Federated Identity Management
Non-federated Users
This diagram depicts how local users outside the Aristotle federation can log into the OpenStack cloud using an LDAP-integrated OpenStack user domain:
See the Integrate Identity back end with LDAP section of this page for instructions on setting up an LDAP-integrated domain in OpenStack.
Federated Login
To enable users from Aristotle federation to access the cloud, we need to:
- Authenticate users using Globus Auth, and
- Grant access according to the authenticated identity
Authentication
Follow the instructions on the Configure Openstack for Single Sign On with Globus page to configure Horizon to accept web single sign-on with Globus Auth.
Access Management
Option 1: Integrate with Backend Directory
This option takes the Aristotle user account info from the Aristotle portal and creates the corresponding users and groups/projects in the backend Active Directory/LDAP server. The required OpenStack mapping (see here) is then generated by querying the Active Directory/LDAP server.
The additional complexity over Option 2 buys the following:
- the local Active Directory/LDAP can manage non-local users from the Aristotle Federation,
- if the local Active Directory/LDAP holds the required Globus subs, all users (local and federated) can use Globus Auth to log in, and
- users can access all their local and Aristotle projects in Horizon, regardless of which authentication mechanism (LDAP or Globus) is used.
Option 2: Integrate with Cloud Only
This option simply generates the required OpenStack mapping (see here) from the Aristotle portal's account info; the local backend Active Directory/LDAP is left untouched.
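Both options end with the same artifact, a Keystone mapping document. As an added example that is not part of this wiki or of the Aristotle project's code, the Python below turns a constructed export of portal accounts into that document (Option 2's approach; Option 1 would fill the same structure from an LDAP query instead) and includes a simplified evaluator to check which groups a given Globus login would receive. The record field names, the `aristotle` domain name and the `OIDC-sub`/`OIDC-email` attribute names (which depend on how mod_auth_openidc is configured in front of Keystone) are assumptions.

```python
import json

# Constructed sample of account records as the Aristotle portal might export
# them. The field names (globus_sub, email, projects) are assumptions made
# for this example, not the portal's real schema.
PORTAL_ACCOUNTS = [
    {"globus_sub": "1111-aaaa", "email": "alice@example.edu", "projects": ["astro", "genomics"]},
    {"globus_sub": "2222-bbbb", "email": "bob@example.edu", "projects": ["astro"]},
]

# Assumed name of the Keystone domain that holds the federated groups.
FEDERATED_DOMAIN = "aristotle"


def build_mapping(accounts, domain=FEDERATED_DOMAIN):
    """Build a Keystone mapping document ({"rules": [...]}) from portal accounts.

    One rule per account: the rule only fires when the IdP-supplied sub
    matches that account's Globus sub (any_one_of acts as a filter), the
    e-mail claim becomes the ephemeral user name ({0} is the first remote
    entry that is a plain direct map rather than a filter), and each project
    becomes a group membership in the federated domain. The OIDC-* attribute
    names assume mod_auth_openidc exporting claims with an "OIDC-" prefix.
    """
    rules = []
    for acct in accounts:
        local = [{"user": {"name": "{0}", "type": "ephemeral"}}]
        for project in acct["projects"]:
            local.append({"group": {"name": project, "domain": {"name": domain}}})
        rules.append({
            "local": local,
            "remote": [
                {"type": "OIDC-sub", "any_one_of": [acct["globus_sub"]]},
                {"type": "OIDC-email"},
            ],
        })
    return {"rules": rules}


def mapping_json(accounts, domain=FEDERATED_DOMAIN):
    """Serialise the mapping for `openstack mapping create --rules <file>`."""
    return json.dumps(build_mapping(accounts, domain), indent=2)


def _direct_maps(remote, assertion):
    """Simplified model of how Keystone checks one rule's remote section.

    Returns the positional direct-map values, or None if a filter fails.
    Entries with any_one_of / not_any_of only filter; entries with just a
    type contribute their value to the {n} substitutions. Assertion values
    are treated as single strings, which is what mod_auth_openidc exports.
    """
    direct = []
    for req in remote:
        value = assertion.get(req["type"])
        if value is None:
            return None  # attribute absent from the assertion: rule cannot match
        if "any_one_of" in req:
            if value not in req["any_one_of"]:
                return None
            continue
        if "not_any_of" in req:
            if value in req["not_any_of"]:
                return None
            continue
        direct.append(value)
    return direct


def resolve(mapping, assertion):
    """Apply the mapping to a decoded assertion; returns (user, [group names]).

    A sub with no matching rule yields (None, []): no user and no groups, so
    Keystone would reject the login. That default-deny is what makes the
    portal export the authoritative access list.
    """
    user, groups = None, []
    for rule in mapping["rules"]:
        direct = _direct_maps(rule["remote"], assertion)
        if direct is None:
            continue
        for item in rule["local"]:
            if "user" in item:
                user = {k: v.format(*direct) if isinstance(v, str) else v
                        for k, v in item["user"].items()}
            if "group" in item:
                groups.append(item["group"]["name"])
    return user, groups


if __name__ == "__main__":
    print(mapping_json(PORTAL_ACCOUNTS))
    print(resolve(build_mapping(PORTAL_ACCOUNTS),
                  {"OIDC-sub": "1111-aaaa", "OIDC-email": "alice@example.edu"}))
```

Write the JSON to a file, load it with `openstack mapping create --rules mapping.json <name>` and attach it to the Globus identity provider's protocol; the groups named in the rules must already exist in the federated domain with role assignments on the matching projects, since the mapping only decides membership. Filtering on `sub` rather than on the e-mail claim is deliberate: the Globus sub is the stable identifier, so a login whose e-mail happens to equal another account's e-mail but whose sub is not in the export resolves to no user and no groups.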