Enabling the Federation Extension

To enable the federation extension:

  1. Add the federation extension driver to the [federation] section in keystone.conf. For example:

    [federation]
    driver = keystone.contrib.federation.backends.sql.Federation
    
  2. Add the saml2 authentication method to the [auth] section in keystone.conf:

    [auth]
    methods = external,password,token,saml2
    saml2 = keystone.auth.plugins.mapped.Mapped
    

Note

The external method should be dropped to avoid any interference with some Apache + Shibboleth SP setups, where a REMOTE_USER env variable is always set, even as an empty value.

  3. Add the federation_extension middleware to the api_v3 pipeline in keystone-paste.ini. This must be added after json_body and before the last entry in the pipeline. For example:

    [pipeline:api_v3]
    pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth xml_body_v3 json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension service_v3

  4. Create the federation extension tables if using the provided SQL backend. For example:

    ./bin/keystone-manage db_sync --extension federation

  5. As of the Juno release, multiple Keystone deployments can be federated. To do so, the pysaml2 library is required. Because OS-FEDERATION is an extension, pysaml2 is not installed by default and must be installed manually. For example:

    pip install --upgrade $(grep pysaml2 test-requirements.txt)
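
The settings from the steps and the note above can be checked before restarting Keystone. The following is an added example, not part of Keystone or the original page: the function name, the finding strings and the sample files are constructed for illustration, and Python's configparser is assumed to be a close enough stand-in for how Keystone reads keystone.conf and keystone-paste.ini.

```python
import configparser

# Constructed sample input (abbreviated pipeline), not a real deployment.
SAMPLE_CONF = """\
[auth]
methods = external,password,token,saml2
saml2 = keystone.auth.plugins.mapped.Mapped
[federation]
driver = keystone.contrib.federation.backends.sql.Federation
"""
SAMPLE_PASTE = """\
[pipeline:api_v3]
pipeline = sizelimit url_normalize json_body federation_extension service_v3
"""

def _parse(text):
    # Assumption: configparser approximates the oslo.config / PasteDeploy parsers.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def check_federation(conf_text, paste_text):
    """Return a list of findings; an empty list means every check passed."""
    conf, paste = _parse(conf_text), _parse(paste_text)
    findings = []
    if not conf.get("federation", "driver", fallback="").strip():
        findings.append("[federation] driver is not set")
    raw_methods = conf.get("auth", "methods", fallback="")
    methods = [m.strip() for m in raw_methods.split(",") if m.strip()]
    if "saml2" not in methods:
        findings.append("saml2 is missing from [auth] methods")
    elif not conf.get("auth", "saml2", fallback="").strip():
        findings.append("[auth] saml2 plugin is not set")
    if "external" in methods:  # the note above: REMOTE_USER may always be set
        findings.append("external is enabled in [auth] methods")
    pipeline = paste.get("pipeline:api_v3", "pipeline", fallback="").split()
    if "federation_extension" not in pipeline:
        findings.append("federation_extension is missing from the api_v3 pipeline")
    else:
        pos = pipeline.index("federation_extension")
        if "json_body" not in pipeline or pos < pipeline.index("json_body"):
            findings.append("federation_extension must come after json_body")
        if pos == len(pipeline) - 1:
            findings.append("federation_extension must not be the last entry")
    return findings

if __name__ == "__main__":
    for finding in check_federation(SAMPLE_CONF, SAMPLE_PASTE):
        print("FINDING:", finding)
```

On the constructed sample, the only finding is the external method, which the note above recommends dropping.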
