Federated keystone

Some important definitions:

Service Provider (SP)

A system entity that provides services to principals or to other system entities. In this case, OpenStack Identity is the service provider.

Identity Provider (IdP)

A directory service that allows users to log in with a username and password, such as LDAP, RADIUS, or Active Directory. It is a common source of authentication tokens (such as passwords) within an :term:`identity provider <identity provider>`.

Federated Identity is a mechanism to establish trusts between IdPs and SPs, in this case, between Identity Providers and the services provided by an OpenStack Cloud. It provides a secure way to use existing credentials to access cloud resources such as servers, volumes, and databases, across multiple endpoints. The credential is maintained by the user's IdP.

Why use Federated Identity?

Two underlying reasons:

  1. Reduced complexity makes your deployment easier to secure.

  2. It saves time for you and your users.

  • Centralize account management to prevent duplication of effort inside OpenStack infrastructure.

  • Reduce the burden on users. Single sign-on lets a single authentication method be used to access many different services and environments.

  • Move responsibility for the password recovery process to the IdP.

Further justification and details can be found in Keystone's documentation on federation.