Federated keystone


Service Provider (SP)

A system entity that provides services to principals or other system entities. In this case, OpenStack Identity is the service provider.

Identity Provider (IdP)

A directory service, such as LDAP, RADIUS, or Active Directory, that allows users to log in with a user name and password. It is a typical source of authentication tokens (for example, passwords) for an :term:`identity provider`.

Federated Identity is a mechanism to establish trust between IdPs and SPs, in this case between Identity Providers and the services provided by an OpenStack cloud. It provides a secure way to use existing credentials to access cloud resources such as servers, volumes, and databases across multiple endpoints. The credential is maintained by the user's IdP, not by the cloud.


There are two underlying reasons to use it:

  1. Reduced complexity makes your deployment easier to secure.

  2. It saves time for you and your users.

  • Centralize account management to prevent duplication of effort inside OpenStack infrastructure.

  • Reduce the burden on users. Single sign-on lets a single authentication method be used to access many different services and environments.

  • Move responsibility for the password recovery process to the IdP.

Further justification and details can be found in Keystone's documentation on federation.