Re: [openstack-dev] [Keystone][FFE] ECP wrapped assertions

2015-03-24 Thread Yee, Guang
++

Same here.

From: Marek Denis [mailto:marek.de...@cern.ch]
Sent: Tuesday, March 24, 2015 1:51 AM
To: openstack-dev@lists.openstack.org
Subject: Re: [openstack-dev] [Keystone][FFE] ECP wrapped assertions

Hi,

I strongly support this request.
On 23.03.2015 22:42, Steve Martinelli wrote:
I'd like to request an exemption for the following to go into the Kilo release.

This work is crucial for:
-  Keystone to Keystone communication. An ECP wrapped SAML assertion will make 
it much easier for consumers and clients to use the K2K feature in Keystone. 
Currently, a client must take the generated SAML response and must prepare the 
ECP envelope themselves. This should be handled by Keystone, and not the 
clients. The client should be able to ask for the ECP wrapped assertion and 
hand it off to another Keystone.

Why this needs an FFE?
- To properly create an ECP wrapped SAML assertion, a relay state property
must be known (as it's used to compute a value in an ECP specific field). This
depends on how the service provider has their mod_shib configured. We will need 
to add a new property to the keystone resource 'service provider' - the spec 
change is here: https://review.openstack.org/#/c/166086/

Status of the work:
- The patches necessary for this feature already exist and are split into two patches. 1)
To add a new relay_state_prefix property to the service provider resource: 
https://review.openstack.org/#/c/166078/ and 2) to actually use this new 
property in order to generate the ECP assertion: 
https://review.openstack.org/#/c/162866/

Thanks,

Steve Martinelli
OpenStack Keystone Core


Marek Denis
OpenStack Keystone Core
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [Keystone][FFE] ECP wrapped assertions

2015-03-24 Thread Marek Denis

Hi,

I strongly support this request.

On 23.03.2015 22:42, Steve Martinelli wrote:
I'd like to request an exemption for the following to go into the Kilo 
release.


This work is crucial for:
-  Keystone to Keystone communication. An ECP wrapped SAML assertion 
will make it much easier for consumers and clients to use the K2K 
feature in Keystone. Currently, a client must take the generated SAML 
response and must prepare the ECP envelope themselves. This should be 
handled by Keystone, and not the clients. The client should be able to 
ask for the ECP wrapped assertion and hand it off to another Keystone.


Why this needs an FFE?
- To properly create an ECP wrapped SAML assertion, a relay state
property must be known (as it's used to compute a value in an ECP
specific field). This depends on how the service provider has their 
mod_shib configured. We will need to add a new property to the 
keystone resource 'service provider' - the spec change is here: 
https://review.openstack.org/#/c/166086/


Status of the work:
- The patches necessary for this feature already exist and are split into two
patches. 1) To add a new relay_state_prefix property to the service
provider resource: https://review.openstack.org/#/c/166078/ and 2) to
actually use this new property in order to generate the ECP assertion: 
https://review.openstack.org/#/c/162866/


Thanks,

Steve Martinelli
OpenStack Keystone Core



Marek Denis
OpenStack Keystone Core


[openstack-dev] [Keystone][FFE] ECP wrapped assertions

2015-03-23 Thread Steve Martinelli
I'd like to request an exemption for the following to go into the Kilo 
release. 

This work is crucial for:
-  Keystone to Keystone communication. An ECP wrapped SAML assertion will 
make it much easier for consumers and clients to use the K2K feature in 
Keystone. Currently, a client must take the generated SAML response and 
must prepare the ECP envelope themselves. This should be handled by 
Keystone, and not the clients. The client should be able to ask for the 
ECP wrapped assertion and hand it off to another Keystone.

Why this needs an FFE?
- To properly create an ECP wrapped SAML assertion, a relay state
property must be known (as it's used to compute a value in an ECP
specific field). This depends on how the service provider has their 
mod_shib configured. We will need to add a new property to the keystone 
resource 'service provider' - the spec change is here: 
https://review.openstack.org/#/c/166086/

Status of the work:
- The patches necessary for this feature already exist and are split into two
patches. 1) To add a new relay_state_prefix property to the service 
provider resource: https://review.openstack.org/#/c/166078/ and 2) to 
actually use this new property in order to generate the ECP assertion: 
https://review.openstack.org/#/c/162866/

Thanks,

Steve Martinelli
OpenStack Keystone Core