This example shows how to create the Keystone-To-Keystone federation
connection, starting with the mappings on the Keystone Service
Provider.
About this task
For more information about configuring Keystone-To-Keystone federation,
see Configuring Keystone for Federation.
Procedure
- Log in to the controller node that acts as the Keystone Service
Provider, and export the following environment variables:
export OS_IDENTITY_API_VERSION=3
export OS_AUTH_URL=http://os-node-fqdn:5000/v3
export OS_USERNAME=os-user-name
export OS_PASSWORD=os-password
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=os-project-name
where the variables hold the appropriate values for your environment. The example uses a plain http:// endpoint; in production, point OS_AUTH_URL at an HTTPS endpoint, because OS_PASSWORD is sent to that URL whenever a token is requested.
- Create the domain, project, and group, and assign a role to the group
with the following commands:
# openstack domain create domain-name
# openstack project create project-name --domain domain-name
# openstack group create group-name --domain domain-name
# openstack role add admin --group group-name --project project-name
where domain-name is the domain name, project-name is the project name, and group-name is the group name. Note the id value that openstack group create prints; the mapping in the next step refers to the group by ID, not by name. Every federated user that the mapping places in this group receives the role assigned here, so grant admin only if federated users genuinely need to administer the project; otherwise assign a less privileged role such as member.
- Create the mapping.
- Create a file named mapping with the following example content:
[
{
"local": [
{
"user": {
"name": "{0}"
}
},
{
"group": {
"id": "group-id"
}
}
],
"remote": [
{
"type": "openstack_user"
}
]
}
]
where group-id is the ID of the group created in the previous step. The remote attribute openstack_user is the user name that the Keystone Identity Provider includes in its assertion, and {0} in the local user name refers to that first remote attribute, so each federated user is created with the same name it has on the Identity Provider and is placed in the group.
- Run the following command to create the mapping:
# openstack mapping create mapping-name --rules mapping
where mapping-name is the mapping name and the --rules argument is the path of the file created above.
- Register the Keystone Identity
Provider, and create the federation protocol with the following commands:
# openstack identity provider create provider-name
# openstack federation protocol create protocol-name --identity-provider provider-name --mapping mapping-name
where provider-name is the identity provider name, protocol-name is the protocol name, and mapping-name is the mapping created in the previous step. The Service Provider matches an incoming assertion to a registered identity provider by its remote ID, so set the remote ID of provider-name (the --remote-id option of openstack identity provider create) to the idp_entity_id configured on the Identity Provider; otherwise the assertion is rejected. For details, see Configuring Keystone for Federation.
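The following script is an added example, not part of the original page, that runs the Service Provider side of the procedure above end to end. All names (the federated domain, project, group, mapping, identity provider and protocol, and the IdP remote ID) are placeholders chosen here and must be replaced with your own; the script assumes the OS_* variables from step 1 are already exported and that the openstack CLI is installed. It reads the group ID back from openstack group create instead of expecting the administrator to paste it, checks the rendered mapping before sending it to Keystone, and defaults to the member role rather than admin.

```shell
#!/bin/sh
# Added example (not from the original page): Service Provider setup for
# Keystone-To-Keystone federation. Placeholder names below are assumptions.
set -eu

DOMAIN_NAME="${DOMAIN_NAME:-federated}"
PROJECT_NAME="${PROJECT_NAME:-federated-project}"
GROUP_NAME="${GROUP_NAME:-federated-users}"
ROLE_NAME="${ROLE_NAME:-member}"            # least privilege: not admin by default
MAPPING_NAME="${MAPPING_NAME:-k2k-mapping}"
IDP_NAME="${IDP_NAME:-keystone-idp}"
# Must equal idp_entity_id on the Identity Provider; assertions from any
# other issuer are rejected by the Service Provider. Placeholder URL.
IDP_REMOTE_ID="${IDP_REMOTE_ID:-https://idp.example.com/v3/OS-FEDERATION/saml2/idp}"
PROTOCOL_NAME="${PROTOCOL_NAME:-saml2}"

# Render the mapping rules from the page for a given group ID: the remote
# openstack_user attribute becomes the local user name ({0}) and the user
# is placed in the group identified by ID.
render_mapping_rules() {
    _gid="$1"
    printf '[{"local":[{"user":{"name":"{0}"}},{"group":{"id":"%s"}}],"remote":[{"type":"openstack_user"}]}]\n' "$_gid"
}

# Refuse the literal placeholder "group-id" and require the openstack_user
# remote attribute that a Keystone Identity Provider assertion carries.
check_mapping_rules() {
    _rules="$1"
    case "$_rules" in
        *'"id":"group-id"'*) echo "group ID placeholder not replaced" >&2; return 1 ;;
    esac
    case "$_rules" in
        *'"type":"openstack_user"'*) ;;
        *) echo "mapping lacks openstack_user remote attribute" >&2; return 1 ;;
    esac
    return 0
}

k2k_sp_setup() {
    : "${OS_AUTH_URL:?export the OS_* variables from step 1 first}"
    case "$OS_AUTH_URL" in
        http://*) echo "warning: OS_AUTH_URL is plaintext HTTP; OS_PASSWORD is sent in the clear" >&2 ;;
    esac

    openstack domain create "$DOMAIN_NAME"
    openstack project create "$PROJECT_NAME" --domain "$DOMAIN_NAME"
    # -f value -c id prints only the new group's ID, which the mapping needs.
    gid=$(openstack group create "$GROUP_NAME" --domain "$DOMAIN_NAME" -f value -c id)
    openstack role add "$ROLE_NAME" --group "$gid" \
        --project "$PROJECT_NAME" --project-domain "$DOMAIN_NAME"

    rules=$(render_mapping_rules "$gid")
    check_mapping_rules "$rules"
    tmp=$(mktemp)
    printf '%s\n' "$rules" > "$tmp"
    openstack mapping create "$MAPPING_NAME" --rules "$tmp"
    rm -f "$tmp"

    openstack identity provider create "$IDP_NAME" --remote-id "$IDP_REMOTE_ID"
    openstack federation protocol create "$PROTOCOL_NAME" \
        --identity-provider "$IDP_NAME" --mapping "$MAPPING_NAME"
}

# Only run the setup when invoked as: sh k2k_sp_setup.sh setup
case "${1:-}" in
    setup) k2k_sp_setup ;;
esac
```

The mapping is rendered and checked in separate functions so the JSON can be inspected (for example with `sh k2k_sp_setup.sh` followed by `render_mapping_rules <id>` in an interactive shell) before anything is written to Keystone, and so a forgotten placeholder fails locally instead of producing a mapping that silently matches no group.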