
Federated Identity Management

aboschke edited this page Dec 17, 2018 · 10 revisions

Non-federated Users

This diagram depicts how local users outside the Aristotle federation log into the Openstack cloud through an LDAP-integrated Openstack user domain:

(Diagram: Non-Federated User Login)

See the Integrate Identity back end with LDAP section of this page for instructions for setting up an LDAP-integrated domain in Openstack.

Federated Login

To enable users from the Aristotle federation to access the cloud, we need to:

  1. Authenticate users using Globus Auth, and
  2. Grant access according to the authenticated identity.

Authentication

Follow the instructions on the Configure Openstack for Single Sign On with Globus page to configure Horizon to accept web single sign-on with Globus Auth.

Access Management

Option 1: Integrate with Backend Directory

This option takes the Aristotle user account info from the Aristotle portal and creates the users and groups/projects in the backend Active Directory/LDAP server. The required Openstack mapping (see here) is then generated by querying the Active Directory/LDAP server.

The additional complexity compared with Option 2 enables the following:

  1. The local Active Directory/LDAP can manage non-local users from the Aristotle Federation,
  2. If the local Active Directory/LDAP holds the required Globus subs (the subject identifiers Globus Auth returns), all users, local and federated, can use Globus Auth to log in, and
  3. Users can access all their local and Aristotle projects in Horizon regardless of which authentication mechanism (LDAP or Globus) is used.

(Diagram: Integrate with Backend Directory)

Option 2: Integrate with Cloud Only

This option simply generates the required Openstack mapping (see here) from the Aristotle portal's account info. The local backend Active Directory/LDAP can be left untouched.

(Diagram: Integrate with Cloud Only)
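Both options end in the same artifact: a Keystone federation mapping that turns the Globus Auth assertion into a local user plus group memberships. The following is an added example (not code from the Aristotle project or its wiki) of generating such a mapping from portal-style account records and checking which identity a given assertion would resolve to. The portal export format, the `aristotle` domain name and the `OIDC-sub` attribute name are assumptions for illustration; the mapping structure (`rules`, `local`, `remote`, `any_one_of`, `type: ephemeral`) is Keystone's own format.

```python
"""Build an OpenStack Keystone federation mapping from portal account records
and check which identity a Globus Auth assertion would resolve to.

Added example: the portal export format, the domain name and the attribute
names below are assumptions, not the Aristotle project's real schema."""
import json
import re

# Constructed sample of portal account data (field names are assumed).
PORTAL_ACCOUNTS = [
    {"globus_sub": "11111111-aaaa-4bbb-8ccc-000000000001",
     "username": "alice", "projects": ["climate-sim", "genomics"]},
    {"globus_sub": "11111111-aaaa-4bbb-8ccc-000000000002",
     "username": "bob", "projects": ["genomics"]},
]

DOMAIN = "aristotle"   # assumed name of the Keystone domain for federated users
SUB_ATTR = "OIDC-sub"  # assumed name under which the OIDC module exposes the 'sub' claim


def build_mapping(accounts):
    """One rule per account: match the exact Globus 'sub' (no regex, no
    wildcard), create an ephemeral local user, and put it in one group per
    project. A sub that is not in the portal matches no rule, so access is
    denied by default."""
    rules = []
    for acct in accounts:
        local = [{"user": {"name": acct["username"], "type": "ephemeral"}}]
        local += [{"group": {"name": f"{p}-members", "domain": {"name": DOMAIN}}}
                  for p in acct["projects"]]
        rules.append({
            "local": local,
            "remote": [{"type": SUB_ATTR, "any_one_of": [acct["globus_sub"]]}],
        })
    return {"rules": rules}


def _condition_holds(cond, value):
    """Evaluate one 'remote' condition against the asserted attribute value."""
    if "any_one_of" in cond:
        if cond.get("regex"):
            return any(re.fullmatch(p, value) for p in cond["any_one_of"])
        return value in cond["any_one_of"]
    if "not_any_of" in cond:
        return value not in cond["not_any_of"]
    return True  # plain condition: only requires the attribute to be present


def resolve(mapping, assertion):
    """Simplified model of Keystone's rule evaluation: a rule applies only when
    every 'remote' condition holds; values from plain conditions fill
    {0}, {1}, ... on the 'local' side (direct mapping). Returns
    (user_name, set_of_groups), or None when no rule matches."""
    user, groups = None, set()
    for rule in mapping["rules"]:
        direct = []
        for cond in rule["remote"]:
            value = assertion.get(cond["type"])
            if value is None or not _condition_holds(cond, value):
                break
            if "any_one_of" not in cond and "not_any_of" not in cond:
                direct.append(value)
        else:  # no break: every condition of this rule held
            for item in rule["local"]:
                if "user" in item:
                    user = item["user"]["name"].format(*direct)
                if "group" in item:
                    groups.add(item["group"]["name"].format(*direct))
    return None if user is None else (user, groups)


MAPPING = build_mapping(PORTAL_ACCOUNTS)

if __name__ == "__main__":
    # The JSON below is what you would load with 'openstack mapping create'.
    print(json.dumps(MAPPING, indent=2))
    print(resolve(MAPPING, {SUB_ATTR: "11111111-aaaa-4bbb-8ccc-000000000001"}))
    print(resolve(MAPPING, {SUB_ATTR: "not-in-the-portal"}))  # None: no access
```

The groups named in the rules must already exist in the federated domain with role assignments on the corresponding projects; Keystone rejects a mapped group that does not exist. Where that provisioning lives is exactly the difference between the two options: in Option 1 the groups come from the backend directory, in Option 2 they are created in Keystone alongside the mapping. Matching on the exact `sub` rather than on a regex or an e-mail address is deliberate, since `sub` is the identifier Globus Auth guarantees to be stable and unique.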