Ask Your Question

keystone and saml, shibboleth

asked 2012-03-16 14:58:00 -0500

dejw-f gravatar image

Short question - is it possible to support shibboleth in keystone somehow? If not - what should be done in short to add this somehow if we would like to implement such functionality. Is there any document describing how to extend keystone with other authentication/authorization technologies? Or maybe do you plan to add this? If yes then when it is expected?

Best regards, Dawid Szejnfeld

edit retag flag offensive close merge delete

2 answers

Sort by ยป oldest newest most voted

answered 2012-03-23 17:55:50 -0500

heckj gravatar image

updated 2014-07-17 16:16:26 -0500

smaffulli gravatar image

It's totally possible - the internal design of keystone is set around having configurable backends for each of the core components within Keystone. There's an abstract base class in each of those internal services (identity, token, catalog, etc) that you can subclass and create your own configurable backend to any existing system.

For identity, take a look at the class Driver in You can see how we've done it for some of the simple backends in keystone/identity/backends/*

edit flag offensive delete link more

answered 2013-07-18 17:20:15 -0500

Hy, i am interested to make an authentication module on Keystone using SAML2.

I read that havana-2 will have the saml2 module. This news is true? How can use this feature? I could test this new functionality!

I am developing an authentication plug-in in python code in Eclipse IDE. I have imported into eclipse the Keystone project from this link: ( Is not havana-2 but grizzly, of course!!!

Is possible to use new release of keystone and make a saml authentication?

When the user try the access the sistem will check into Keystone, if he not exists than check into my "saml-db".

Therefore I need to ask to my "user-Saml-db" if the user exist by saml method passing by Keystone.

Once the user is authenticated in my db, Keystone have a synchronization mechanism for the next authentication? In the sense: has an automatic mechanism to sync Keystone db with my SAML-db?

Thanks, regards Pasquale

edit flag offensive delete link more


This doesn't seem to be an answer. Please read to learn how to use this site.

smaffulli gravatar imagesmaffulli ( 2014-07-17 16:15:49 -0500 )edit

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2012-03-16 14:58:00 -0500

Seen: 267 times

Last updated: Jul 17 '14