Diffstat (limited to 'keystone-moon/doc/source/mapping_combinations.rst')
-rw-r--r-- | keystone-moon/doc/source/mapping_combinations.rst | 65 |
1 files changed, 59 insertions, 6 deletions
diff --git a/keystone-moon/doc/source/mapping_combinations.rst b/keystone-moon/doc/source/mapping_combinations.rst index 9aa411ad..1b275a4a 100644 --- a/keystone-moon/doc/source/mapping_combinations.rst +++ b/keystone-moon/doc/source/mapping_combinations.rst @@ -206,12 +206,12 @@ In ``<other_condition>`` shown below, please supply one of the following: { "user": { "name": "{0}" - }, - "groups": { - "name": "{1}", - "domain": { - "id": "0cd5e9" - } + } + }, + { + "groups": "{1}", + "domain": { + "id": "0cd5e9" } } ], @@ -594,4 +594,57 @@ global username mapping. ] } +Keystone to Keystone +-------------------- + +Keystone to Keystone federation also utilizes mappings, but has some +differences. + +An attribute file (``/etc/shibboleth/attribute-map.xml``) is used to add +attributes to the Keystone Identity Provider. Attributes look as follows: + +.. code-block:: xml + + <Attribute name="openstack_user" id="openstack_user"/> + <Attribute name="openstack_user_domain" id="openstack_user_domain"/> + +The Keystone Service Provider must contain a mapping as shown below. +``openstack_user``, and ``openstack_user_domain`` match to the attribute +names we have in the Identity Provider. It will map any user with the name +``user1`` or ``admin`` in the ``openstack_user`` attribute and +``openstack_domain`` attribute ``default`` to a group with id ``abc1234``. + +.. code-block:: javascript + + { + rules = [ + { + "local": [ + { + "group": { + "id": "abc1234" + } + } + ], + "remote": [ + { + "type": "openstack_user", + "any_one_of": [ + "user1", + "admin" + ] + }, + { + "type":"openstack_user_domain", + "any_one_of": [ + "Default" + ] + } + ] + } + ] + } +The possible attributes that can be used in a mapping are `openstack_user`, +`openstack_user_domain`, `openstack_roles`, `openstack_project`, and +`openstack_project_domain`. |
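Review bot: in the first hunk (@@ -206,12 +206,12 @@), the new second ``local`` element puts ``"groups": "{1}"`` and ``"domain"`` side by side, but nothing in the hunk tells the reader that the domain applies to the group names substituted for ``{1}``. A one-sentence explanation before the example would make the changed shape understandable without comparing it against the old nested ``"groups": { "name": ..., "domain": ... }`` form.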
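Review bot: in the new "Keystone to Keystone" section (@@ -594,4 +594,57 @@), the paragraph introducing the mapping disagrees with the example it describes: the prose names the attribute ``openstack_domain`` with value ``default``, while the rule matches on ``openstack_user_domain`` with ``"Default"``. Since this rule decides who lands in group ``abc1234``, the text should use the same attribute name and the same case as the rule. The example also opens with ``rules = [``, which is not valid JSON; it should read ``"rules": [``. Two smaller points: there is no blank line between the closing ``}`` of the code block and "The possible attributes ...", so the paragraph runs straight on from the literal block, and that paragraph marks the attribute names with single backticks where the paragraphs above it use double backticks for literals.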