cloud resources using a newly developed keystone plugin.
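For context on how keystone consumes the identity provider's claims, the following is an added illustration, not the presenters' configuration: a stock keystone federation mapping rule that takes the username and group-membership claims passed through by the OIDC protected web server (claim names assumed to carry the `OIDC-` prefix, as with mod_auth_openidc) and maps them to keystone groups in an assumed `Default` domain. Membership in an assumed FreeIPA group `openstack-users` is required before any keystone group is assigned; the presentation's custom ACL extension replaces this static mapping with group and project data read directly from FreeIPA.

```json
[
    {
        "local": [
            {
                "user": {
                    "name": "{0}"
                }
            },
            {
                "groups": "{1}",
                "domain": {
                    "name": "Default"
                }
            }
        ],
        "remote": [
            {
                "type": "OIDC-preferred_username"
            },
            {
                "type": "OIDC-groups"
            },
            {
                "type": "OIDC-groups",
                "any_one_of": [
                    "openstack-users"
                ]
            }
        ]
    }
]
```

Any FreeIPA group named in the `OIDC-groups` claim must already exist as a keystone group with role assignments on a project, or the federated user receives no project access; users who are not in `openstack-users` fail the rule and are denied a token.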

Monday, May 21, 3:10pm-3:50pm
Difficulty Level: Intermediate
Scientific Programmer
Martins Innus is a Scientific Programmer at the Center for Computational Research (CCR) at the University at Buffalo (UB). He writes software for HPC monitoring and performance measurement. He has also been deeply involved in the deployment, testing and integration of the OpenStack installation at CCR.
Senior Programmer Analyst
As a software engineer and system administrator at the Center for Computational Research, Mr. Bruno administers high performance Linux based compute clusters spanning thousands of nodes. He develops and supports the infrastructure to perform automated software installations, maintain user account management systems, and system monitoring tools for tracking resource utilization and energy...