Federated Identity Management
This diagram depicts how local users outside the Aristotle federation can log into the Openstack cloud using an LDAP-integrated Openstack user domain:
See the Integrate Identity back end with LDAP section of this page for instructions on setting up an LDAP-integrated domain in Openstack.
To enable users from Aristotle federation to access the cloud, we need to:
- Authenticate users using Globus Auth, and
- Grant access according to the authenticated identity
Follow the instructions on the Configure Openstack for Single Sign On with Globus page to configure Horizon to accept web single sign-on with Globus Auth.
Option 1: Integrate with Backend Directory
This option takes the Aristotle user account information from the Aristotle portal and creates the users and groups/projects in the backend Active Directory/LDAP server. The required Openstack mapping (see here) is then generated by querying the Active Directory/LDAP server.
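As an added example (not from this page or the Aristotle project), a Python sketch of that mapping-generation step: it takes constructed records of the kind an LDAP query might return and emits Keystone federation mapping rules that bind each Globus Auth `sub` to its existing local user and groups. The directory attribute name `globusSub`, the domain name and the `OIDC-sub` remote attribute name are assumptions that depend on your directory schema and Apache OIDC configuration.

```python
import json

# Constructed sample of what a query against the LDAP/AD back end might return:
# the local uid, the Globus Auth `sub` stored in a directory attribute (the
# attribute name `globusSub` is an assumption), and the user's groups.
SAMPLE_LDAP_ENTRIES = [
    {"uid": "alice", "globusSub": "0000-aaaa-1111", "groups": ["proj-astro", "proj-bio"]},
    {"uid": "bob", "globusSub": "0000-bbbb-2222", "groups": ["proj-astro"]},
    {"uid": "carol", "globusSub": None, "groups": ["proj-bio"]},  # no Globus identity yet
]


def build_mapping(entries, domain, remote_attr="OIDC-sub"):
    """Return a Keystone federation mapping (the dict you would JSON-dump and pass
    to `openstack mapping create --rules`). Each rule pins one exact Globus `sub`
    with `any_one_of`, so a federated login can only land on the local user whose
    directory record carries that sub; users without a sub get no rule at all."""
    rules = []
    for e in entries:
        if not e["globusSub"]:
            continue
        # "type": "local" tells Keystone to use the existing LDAP-backed user
        # rather than creating an ephemeral federated user.
        local = [{"user": {"name": e["uid"], "type": "local", "domain": {"name": domain}}}]
        for g in e["groups"]:
            local.append({"group": {"name": g, "domain": {"name": domain}}})
        rules.append({
            "local": local,
            "remote": [{"type": remote_attr, "any_one_of": [e["globusSub"]]}],
        })
    return {"rules": rules}


def resolve_sub(mapping, sub):
    """Simulate Keystone's rule evaluation for one asserted sub: return the
    (local user, groups) of the first matching rule, or None when nothing
    matches (Keystone then rejects the login instead of guessing a user)."""
    for rule in mapping["rules"]:
        if any(sub in r.get("any_one_of", []) for r in rule["remote"]):
            user = next(l["user"]["name"] for l in rule["local"] if "user" in l)
            groups = [l["group"]["name"] for l in rule["local"] if "group" in l]
            return user, groups
    return None


if __name__ == "__main__":
    # Writes the mapping rules file that would be handed to the Openstack CLI.
    print(json.dumps(build_mapping(SAMPLE_LDAP_ENTRIES, "ldap_users"), indent=2))
```

Regenerate and re-upload the rules whenever the directory changes, since a stale mapping leaves new Aristotle users without a matching rule and removed users still resolvable until it is refreshed.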
The additional complexities over Option 2 enable:
- The local Active Directory/LDAP can manage non-local users from the Aristotle Federation,
- If the local Active Directory/LDAP holds the required Globus subs, all (local and federation) users can use Globus Auth to log in, and
- Users can access all their local and Aristotle projects in Horizon, regardless of which authentication mechanism (LDAP or Globus) is used.
Option 2: Integrate with Cloud Only