Federated Keystone

Some important definitions:

Service Provider (SP)

A system entity that provides services to principals or other system entities; in this case, OpenStack Identity is the service provider.

Identity Provider (IdP)

A directory service such as LDAP, RADIUS or Active Directory, which lets users log in with a user name and password, is a typical source of authentication tokens (e.g. passwords) at an identity provider.

Federated Identity is a mechanism to establish trusts between IdPs and SPs, in this case, between Identity Providers and the services provided by an OpenStack Cloud. It provides a secure way to use existing credentials to access cloud resources such as servers, volumes, and databases, across multiple endpoints. The credential is maintained by the user’s IdP.

Why Federated Identity?

Two underlying reasons:

  1. Reduced complexity makes your deployment easier to secure.

  2. It saves time for you and your users.

  • Centralize account management to prevent duplication of effort inside OpenStack infrastructure.

  • Reduce the burden on users. Single sign-on lets a single authentication method be used to access many different services and environments.

  • Move responsibility of password recovery process to IdP.

Further justification and details can be found in Keystone’s documentation on federation.