Hi, I currently have a lab setup using SAML2 federation with Microsoft ADFS.

The federation part itself works wonderfully. However, I'm also trying to use the new project as domains feature along with the Keystone v3 sample policy.json file for Keystone. The idea is that I should be able to map users who are in a specific group in Active Directory to the admin role in a specific domain. This should work for Keystone with the sample v3 policy (let's ignore problems with the admin role in other projects such as Nova). In this case I'm using the new project as domains feature, but I suspect that the problem would apply to regular domains as well.

The mapping works properly, with the important caveat that the user domain does not match the domain of the project(s) that I'm assigning the admin role to. Users who come in from Federation always belong to the "Federated" domain. This is the case even if I pre-create the users locally in a specific domain. This breaks the sample v3 policy.json because the rules expect the user's domain to match the project's domain.

Does anyone know if there is any way to achieve what I'm trying to do when using Federation?

Thanks in advance.

-m

_______________________________________________
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
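To make the failure mode in the post concrete, here is an added example (not code from the post, from Keystone, or from oslo.policy): a toy evaluator for the `role:`, `rule:` and `attribute:%(target.path)s` checks used in Keystone policy files. The rule names and rule text are assumptions shaped like the v3 cloud sample policy, not copied from any file, and the two credential dictionaries are constructed tokens. It shows why an admin whose token carries `domain_id = "Federated"` fails a "matching domain" rule against a project in another domain, while a local admin in that domain passes.

```python
"""Toy policy evaluator illustrating Keystone's domain-matching rule (constructed example)."""
import re

# Assumed rule names and bodies, modelled on the shape of Keystone's v3 cloud
# sample policy. They are not copied from the page or from Keystone itself.
RULES = {
    "admin_required": "role:admin",
    "admin_and_matching_domain_id":
        "rule:admin_required and domain_id:%(target.project.domain_id)s",
}

# Constructed credentials, as a token's auth context might look. A federated
# admin lands in the "Federated" domain regardless of any pre-created user.
FEDERATED_ADMIN = {"user_id": "alice", "roles": ["admin"], "domain_id": "Federated"}
LOCAL_ADMIN = {"user_id": "bob", "roles": ["admin"], "domain_id": "acme"}

# Constructed project that acts as a domain ("project as domains").
SAMPLE_PROJECT = {"id": "proj-1", "domain_id": "acme"}

# Matches the generic check form  <credential key>:%(<dotted target path>)s
_GENERIC = re.compile(r"^(?P<key>[\w.]+):%\((?P<path>[\w.]+)\)s$")


def _lookup(mapping, dotted):
    """Walk a dotted path such as 'target.project.domain_id' through nested dicts."""
    cur = mapping
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _check_atom(atom, creds, target):
    """Evaluate one check atom: rule:<name>, role:<name>, or key:%(path)s."""
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return check(RULES[value], creds, target)
    if kind == "role":
        return value in creds.get("roles", [])
    m = _GENERIC.match(atom)
    if m:
        # Generic check: the credential attribute must equal the target attribute.
        cred_val = creds.get(m.group("key"))
        target_val = _lookup(target, m.group("path"))
        return cred_val is not None and cred_val == target_val
    raise ValueError(f"unsupported check: {atom!r}")


def check(expr, creds, target):
    """Evaluate an 'and'-joined rule expression; every atom must pass."""
    return all(_check_atom(a.strip(), creds, target) for a in expr.split(" and "))


def may_administer(creds, project):
    """Apply the (assumed) admin-and-matching-domain rule to a project target."""
    target = {"target": {"project": project}}
    return check("rule:admin_and_matching_domain_id", creds, target)


if __name__ == "__main__":
    for who, creds in (("federated admin", FEDERATED_ADMIN), ("local admin", LOCAL_ADMIN)):
        verdict = "allowed" if may_administer(creds, SAMPLE_PROJECT) else "denied"
        print(f"{who} (domain {creds['domain_id']}) on project in domain "
              f"{SAMPLE_PROJECT['domain_id']}: {verdict}")
```

Both users hold the admin role, so `rule:admin_required` passes for each; the deciding atom is the domain comparison, which is exactly the part a federated token cannot satisfy when its `domain_id` is the federation domain rather than the project's.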
The federation part itself works wonderfully. However, I'm also trying to use the new project as domains feature along with the Keystone v3 sample policy.json file for Keystone: The idea is that I should be able to map users who are in a specific group in Active Directory to the admin role in a specific domain. This should work for Keystone with the sample v3 policy (let's ignore problems with the admin role in other projects such as Nova). In this case I'm using the new project as domains feature, but I suspect that the problem would apply to regular domains as well. The mapping works properly with the important caveat that the user domain does not match the domain of the project(s) that I'm assigning the admin role to. Users who come in from Federation always belong to the "Federated" domain. This is the case even if I pre-create the users locally in a specific domain. This breaks sample v3 policy.json because the rules expect the user's domain to match the project's domain. Does anyone know if there is anyway to achieve what I'm trying to do when using Federation? Thanks in advance. -m _______________________________________________ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators