[openstack-dev] [keystone] Single Sign On integration research

2016-03-08 Thread Kseniya Tychkova
Hi,
as you may know, Keystone currently supports Single Sign-On (SSO), and I
think it is one of the most interesting features in Keystone.
I've done research on Single Sign-On in Keystone. Practically, I just tried
to set up Keystone in 2 different configurations.
As a result of my research I have 2 blog posts and I would like to share
links with you:

*1. Keystone Service Provider with Shibboleth Identity Provider (WebSSO profile)*:
( http://xuctarine.blogspot.ru/2016/02/keystone-service-provider-with.html )
The post describes, step by step, how to deploy a Shibboleth Identity Provider
with a Keystone Service Provider.
This configuration is interesting because you can easily replace the Shibboleth
Identity Provider with any other Identity Provider with SAML support.
So it is, I think, the most popular use case for SSO in Keystone.


*2. How to setup Keystone with Shibboleth (ECP profile):*
( http://xuctarine.blogspot.ru/2016/02/how-to-setup-keystone-with-shibboleth.html )
The post describes how to deploy a Keystone Identity Provider with a Keystone
Service Provider.
It is a Keystone-to-Keystone configuration and it uses the ECP profile (Enhanced
Client or Proxy) of the SAML protocol.
I took a lot of the information for this post from rodrigods' blog (
http://blog.rodrigods.com/it-is-time-to-play-with-keystone-to-keystone-federation-in-kilo
).

I hope my posts will help you to deploy/configure SSO or at least will be
interesting to take a look at the SSO feature in Keystone.

Kind regards, Kseniya
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [keystone] Single Sign On integration research

2016-03-08 Thread Jay Pipes

Awesome blogs, Kseniya, thank you for sharing this! :)
-jay



Re: [openstack-dev] [keystone] Single Sign On integration research

2016-03-08 Thread Adam Heczko
Good job Kseniya :)

A.


-- 
Adam Heczko
Security Engineer @ Mirantis Inc.


Re: [openstack-dev] [keystone] Single Sign On integration research

2016-03-08 Thread Steve Martinelli

Looks great! I only have one suggestion for the ECP blog. We actually have
keystoneauth plugins for ECP [1]. Instead of issuing a request in your
example, you may be able to just use the federated auth plugin.

[1]
https://github.com/openstack/keystoneauth/blob/35cad4a2ef00339eb31d80458bafaada41a5d8ce/keystoneauth1/extras/_saml2/v3/saml2.py

stevemar





Re: [openstack-dev] [keystone] Single Sign On integration research

2016-03-15 Thread Rodrigo Duarte
Awesome blog posts, thanks for sharing - these setups can be tricky
sometimes.
