can't use federated keystone token against other services

asked 2014-12-10 10:32:39 -0500

philloooo gravatar image

updated 2014-12-10 13:15:15 -0500

Hey I was testing keystone with federation in devstack, I successfully set it up with testshib idp and was able to get a federated token for a federated user(scoped either to a project or a domain depending on user's choice).The token can be validated via keystone v3/auth/tokens api. I can also use project scoped token to call nova api like '' to get flavor information. But I have no idea how should I pass the token to other services' clients and openstack CLI
I suppose the token should work with keystoneclient session, by passing the token to keystoneclient.auth.identity.v3.Token and construct a session to pass to other services.

However it report error "user not found" (as the user does not exist in keystone db) What is the correct way to do it? Or is there somewhere in other services that I should customize?

edit retag flag offensive close merge delete