Federated Identity Management
This diagram depicts how local users outside the Aristotle federation can log into the Openstack cloud using an LDAP-integrated Openstack user domain:
See the Integrate Identity back end with LDAP section of this page for instructions on setting up an LDAP-integrated domain in Openstack.
To enable users from Aristotle federation to access the cloud, we need to:
- Authenticate users using Globus Auth, and
- Grant access according to the authenticated identity
Follow the instructions on the Configure Openstack for Single Sign On with Globus page to configure Horizon to accept web single sign-on with Globus Auth.
This option takes the Aristotle user account info from the Aristotle portal and creates the users and groups/projects in the backend Active Directory/LDAP server, then generates the required Openstack mapping (see here) by querying the Active Directory/LDAP server.
The additional complexities over Option 2 enable the following:
- The local Active Directory/LDAP can manage non-local users from the Aristotle Federation,
- If the local Active Directory/LDAP holds the required Globus subs, all (local and federation) users can use Globus Auth to log in, and
- Users can access all their local and Aristotle projects in Horizon, regardless of which authentication mechanism (LDAP or Globus) is used.
This option simply generates the required Openstack mapping (see here) from the Aristotle portal's account info; the local backend Active Directory/LDAP can be left untouched.
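Both options end with generating a Keystone federation mapping from account records keyed by each user's Globus sub. The script below is an added example, not the Aristotle project's own tooling: it builds that mapping from a constructed portal export and previews which rule an asserted sub would hit. The domain name `aristotle`, the remote attribute name `OIDC-sub` (it must match what the Apache OIDC module exports to Keystone in your deployment) and the sample accounts are all assumptions.

```python
import uuid

# Constructed sample of Aristotle portal account info (not real data): each entry
# carries the user's Globus Auth "sub" claim and the projects the portal grants
# that user; the project names double as Keystone group names here.
PORTAL_ACCOUNTS = [
    {"username": "alice", "globus_sub": "3e4c1b9a-2f7d-4c5e-9a1b-0d2e3f4a5b6c",
     "projects": ["astro", "climate"]},
    {"username": "bob", "globus_sub": "7a8b9c0d-1e2f-4a3b-8c4d-5e6f7a8b9c0d",
     "projects": ["climate"]},
]
DOMAIN = "aristotle"   # assumed name of the Keystone domain holding the groups/users
SUB_ATTR = "OIDC-sub"  # assumed remote attribute carrying the Globus sub; it must match
                       # what the Apache OIDC module exports to Keystone in your deployment


def build_mapping(accounts, domain=DOMAIN, sub_attr=SUB_ATTR, users_in_ldap=False):
    """One mapping rule per portal account. users_in_ldap=True (Option 1) maps each
    sub to an existing local user in `domain`; False (Option 2) lets Keystone
    create an ephemeral federated user instead."""
    seen = set()
    rules = []
    for acct in accounts:
        sub = acct["globus_sub"]
        uuid.UUID(sub)  # Globus subs are UUIDs; a malformed record is rejected, not mapped
        if sub in seen:
            raise ValueError(f"duplicate Globus sub {sub}")
        seen.add(sub)
        user = {"name": acct["username"]}
        if users_in_ldap:
            user.update({"type": "local", "domain": {"name": domain}})
        local = [{"user": user}]
        local += [{"group": {"name": p, "domain": {"name": domain}}} for p in acct["projects"]]
        # An explicit sub list means a sub absent from the portal export matches
        # no rule, so Keystone rejects that login rather than mapping it anywhere.
        rules.append({"local": local, "remote": [{"type": sub_attr, "any_one_of": [sub]}]})
    return {"rules": rules}


def matching_rule(mapping, sub, sub_attr=SUB_ATTR):
    """Offline preview of what Keystone would do with an asserted sub: the rule
    that matches, or None when nothing matches (the login is then denied)."""
    for rule in mapping["rules"]:
        for remote in rule["remote"]:
            if remote["type"] == sub_attr and sub in remote.get("any_one_of", []):
                return rule
    return None
```

Serialise the returned dict with `json.dumps` and load it with `openstack mapping create --rules <file>`; rerun `matching_rule` against the loaded document whenever the portal export changes to confirm that removed users no longer match any rule.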