Configuring Keystone

Identity sources

One of the most impactful decisions you’ll have to make when configuring keystone is deciding how you want keystone to source your identity data. Keystone supports several different choices that will substantially impact how you’ll configure, deploy, and interact with keystone.

You can also mix-and-match various sources of identity (see Domain-specific Configuration for an example). For example, you can store OpenStack service users and their passwords in SQL, manage customers in LDAP, and authenticate employees via SAML federation.

Summary

Feature Status LDAP OAuth v1.0a OpenID Connect REMOTE_USER SAML v2 SQL
Local authentication optional
External authentication optional
Identity management optional
PCI-DSS controls optional
Auditing optional

Details

  • Local authentication

    Status: optional.

    Notes: Authenticate with keystone by providing credentials directly to keystone.

    Driver Support:

    • LDAP: complete
    • OAuth v1.0a: complete
    • OpenID Connect: missing
    • REMOTE_USER: missing
    • SAML v2: missing
    • SQL: complete

  • External authentication

    Status: optional.

    Notes: Authenticate with keystone by providing credentials to an external system that keystone trusts (as with federation).

    Driver Support:

    • LDAP: missing
    • OAuth v1.0a: missing
    • OpenID Connect: complete
    • REMOTE_USER: complete
    • SAML v2: complete
    • SQL: missing

  • Identity management

    Status: optional.

    Notes: Create, update, enable/disable, and delete users via Keystone’s HTTP API.

    Driver Support:

    • LDAP: partial
    • OAuth v1.0a: complete
    • OpenID Connect: missing
    • REMOTE_USER: missing
    • SAML v2: missing
    • SQL: complete

  • PCI-DSS controls

    Status: optional.

    Notes: Configure keystone to enforce PCI-DSS compliant security controls.

    Driver Support:

    • LDAP: partial
    • OAuth v1.0a: missing
    • OpenID Connect: missing
    • REMOTE_USER: partial
    • SAML v2: missing
    • SQL: complete

  • Auditing

    Status: optional.

    Notes: Audit authentication flows using PyCADF.

    Driver Support:

    • LDAP: complete
    • OAuth v1.0a: missing
    • OpenID Connect: complete
    • REMOTE_USER: missing
    • SAML v2: complete
    • SQL: complete

Notes:

  • This document is a continuous work in progress