I basically want to know if my understanding with respect to single sign-on in OpenStack is correct.
- End user lands on the Horizon page and selects the federated flow option.
- The Apache module is triggered and it transfers the user's request to the identity provider's sign-on page.
- The identity provider authenticates the user and then, based on the scope of claims requested, sends the user information back to Keystone in the form of assertions or claims.
- These assertions or claims are then received by the Apache module, transformed into HTTP headers and given to the mapping engine of Keystone.
- The mapping engine then uses these HTTP headers and maps them to the appropriate mapping based on protocol and identity provider, and creates a token.
- This token is given to Horizon and finally the user is granted access.
Could anyone please confirm if this is correct? Also, apart from this, I have a few doubts about the steps.
- Why do we mention OIDCScope = openid?
- What is the structure of this token exchanged between Keystone and Horizon?
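As an added illustration of the mapping step in the question (this is not part of the original post and not Keystone's own mapping engine), the following toy evaluator applies one mapping rule, written in the JSON shape Keystone uses ("rules" with "local" and "remote" parts and `{0}`-style placeholders), to a dictionary of HTTP headers like the ones mod_auth_openidc passes on. The header names, issuer URL, user names and group id are constructed sample values. It also shows why restricting the issuer with `any_one_of` matters: an assertion from an unexpected identity provider maps to nothing instead of to a local user.

```python
"""Toy evaluation of a Keystone-style federation mapping rule.

Added illustration, not Keystone's own engine. It applies a mapping in the
JSON shape Keystone uses ("rules" -> "local"/"remote") to a dict of HTTP
headers such as those set by mod_auth_openidc. All values are constructed.
"""
import json
import re

# Constructed mapping: remote attribute 0 is the OIDC subject, attribute 1
# the issuer. any_one_of pins the issuer so claims from another IdP are
# rejected rather than mapped to a local user.
MAPPING_JSON = """
{
  "rules": [
    {
      "local": [
        {"user": {"name": "{0}"}},
        {"group": {"id": "federated-users-group-id"}}
      ],
      "remote": [
        {"type": "OIDC-sub"},
        {"type": "OIDC-iss", "any_one_of": ["https://idp.example.test"]}
      ]
    }
  ]
}
"""
MAPPING = json.loads(MAPPING_JSON)

# Constructed headers as the Apache module would hand them to Keystone.
GOOD_HEADERS = {"OIDC-iss": "https://idp.example.test", "OIDC-sub": "alice"}
BAD_HEADERS = {"OIDC-iss": "https://rogue.example.test", "OIDC-sub": "mallory"}


def _remote_matches(req, value):
    """Check one 'remote' entry against a header value (None = header absent)."""
    if value is None:
        return False
    use_regex = bool(req.get("regex"))
    if "any_one_of" in req:
        allowed = req["any_one_of"]
        if use_regex:
            return any(re.fullmatch(p, value) for p in allowed)
        return value in allowed
    if "not_any_of" in req:
        denied = req["not_any_of"]
        if use_regex:
            return not any(re.fullmatch(p, value) for p in denied)
        return value not in denied
    return True  # presence-only requirement


def _render(obj, values):
    """Substitute {0}, {1}, ... in every string leaf of the 'local' part."""
    if isinstance(obj, str):
        return obj.format(*values)
    if isinstance(obj, dict):
        return {k: _render(v, values) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_render(v, values) for v in obj]
    return obj


def apply_mapping(mapping, headers):
    """Return {'user': ..., 'groups': [...]} from the first matching rule, else None."""
    for rule in mapping["rules"]:
        values = []
        for req in rule["remote"]:
            value = headers.get(req["type"])
            if not _remote_matches(req, value):
                break
            values.append(value)
        else:
            identity = {"user": None, "groups": []}
            for entry in _render(rule["local"], values):
                if "user" in entry:
                    identity["user"] = entry["user"]
                if "group" in entry:
                    identity["groups"].append(entry["group"])
            return identity
    return None


if __name__ == "__main__":
    print(apply_mapping(MAPPING, GOOD_HEADERS))
    print(apply_mapping(MAPPING, BAD_HEADERS))
```

The real Keystone engine supports more than this (whitelist/blacklist on multi-valued attributes, groups by name and domain, multiple local users), but the shape of the check is the same: remote requirements are evaluated against the headers, and only on a full match are placeholders filled in and the local user and groups produced.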