Brussels / 30 & 31 January 2016


Federated identity in OpenStack

When you can't list your users

Federation was introduced in the OpenStack "Juno" release, but it is still an interesting topic and is still being developed. Moreover, we want to make federation a first-class citizen in OpenStack Keystone. This talk will give an overview of why one would use federated identity for one's cloud.

Although Keystone implements the Identity API, it doesn't try to be a user management tool and encourages administrators to manage users with existing fully-fledged tools. Federation allows users to authenticate with their username and password at a trusted identity provider, get a token from it and use it to authenticate in Keystone, while Keystone stores information about the user neither in a database nor in LDAP.

In the talk I will cover the history of identity federation in OpenStack Keystone, who uses it, the existing problems, and the general architecture and features.


Boris Bobrov