Workflow logic for the Federation service.
Bases: keystone.auth.controllers.Auth
Exchange a scoped token for an ECP assertion.
Parameters: auth – Dictionary that contains a token and service provider ID
Returns: ECP Assertion based on properties from the token
Exchange a scoped token for a SAML assertion.
Parameters: auth – Dictionary that contains a token and service provider ID
Returns: SAML Assertion based on properties from the token
Bases: keystone.common.controller.V3Controller
List all domains available to an authenticated user.
Parameters: context – request context
Returns: list of accessible domains
Bases: keystone.federation.controllers._ControllerBase
A federation protocol representation.
See the keystone.common.controller.V3Controller docstring for an explanation of the _public_parameters class attributes.
Bases: keystone.federation.controllers._ControllerBase
Identity Provider representation.
Bases: keystone.federation.controllers._ControllerBase
Bases: keystone.common.controller.V3Controller
List all projects available to an authenticated user.
Parameters: context – request context
Returns: list of accessible projects
Bases: keystone.federation.controllers._ControllerBase
Main entry point into the Federation service.
Bases: keystone.federation.backends.base.FederationDriverBase
Bases: keystone.common.manager.Manager
Default pivot point for the Federation backend.
See keystone.common.manager.Manager for more details on how this dynamically calls the backend.
List enabled service providers for Service Catalog.
A Service Provider entry in the catalog contains three attributes: id, auth_url and sp_url, where:
Returns: list of dictionaries with enabled service providers
Return type: list of dicts
Bases: keystone.federation.backends.base.V9FederationWrapperForV8Driver
Bases: object
A class for generating an ECP assertion.
Bases: object
A class for generating SAML IdP Metadata.
Generate Identity Provider Metadata.
Generate and format metadata into XML that can be exposed and consumed by a federated Service Provider.
Returns: XML <EntityDescriptor> object.
Raises keystone.exception.ValidationError: If the required config options aren't set.
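As an added illustration (not keystone's MetadataGenerator), this builds a minimal SAML 2.0 IdP EntityDescriptor from a config dict and refuses to emit metadata when required options are unset; the config key names, endpoint URLs and certificate value are hypothetical placeholders.

```python
# Added example, not keystone code: minimal SAML IdP metadata generator.
# Config keys (idp_entity_id, idp_sso_endpoint, signing_cert_b64) are assumed names.
import xml.etree.ElementTree as ET

MD = 'urn:oasis:names:tc:SAML:2.0:metadata'
DS = 'http://www.w3.org/2000/09/xmldsig#'
ET.register_namespace('md', MD)
ET.register_namespace('ds', DS)

class ValidationError(Exception):
    """Stand-in for keystone.exception.ValidationError."""

REQUIRED = ('idp_entity_id', 'idp_sso_endpoint', 'signing_cert_b64')

def generate_metadata(conf):
    """Return the EntityDescriptor element, or raise if required options are unset."""
    missing = [k for k in REQUIRED if not conf.get(k)]
    if missing:
        raise ValidationError('missing config options: %s' % ', '.join(missing))
    entity = ET.Element('{%s}EntityDescriptor' % MD, entityID=conf['idp_entity_id'])
    idp = ET.SubElement(entity, '{%s}IDPSSODescriptor' % MD,
                        protocolSupportEnumeration='urn:oasis:names:tc:SAML:2.0:protocol')
    # The published signing certificate is what a Service Provider uses to
    # verify the signature on assertions this IdP issues.
    key = ET.SubElement(idp, '{%s}KeyDescriptor' % MD, use='signing')
    info = ET.SubElement(key, '{%s}KeyInfo' % DS)
    data = ET.SubElement(info, '{%s}X509Data' % DS)
    ET.SubElement(data, '{%s}X509Certificate' % DS).text = conf['signing_cert_b64']
    ET.SubElement(idp, '{%s}NameIDFormat' % MD).text = \
        'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
    ET.SubElement(idp, '{%s}SingleSignOnService' % MD,
                  Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
                  Location=conf['idp_sso_endpoint'])
    return entity

def metadata_xml(conf):
    """Serialise the EntityDescriptor as text, as a metadata endpoint would return it."""
    return ET.tostring(generate_metadata(conf), encoding='unicode')

# Constructed configuration: placeholder URLs and a placeholder certificate string.
EXAMPLE_CONF = {'idp_entity_id': 'https://keystone.example.com/v3/OS-FEDERATION/saml2/idp',
                'idp_sso_endpoint': 'https://keystone.example.com/v3/OS-FEDERATION/saml2/sso',
                'signing_cert_b64': 'MIIB...placeholder...'}
```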
Bases: object
A class to generate SAML assertions.
Convert Keystone attributes to a SAML assertion.
Parameters:
Returns: XML <Response> object
Bases: keystone.common.wsgi.RoutersBase
API Endpoints for the Federation extension.
The API looks like:
PUT /OS-FEDERATION/identity_providers/{idp_id}
GET /OS-FEDERATION/identity_providers
GET /OS-FEDERATION/identity_providers/{idp_id}
DELETE /OS-FEDERATION/identity_providers/{idp_id}
PATCH /OS-FEDERATION/identity_providers/{idp_id}
PUT /OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
GET /OS-FEDERATION/identity_providers/{idp_id}/protocols
GET /OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
PATCH /OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
DELETE /OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
PUT /OS-FEDERATION/mappings
GET /OS-FEDERATION/mappings
PATCH /OS-FEDERATION/mappings/{mapping_id}
GET /OS-FEDERATION/mappings/{mapping_id}
DELETE /OS-FEDERATION/mappings/{mapping_id}
GET /OS-FEDERATION/projects
GET /OS-FEDERATION/domains
PUT /OS-FEDERATION/service_providers/{sp_id}
GET /OS-FEDERATION/service_providers
GET /OS-FEDERATION/service_providers/{sp_id}
DELETE /OS-FEDERATION/service_providers/{sp_id}
PATCH /OS-FEDERATION/service_providers/{sp_id}
GET /OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/auth
POST /OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/auth
GET /auth/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/websso?origin=https%3A//horizon.example.com
POST /auth/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/websso?origin=https%3A//horizon.example.com
POST /auth/OS-FEDERATION/saml2
POST /auth/OS-FEDERATION/saml2/ecp
GET /OS-FEDERATION/saml2/metadata
GET /auth/OS-FEDERATION/websso/{protocol_id}?origin=https%3A//horizon.example.com
POST /auth/OS-FEDERATION/websso/{protocol_id}?origin=https%3A//horizon.example.com
Utilities for Federation Extension.
Bases: object
An abstraction around the remote matches.
Each match is treated internally as a list.
Bases: object
A class to process assertions and mapping rules.
Transform an assertion to a dictionary.
The dictionary contains the user name and group ids derived from the mapping rules.
This function iterates through the mapping rules to find the rules that the assertion satisfies.
Parameters: assertion_data (dict) – an assertion containing values from an IdP
Example assertion_data:
{
    'Email': 'testacct@example.com',
    'UserName': 'testacct',
    'FirstName': 'Test',
    'LastName': 'Account',
    'orgPersonType': 'Tester'
}
Returns: dictionary with user and group_ids
The expected return structure is:
{
    'name': 'foobar',
    'group_ids': ['abc123', 'def456'],
    'group_names': [
        {
            'name': 'group_name_1',
            'domain': {
                'name': 'domain1'
            }
        },
        {
            'name': 'group_name_1_1',
            'domain': {
                'name': 'domain1'
            }
        },
        {
            'name': 'group_name_2',
            'domain': {
                'id': 'xyz132'
            }
        }
    ]
}
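To make the rule-processing step concrete, here is an added, simplified evaluator for keystone-style mapping rules (it is not keystone's own RuleProcessor). It consumes the example assertion_data above and produces the {'name', 'group_ids', 'group_names'} structure described; the rules and group ids are constructed for the example.

```python
# Added example (not keystone's RuleProcessor): a simplified evaluator for
# keystone-style mapping rules; rules and group ids below are constructed.
ASSERTION = {'Email': 'testacct@example.com', 'UserName': 'testacct',
             'FirstName': 'Test', 'LastName': 'Account', 'orgPersonType': 'Tester'}

# A rule applies only if every "remote" entry matches; plain entries (no
# condition) also feed the {0}, {1}, ... placeholders of the "local" templates.
RULES = [
    {'remote': [{'type': 'UserName'},
                {'type': 'orgPersonType', 'any_one_of': ['Tester', 'Admin']}],
     'local': [{'user': {'name': '{0}'}}, {'group': {'id': 'abc123'}}]},
    {'remote': [{'type': 'orgPersonType'}],
     'local': [{'group': {'name': 'group_{0}', 'domain': {'name': 'domain1'}}}]},
    {'remote': [{'type': 'orgPersonType', 'any_one_of': ['Admin']}],
     'local': [{'group': {'id': 'def456'}}]},   # does not match a Tester
]

def _check(cond, assertion):
    """Return (matched, direct_values); direct_values is None for conditional entries."""
    values = assertion.get(cond['type'])
    if values is None:
        return False, None                 # attribute absent: the rule cannot apply
    values = values if isinstance(values, list) else [values]
    if 'any_one_of' in cond:
        return any(v in cond['any_one_of'] for v in values), None
    if 'not_any_of' in cond:
        return not any(v in cond['not_any_of'] for v in values), None
    return True, values

def process(rules, assertion):
    """Evaluate every rule and merge the local parts of the rules that match."""
    result = {'name': None, 'group_ids': [], 'group_names': []}
    for rule in rules:
        checks = [_check(c, assertion) for c in rule['remote']]
        if not all(ok for ok, _ in checks):
            continue                       # one failed condition rejects the whole rule
        direct = [vals[0] for ok, vals in checks if vals]
        for item in rule['local']:
            if 'user' in item:
                result['name'] = item['user']['name'].format(*direct)
            elif 'id' in item.get('group', {}):
                result['group_ids'].append(item['group']['id'])
            elif 'group' in item:
                result['group_names'].append({'name': item['group']['name'].format(*direct),
                                              'domain': item['group']['domain']})
    return result
```

Note that an assertion lacking an attribute a rule names (here orgPersonType) yields no user name at all, which is the safe outcome: nothing is mapped unless every remote condition holds.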
Bases: object
User mapping type.
Transform groups identified by name/domain to their ids.
The function accepts a list of groups identified by name and domain and returns the corresponding group ids.
Example of group_names parameter:
[
    {
        "name": "group_name",
        "domain": {
            "id": "domain_id"
        },
    },
    {
        "name": "group_name_2",
        "domain": {
            "name": "domain_name"
        }
    }
]
Parameters:
Returns: generator object with group ids
Raises keystone.exception.MappedGroupNotFound: in case the requested group doesn't exist in the backend.
The IdP providing the assertion should be registered for the mapping.
Iterate over group ids and make sure they are present in the backend.
This call is not transactional.
Parameters: group_ids (list of str) – IDs of the groups to be checked
Raises keystone.exception.MappedGroupNotFound: If the group returned by mapping was not found in the backend.
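The two checks above (resolving name/domain group references to ids, and verifying that mapped group ids exist) as an added example against an in-memory backend; this is not keystone's Manager code, and the backend contents, group ids and the stand-in exception class are constructed.

```python
# Added example (not keystone code): resolve group_names entries to ids and
# verify group ids against a constructed in-memory backend.
class MappedGroupNotFound(Exception):
    """Stand-in for keystone.exception.MappedGroupNotFound."""

# Constructed backend: domain id -> name, and (group name, domain id) -> group id.
DOMAINS = {'domain_id': 'domain_name'}
GROUPS = {('group_name', 'domain_id'): 'g-001',
          ('group_name_2', 'domain_id'): 'g-002'}

def _domain_id(domain):
    """Accept a domain given either by id or by name, as the mapping allows."""
    if 'id' in domain:
        if domain['id'] not in DOMAINS:
            raise MappedGroupNotFound('domain id %s not found' % domain['id'])
        return domain['id']
    for dom_id, name in DOMAINS.items():
        if name == domain['name']:
            return dom_id
    raise MappedGroupNotFound('domain named %s not found' % domain['name'])

def resolve_group_ids(group_names):
    """Generator of group ids; raises as soon as one mapped group does not exist."""
    for entry in group_names:
        key = (entry['name'], _domain_id(entry['domain']))
        if key not in GROUPS:
            raise MappedGroupNotFound('group %s not found in domain %s' % key)
        yield GROUPS[key]

def check_group_ids(group_ids):
    """Non-transactional check that every id is present in the backend."""
    known = set(GROUPS.values())
    missing = [gid for gid in group_ids if gid not in known]
    if missing:
        raise MappedGroupNotFound('unknown group ids: %s' % ', '.join(missing))
    return True
```

Because resolve_group_ids is a generator, the lookup failure surfaces only when the caller iterates it, so a caller that needs the whole list validated up front should materialise it with list().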