
Setup the Keystone Federation Plugin

Create the domain

openstack --os-cloud default domain create rackspace_cloud_domain

Create the identity provider

openstack --os-cloud default identity provider create --remote-id rackspace --domain rackspace_cloud_domain rackspace

Create the mapping for our identity provider

You can generate your own mapping to suit your needs, or use the example mapping below, which is suitable for production.

[
    {
        "local": [
            {
                "user": {
                    "name": "{0}",
                    "email": "{1}"
                }
            },
            {
                "projects": [
                    {
                        "name": "{2}_Flex",
                        "roles": [
                            {
                                "name": "member"
                            },
                            {
                                "name": "load-balancer_member"
                            },
                            {
                                "name": "heat_stack_user"
                            }
                        ]
                    }
                ]
            }
        ],
        "remote": [
            {
                "type": "RXT_UserName"
            },
            {
                "type": "RXT_Email"
            },
            {
                "type": "RXT_TenantName"
            },
            {
                "type": "RXT_orgPersonType",
                "any_one_of": [
                    "admin",
                    "default",
                    "user-admin",
                    "tenant-access"
                ]
            }
        ]
    }
]

Tip

The example mapping JSON file can be found within the genestack repository at etc/keystone/mapping.json.
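
To see what this mapping grants before registering it, the sketch below models how the rule is evaluated: the three unconditioned remote attributes fill {0}, {1} and {2} in order, while the RXT_orgPersonType entry only gates the rule. This is an added example, not genestack or Keystone code; `evaluate` and `substitute` are hypothetical helpers giving a simplified model of Keystone's rule matching, and the sample assertions are constructed.

```python
import json
import re

# The example mapping from this page, compacted.
MAPPING = json.loads("""
[{"local": [{"user": {"name": "{0}", "email": "{1}"}},
            {"projects": [{"name": "{2}_Flex",
                           "roles": [{"name": "member"},
                                     {"name": "load-balancer_member"},
                                     {"name": "heat_stack_user"}]}]}],
  "remote": [{"type": "RXT_UserName"}, {"type": "RXT_Email"},
             {"type": "RXT_TenantName"},
             {"type": "RXT_orgPersonType",
              "any_one_of": ["admin", "default", "user-admin", "tenant-access"]}]}]
""")

def substitute(node, values):
    """Replace {N} placeholders in every string of a nested structure."""
    if isinstance(node, str):
        return re.sub(r"\{(\d+)\}", lambda m: values[int(m.group(1))], node)
    if isinstance(node, list):
        return [substitute(n, values) for n in node]
    if isinstance(node, dict):
        return {k: substitute(v, values) for k, v in node.items()}
    return node

def evaluate(mapping, assertion):
    """Return the local identity for the first matching rule, else None."""
    for rule in mapping:
        values = []
        for req in rule["remote"]:
            got = assertion.get(req["type"])
            if not got:
                break  # required attribute missing: rule does not match
            if "any_one_of" in req:
                # Assumption: multi-valued attributes arrive ';'-separated.
                if not set(got.split(";")) & set(req["any_one_of"]):
                    break  # condition failed: rule does not match
                continue  # conditions gate the rule but fill no {N} slot
            values.append(got)
        else:
            return substitute(rule["local"], values)
    return None

# Constructed sample assertions (not real accounts).
ALLOWED = {"RXT_UserName": "alice", "RXT_Email": "alice@example.com",
           "RXT_TenantName": "123456", "RXT_orgPersonType": "user-admin"}
DENIED = dict(ALLOWED, RXT_orgPersonType="contractor")
```

`evaluate(MAPPING, ALLOWED)` yields user `alice` with the three roles on project `123456_Flex`; `evaluate(MAPPING, DENIED)` returns `None`, meaning the federated login is rejected because no rule matched.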

Now register the mapping within Keystone. The command below reads the rules from /tmp/mapping.json, so save the mapping to that path first.

openstack --os-cloud default mapping create --rules /tmp/mapping.json rackspace_mapping

Create the federation protocol

openstack --os-cloud default federation protocol create rackspace --mapping rackspace_mapping --identity-provider rackspace