Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

sso concept in openstack

I basically want to know if my understanding with respect to single sign-on in openstack is correct.

  1. End user's lands on horizon page and selects the federated flow option.
  2. The apache module is triggered and it transfers the user's request to the identity provider's sign-on page.
  3. The identity provider authenticates the user and then based on the scope of claims requested, send the user information back to keystone in the form of assertions or claims.
  4. These assertions or claims are then received by the apache module and transformed into HTTP headers and given to the mapping engine of keystone.
  5. Mapping engine then uses these HTTP headers and maps them to appropriate mapping based on protocol and identity provider and creates a token.
  6. This token is given to horizon and finally the user is granted access.

Could anyone please confirm if this is correct? Also apart from this i have few doubts in the steps.

  1. Why do we mention OIDCScope = openid ?
  2. What is the structure of this token exchanged between keystone and horizon.