Federated keystone identity provides a mechanism for end users to use existing credentials maintained by an organization's own identity provider. FreeIPA is an identity and authentication management solution. In this presentation, we describe integrating keystone with FreeIPA as the backend identity provider, using OpenID Connect as the federation protocol. This setup eases the burden of user account administration within OpenStack, giving users access to the Horizon dashboard and the OpenStackClient tools with their existing FreeIPA credentials. We describe the development of a self-service web portal for users to manage an API key, a new authentication plugin for keystone, and the integration of an OAuth2/OpenID Connect consent endpoint for FreeIPA. Access control is provided by a custom ACL extension in the federated keystone driver that pulls groups and projects directly from FreeIPA. This work is supported by Aristotle, an NSF DIBBs-funded federated cloud consortium, and SUNY at Buffalo's LakeEffect cloud.
After attending this presentation, operators of OpenStack clouds will understand the deployment and configuration of federated keystone identity with an existing FreeIPA-based identity provider. The challenges of integrating federated logins with the OpenStackClient tools are discussed, along with a custom solution based on a self-service web portal that integrates with FreeIPA and OAuth2/OpenID Connect. Attendees will also learn about the configuration of ACLs that provide fine-grained access to cloud resources using a newly developed keystone plugin.