Yan0S Keystone Saml Mellon

  • By Yanos Angelopoulos
  • Cloud
Channel        Revision  Published    Runs on
latest/stable  1         19 Mar 2021  Ubuntu 18.04, Ubuntu 16.04
latest/beta    1         19 Mar 2021  Ubuntu 18.04, Ubuntu 16.04
juju deploy yan0s-keystone-saml-mellon

Platform: Ubuntu 18.04, 16.04

Federated identity with SAML via Mellon Service Provider

The main goal of this charm is to generate the configuration that the Keystone charm needs in three areas: Service Provider config generation, trust establishment between a remote IdP and the SP via certificates, and signaling a Keystone service restart. Keystone has a concept of a federated backend, which serves multiple purposes, including acting as the backend part of a Service Provider in an authentication scenario where SAML is used. Unless ECP is used on the Keystone client side, the SAML-related exchange is performed in an Apache authentication module (Mellon, in the case of this charm), and SAML assertions are converted to WSGI environment variables that are passed down to the particular mod_wsgi interpreter running Keystone code. Keystone has an authentication plug-in called "mapped", which does the rest of the work: resolving symbolic attributes and using them in mappings defined by an operator, or validating the existence of referenced IDs.
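The flow described above, as an added sketch that is not part of the charm or of Keystone's code: assertion attributes arrive as WSGI environment variables and a mapping rule turns them into a local user and groups. Assumptions: the `MELLON_` variable prefix, `;`-joined multi-valued attributes, the attribute name `groups` and all sample identities are constructed, and only the `type` and `any_one_of` rule keys are modelled.

```python
# Simplified model of "mapped" rule evaluation; NOT Keystone's implementation.
# The mapping and both environ dicts are constructed sample data.

def assertion_from_environ(environ, prefix="MELLON_"):
    """Keep only variables set by the Apache module; split multi-values on ';'."""
    return {k: v.split(";") for k, v in environ.items()
            if k.startswith(prefix) and isinstance(v, str)}

def match_remote(remote, assertion):
    """Return values for each plain 'type' requirement, or None if the rule fails."""
    matched = []
    for req in remote:
        values = assertion.get(req["type"])
        if not values:
            return None          # required attribute missing from the assertion
        if "any_one_of" in req:
            if not set(values) & set(req["any_one_of"]):
                return None      # condition not met
            continue             # pure condition: contributes no "{n}" value
        matched.append(values)
    return matched

def apply_mapping(mapping, environ):
    """Return the local identity for the first matching rule, else None."""
    assertion = assertion_from_environ(environ)
    for rule in mapping["rules"]:
        matched = match_remote(rule["remote"], assertion)
        if matched is None:
            continue
        firsts = [m[0] for m in matched]
        user = next(l["user"]["name"] for l in rule["local"] if "user" in l)
        groups = [l["group"]["name"] for l in rule["local"] if "group" in l]
        return {"user": user.format(*firsts), "groups": groups}
    return None                  # no rule matched: no local identity is issued

MAPPING = {"rules": [{
    "local": [{"user": {"name": "{0}"}},
              {"group": {"name": "cloud-admins", "domain": {"name": "Default"}}}],
    "remote": [{"type": "MELLON_NAME_ID"},
               {"type": "MELLON_groups", "any_one_of": ["openstack-admins"]}],
}]}

# Environment as the Apache module would populate it from a validated assertion.
GOOD = {"REQUEST_METHOD": "GET", "MELLON_NAME_ID": "alice@example.org",
        "MELLON_groups": "staff;openstack-admins"}
# A request header named like the attribute reaches WSGI only as HTTP_*.
SPOOFED = {"REQUEST_METHOD": "GET", "MELLON_NAME_ID": "mallory@example.org",
           "MELLON_groups": "staff", "HTTP_MELLON_GROUPS": "openstack-admins"}
```

The second environ shows why the mapping must key only on variables set by the authentication module: request headers are exposed to WSGI under the `HTTP_` prefix and never satisfy a `MELLON_` rule.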