<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
		<id>https://wiki.openstack.org/w/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Kwss</id>
		<title>OpenStack - User contributions [en]</title>
		<link rel="self" type="application/atom+xml" href="https://wiki.openstack.org/w/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Kwss"/>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/wiki/Special:Contributions/Kwss"/>
		<updated>2026-07-14T08:33:53Z</updated>
		<subtitle>User contributions</subtitle>
		<generator>MediaWiki 1.28.2</generator>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Keystone/VOManagement&amp;diff=54978</id>
		<title>Keystone/VOManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Keystone/VOManagement&amp;diff=54978"/>
				<updated>2014-06-05T12:13:42Z</updated>
		
		<summary type="html">&lt;p&gt;Kwss: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&amp;lt;h2&amp;gt;Introduction&amp;lt;/h2&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;A Virtual Organisation (VO) is a group of people who work together in a similar way to members of a real world organisation. However, in a VO the members may be a collection of users from multiple organisations who are collaborating together. Different users in the VO will typically have different access rights to the VO’s resources, so whilst they are all members of the same VO, they will typically not have the same roles within the VO.&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;Openstack services have the concept of groups – users can be assigned membership in a group, and a group can be granted OpenStack roles and permissions in a bulk manner. An administrator can assign users to a VO role by assigning group membership to them, and then setting the correct OpenStack roles and permissions for the group.&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;h2&amp;gt;VO Role Naming and VO Administration&amp;lt;/h2&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;Different VOs may have the same VO role names, but these would need to be different groups in OpenStack. How is this to be implemented?&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;Typically different VOs will have different administrators. We therefore need to distribute the management of VO roles (group names) to different administrators. How is this possible in OpenStack?&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;One way would be to make each VO a separate Keystone domain, and have the domain name equal to the VO name, then the group name can equal the VO role name (assuming that groups are bounded by domains). Different VO administrators can then create different groups (VO roles) within their own Keystone domains.&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;If different domains is not desirable, then roles in VOs could be indicated by individual group names formulated as &amp;lt;VOname&amp;gt;.&amp;lt;RoleName&amp;gt;. If group names are not bound to domains, then group names will have to be &amp;lt;VOname&amp;gt;.&amp;lt;RoleName&amp;gt; in order to keep them globally unique.  A set of administrators for the (default) domain could be created, and users with both the admin role and &amp;lt;VOname&amp;gt;.&amp;lt;RoleName&amp;gt;  could be given administrative rights for that VO role.&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;h2&amp;gt;Identifying VO members&amp;lt;/h2&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p&amp;gt;Regardless of the way VO roles are named and managed, in a large cloud deployment with federated authentication enabled the VO administrator might not know the identifier or identity attributes issued for each VO member by their respective IdPs. Because of this we propose that a management utility should be available for administrators to organise the membership of VOs, by inviting VO members to self-register. In this way, neither the administrator nor the VO member need be aware of either the identifier or identity attributes issued to him/her by their IdP. The proposed system will take the name of the IdP and the unique ID assigned to the user by the IdP as the inputs to the mapping function, and will automatically create a mapping rule for this user.&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p&amp;gt; If the VO administrator does know the identity attributes that will characterize his VO members, then he can create the mapping rules using the existing mapping API and none of this new functionality is needed.&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;h2&amp;gt;Proposal&amp;lt;/h2&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The proposed VO Management utility should consist of five categories of API functions:&lt;br /&gt;
&amp;lt;ol&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;The administrator should be able to create a new VO role, list existing VO roles, and delete an existing VO role. A VO role is defined as a group name with a PIN number or password associated with it, to be used for user self-registration to the VO role. The administrator can distribute the group name and PIN/pw to proposed members of the VO role, so that they can request membership (i.e. self-register).&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;The members should be able to request membership of the VO role using the PIN/pw and group name. They should also be able to request leaving any VO role they are a member of at any time (without using the PIN). In addition they should be able to list the VO roles they are a member of and also get a list of fellow members of a VO role.&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;The administrator should be able to view, accept and deny VO role membership requests.&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;ol type=&amp;quot;a&amp;quot;&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;View should list all outstanding membership requests.&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;Accept should create a mapping rule that assigns the group to the member in question, and remove the request.&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;Deny should simply delete the request.&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;/ol&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;The administrator should be able to remove VO role members and modify VO role memberships e.g. Change a user from VO.role1 to VO.role2. (Note. This might be available already as an existing Keystone admin operation on groups.) &amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;A user should be marked as blacklisted when he has made three attempts to join a VO role with the incorrect PIN. The administrator should be able to view blacklisted users, for all VO roles or for a single VO role, and delete them to allow them to again attempt to join VO roles.&amp;lt;/li&amp;gt;&amp;lt;/ol&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;h2&amp;gt;New Entities&amp;lt;/h2&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;h3&amp;gt;Virtual Organisation Role (VO-role)&amp;lt;/h3&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;Attributes:&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;&amp;quot;id&amp;quot; (string) The ID of the VO role&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;“vo_name&amp;quot; (string) the VO role/group name&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;“vo_role&amp;quot; (string) the VO role/group role&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;&amp;quot;description&amp;quot; (string) the description of the VO role&lt;br /&gt;
&amp;lt;p&amp;gt;&amp;quot;group_id&amp;quot; (string, FK) The ID of the group which has this role&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;&amp;quot;enabled&amp;quot; (boolean) Whether the VO role is active&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;“pin” (string) the secret PIN for group membership&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;“automatic_join” (boolean) whether users joining with a valid PIN should be joined to the VO role automatically or manually confirmed by an administrator. It should default to false (manual confirm).&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;h3&amp;gt;Virtual Organisation Blacklist (VO-blacklist)&amp;lt;/h3&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;Attributes: &amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;&amp;quot;id&amp;quot; (string) The ID of the blacklist entry&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;“user_id” (string) The user ID who tried to join &amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;“idp” (string, FK) The IdP which authenticated the user &amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;“group_id” The ID of the VO role/Group the user tried to join&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;“count” The number of incorrect attempts. (max three)&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;h3&amp;gt;Virtual Organisation Request (VO-request)&amp;lt;/h3&amp;gt;&lt;br /&gt;
Attributes:&lt;br /&gt;
&amp;lt;p&amp;gt;&amp;quot;id&amp;quot; (string) The ID of the VO join request&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;“user_id” (string) The user ID who wishes to join&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;“idp” (string, FK) The IdP which authenticated the user&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;“group_id” The ID of the VO role/Group the user requests membership in.&amp;lt;/p&amp;gt;&lt;/div&gt;</summary>
		<author><name>Kwss</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Keystone/trusted-attribute-issuing-policy&amp;diff=52765</id>
		<title>Keystone/trusted-attribute-issuing-policy</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Keystone/trusted-attribute-issuing-policy&amp;diff=52765"/>
				<updated>2014-05-20T10:23:01Z</updated>
		
		<summary type="html">&lt;p&gt;Kwss: A Trusted Attribute Issuing Policy for Federated Identity Providers&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Trusted Attribute Issuing Policy for Federated Identity Providers ==&lt;br /&gt;
&lt;br /&gt;
Only certain identity providers should be trusted to issue certain attributes, for example, a University might be able to issue a student number, but not a credit card number. In order to enforce this, we propose an API to allow administrators to set an issuing policy for an Identity Provider which denotes which attributes can be issued. Any attributes which violate the policy will be discarded before any attribute mapping takes place. There should be one policy per Identity Provider.&lt;br /&gt;
&lt;br /&gt;
There are three ways in which an attribute can be treated in the policy.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
* The attribute can be omitted from the policy completely - if this attribute is received from this Identity Provider it will be discarded.&lt;br /&gt;
* The attribute can be included with an empty list of values - any value of this attribute will be valid so if this attribute is present it will be preserved.&lt;br /&gt;
* The attribute can be included with a list of one or more values - any values not specified will be stripped from the received attribute, if no values remain the attribute will be discarded, else the attribute will be preserved with the new list of values after stripping any unspecified values.&lt;/div&gt;</summary>
		<author><name>Kwss</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Keystone/VOManagement&amp;diff=49670</id>
		<title>Keystone/VOManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Keystone/VOManagement&amp;diff=49670"/>
				<updated>2014-04-22T20:47:47Z</updated>
		
		<summary type="html">&lt;p&gt;Kwss: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&amp;lt;h2&amp;gt;Introduction&amp;lt;/h2&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;A Virtual Organisation (VO) is a group of people who work together in a similar way to members of a real world organisation. However, in a VO the members may be a collection of users from multiple organisations who are collaborating together. Different users in the VO will typically have different access rights to the VO’s resources, so whilst they are all members of the same VO, they will typically not have the same roles within the VO.&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;Openstack services have the concept of groups – users can be assigned membership in a group, and a group can be granted OpenStack roles and permissions in a bulk manner. An administrator can create a role in a VO by assigning a group to a number of VO users and then setting the correct OpenStack roles and permissions for the group.&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;h2&amp;gt;VO Role Naming and VO Administration&amp;lt;/h2&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p&amp;gt;Typically different VOs will have different administrators. We therefore need to distribute the management of VO roles (group names) to different administrators. How is this possible in OpenStack?&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;One way would be to make each VO a separate Keystone domain, and have the domain name equal to the VO name, then the group name can equal the VO role name. Different VO administrators can then create different groups (VO roles) within their own Keystone domains.&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;If different domains is not desirable, then roles in VOs could be indicated by individual group names formulated as &amp;lt;VOname&amp;gt;.&amp;lt;RoleName&amp;gt;.  A set of administrators for the (default) domain could be created, and users with both the admin role and &amp;lt;VOname&amp;gt;.&amp;lt;RoleName&amp;gt;  could be given administrative rights for that VO role.&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;h2&amp;gt;Identifying VO members&amp;lt;/h2&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p&amp;gt;Regardless of the way VO roles are named and managed, in a large cloud deployment with federated authentication enabled the VO administrator might not know the identifier or identity attributes issued for each VO member by their respective IdPs. Because of this we propose that a management utility should be available for administrators to organise the membership of VOs, by inviting VO members to self-register. In this way, neither the administrator nor the VO member need be aware of either the identifier or identity attributes issued to him/her by their IdP.&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;h2&amp;gt;Proposal&amp;lt;/h2&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The proposed VO Management utility should consist of five API functions:&lt;br /&gt;
&amp;lt;ol&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;The administrator should be able to create a new VO role and delete an existing VO role. A VO role is defined as a group name with a PIN number associated with it. The administrator can distribute the group name and PIN to proposed members of the VO role, so that they can request membership (i.e. self-register).&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;The members should be able to request membership of the VO role using the PIN and group name. They should also be able to request leaving any VO role they are a member of at any time (without using the PIN).&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;The administrator should be able to view, accept and deny VO role membership requests.&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;ol type=&amp;quot;a&amp;quot;&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;View should list all outstanding membership requests.&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;Accept should create a mapping rule that assigns the group to the member in question, and remove the request.&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;Deny should simply delete the request.&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;/ol&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;The administrator should be able to remove VO role members and modify VO role memberships e.g. Change a user from VO.role1 to VO.role2. (Note. This might be available already as an existing Keystone admin operation on groups.) &amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;A user should be marked as blacklisted when he has made three attempts to join a VO role with the incorrect PIN. The administrator should be able to view blacklisted users, and delete them.&amp;lt;/li&amp;gt;&amp;lt;/ol&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;h2&amp;gt;New Entities&amp;lt;/h2&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;h3&amp;gt;Virtual Organisation Role (VO-role)&amp;lt;/h3&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;Attributes:&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;&amp;quot;id&amp;quot; (string) The ID of the VO role&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;“vo_name&amp;quot; (string) the VO role/group name&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;“vo_role&amp;quot; (string) the VO role/group role&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;&amp;quot;description&amp;quot; (string) the description of the VO role&lt;br /&gt;
&amp;lt;p&amp;gt;&amp;quot;group_id&amp;quot; (string, FK) The ID of the group which has this role&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;&amp;quot;enabled&amp;quot; (boolean) Whether the VO role is active&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;“pin” (string) the secret PIN for group membership&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;“automatic_join” (boolean) whether users joining with a valid PIN should be joined to the VO role automatically or manually confirmed by an administrator. It should default to false (manual confirm).&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;h3&amp;gt;Virtual Organisation Blacklist (VO-blacklist)&amp;lt;/h3&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;Attributes: &amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;&amp;quot;id&amp;quot; (string) The ID of the blacklist entry&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;“user_id” (string) The user ID who tried to join &amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;“idp” (string, FK) The IdP which authenticated the user &amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;“group_id” The ID of the VO role/Group the user tried to join&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;“count” The number of incorrect attempts. (max three)&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;h3&amp;gt;Virtual Organisation Request (VO-request)&amp;lt;/h3&amp;gt;&lt;br /&gt;
Attributes:&lt;br /&gt;
&amp;lt;p&amp;gt;&amp;quot;id&amp;quot; (string) The ID of the VO join request&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;“user_id” (string) The user ID who wishes to join&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;“idp” (string, FK) The IdP which authenticated the user&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;“group_id” The ID of the VO role/Group the user requests membership in.&amp;lt;/p&amp;gt;&lt;/div&gt;</summary>
		<author><name>Kwss</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Keystone/VOManagement&amp;diff=48842</id>
		<title>Keystone/VOManagement</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Keystone/VOManagement&amp;diff=48842"/>
				<updated>2014-04-15T22:24:50Z</updated>
		
		<summary type="html">&lt;p&gt;Kwss: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&amp;lt;h2&amp;gt;Introduction&amp;lt;/h2&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;A Virtual Organisation (VO) is a group of people who work together in a similar way to members of a real world organisation. However, in a VO the members may be a collection of users from multiple organisations who are collaborating together. Different users in the VO will typically have different access rights to the VO’s resources, so whilst they are all members of the same VO, they will typically not have the same roles within the VO.&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;Openstack services have the concept of groups – users can be assigned membership in a group, and a group can be granted OpenStack roles and permissions in a bulk manner. An administrator can create a role in a VO by assigning a group to a number of VO users and then setting the correct OpenStack roles and permissions for the group.&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;h2&amp;gt;VO Role Naming and VO Administration&amp;lt;/h2&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p&amp;gt;Typically different VOs will have different administrators. We therefore need to distribute the management of VO roles (group names) to different administrators. How is this possible in OpenStack?&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;One way would be to make each VO a separate Keystone domain, and have the domain name equal to the VO name, then the group name can equal the VO role name. Different VO administrators can then create different groups (VO roles) within their own Keystone domains.&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;If different domains is not desirable, then roles in VOs could be indicated by individual group names formulated as &amp;lt;VOname&amp;gt;.&amp;lt;RoleName&amp;gt;.  A set of administrators for the (default) domain could be created, and users with both the admin role and &amp;lt;VOname&amp;gt;.&amp;lt;RoleName&amp;gt;  could be given administrative rights for that VO role.&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;h2&amp;gt;Identifying VO members&amp;lt;/h2&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p&amp;gt;Regardless of the way VO roles are named and managed, in a large cloud deployment with federated authentication enabled the VO administrator might not know the identifier or identity attributes issued for each VO member by their respective IdPs. Because of this we propose that a management utility should be available for administrators to organise the membership of VOs, by inviting VO members to self-register. In this way, neither the administrator nor the VO member need be aware of either the identifier or identity attributes issued to him/her by their IdP.&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;h2&amp;gt;Proposal&amp;lt;/h2&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The proposed VO Management utility should consist of five API functions:&lt;br /&gt;
&amp;lt;ol&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;The administrator should be able to create a new VO role and delete an existing VO role. A VO role is defined as a group name with a PIN number associated with it. The administrator can distribute the group name and PIN to proposed members of the VO role, so that they can request membership (i.e. self-register).&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;The members should be able to request membership of the VO role using the PIN and group name. They should also be able to request leaving any VO role they are a member of at any time (without using the PIN).&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;The administrator should be able to view, accept and deny VO role membership requests.&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;ol type=&amp;quot;a&amp;quot;&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;View should list all outstanding membership requests.&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;Accept should create a mapping rule that assigns the group to the member in question, and remove the request.&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;Deny should simply delete the request.&amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;/ol&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;The administrator should be able to remove VO role members and modify VO role memberships e.g. Change a user from VO.role1 to VO.role2. (Note. This might be available already as an existing Keystone admin operation on groups.) &amp;lt;/li&amp;gt;&lt;br /&gt;
&amp;lt;li&amp;gt;A user should be marked as blacklisted when he has made three attempts to join a VO role with the incorrect PIN. The administrator should be able to view blacklisted users, and delete them.&amp;lt;/li&amp;gt;&amp;lt;/ol&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;h2&amp;gt;New Entities&amp;lt;/h2&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;h3&amp;gt;Virtual Organisation Role (VO-role)&amp;lt;/h3&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;Attributes:&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;&amp;quot;id&amp;quot; (string) The ID of the VO role&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;“name&amp;quot; (string) the VO role/group name&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;&amp;quot;description&amp;quot; (string) the description of the VO role&lt;br /&gt;
&amp;lt;p&amp;gt;&amp;quot;group_id&amp;quot; (string, FK) The ID of the group which has this role&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;&amp;quot;enabled&amp;quot; (boolean) Whether the VO role is active&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;“PIN” (string) the secret PIN for group membership&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;“automatic_join” (boolean) whether users joining with a valid PIN should be joined to the VO role automatically or manually confirmed by an administrator. It should default to false (manual confirm).&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;h3&amp;gt;Virtual Organisation Blacklist (VO-blacklist)&amp;lt;/h3&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;Attributes: &amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;&amp;quot;id&amp;quot; (string) The ID of the blacklist entry&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;“user_id” (string) The user ID who tried to join &amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;“idp” (string, FK) The IdP which authenticated the user &amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;“group_id” The ID of the VO role/Group the user tried to join&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;“count” The number of incorrect attempts. (max three)&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;h3&amp;gt;Virtual Organisation Request (VO-request)&amp;lt;/h3&amp;gt;&lt;br /&gt;
Attributes:&lt;br /&gt;
&amp;lt;p&amp;gt;&amp;quot;id&amp;quot; (string) The ID of the VO join request&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;“user_id” (string) The user ID who wishes to join&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;“idp” (string, FK) The IdP which authenticated the user&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;p&amp;gt;“group_id” The ID of the VO role/Group the user requests membership in.&amp;lt;/p&amp;gt;&lt;/div&gt;</summary>
		<author><name>Kwss</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Keystone/TempUserProvisioning/Blueprint&amp;diff=22905</id>
		<title>Keystone/TempUserProvisioning/Blueprint</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Keystone/TempUserProvisioning/Blueprint&amp;diff=22905"/>
				<updated>2013-05-17T12:57:32Z</updated>
		
		<summary type="html">&lt;p&gt;Kwss: /* API changes */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;=== Temporary User Provisioning in Keystone ===&lt;br /&gt;
There are many instances in which it might be beneficial to be able to create temporary user entries in Keystone. For example, guest accounts and fixed term contract employees, support for short term alliances such as Virtual Organisation, or autoprovisioning of federated users. We propose adding an expiry time to user entities, and to support this, a function to delete all expired entries. In order to support backwards compatibility, the system should still allow for users to be created without an expiry time, which then denotes a permanent user that can only be deleted by an administrator.&lt;br /&gt;
The current structure of the user entity is:&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;{&lt;br /&gt;
    &amp;quot;user&amp;quot;: { &lt;br /&gt;
        &amp;quot;default_project_id&amp;quot;: &amp;quot;263fd9&amp;quot;,        &lt;br /&gt;
        &amp;quot;domain_id&amp;quot;: &amp;quot;1789d1&amp;quot;,         &lt;br /&gt;
        &amp;quot;email&amp;quot;: &amp;quot;joe@example.com&amp;quot;,        &lt;br /&gt;
        &amp;quot;enabled&amp;quot;: true,         &lt;br /&gt;
        &amp;quot;id&amp;quot;: &amp;quot;0ca8f6&amp;quot;,         &lt;br /&gt;
        &amp;quot;links&amp;quot;: {             &lt;br /&gt;
            &amp;quot;self&amp;quot;: &amp;quot;http://identity:35357/v3/users/0ca8f6&amp;quot;         &lt;br /&gt;
        },         &lt;br /&gt;
        &amp;quot;name&amp;quot;: &amp;quot;Joe&amp;quot;     &lt;br /&gt;
    }&lt;br /&gt;
}&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
The proposed new structure of the user entry is:&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;{     &lt;br /&gt;
    &amp;quot;user&amp;quot;: {         &lt;br /&gt;
        &amp;quot;default_project_id&amp;quot;: &amp;quot;263fd9&amp;quot;,        &lt;br /&gt;
        &amp;quot;domain_id&amp;quot;: &amp;quot;1789d1&amp;quot;,         &lt;br /&gt;
        &amp;quot;email&amp;quot;: &amp;quot;joe@example.com&amp;quot;,        &lt;br /&gt;
        &amp;quot;enabled&amp;quot;: true,         &lt;br /&gt;
        &amp;quot;id&amp;quot;: &amp;quot;0ca8f6&amp;quot;,         &lt;br /&gt;
        &amp;quot;links&amp;quot;: {             &lt;br /&gt;
            &amp;quot;self&amp;quot;: &amp;quot;http://identity:35357/v3/users/0ca8f6&amp;quot;         &lt;br /&gt;
        },         &lt;br /&gt;
        &amp;quot;name&amp;quot;: &amp;quot;Joe&amp;quot;  &lt;br /&gt;
        “expiry_time”: “2013-05-27T18:30:59.999999Z”&lt;br /&gt;
    }&lt;br /&gt;
}&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==== Handling token expiry ====&lt;br /&gt;
When a system can create both temporary and permanent users, because tokens are time limited, then it is important that a token cannot be issued which exceeds the expiry time of the user it is linked to. Therefore in order to support the addition of temporary users, the code that sets token validity should be changed so as to limit it to no later than the user expiry time.&lt;br /&gt;
==== API changes ====&lt;br /&gt;
The following API changes are needed&lt;br /&gt;
#Addition of expiry time as an optional parameter to the call that creates a new user entry&lt;br /&gt;
#Addition of a new API call to delete all expired user entries&lt;br /&gt;
These will be made to the API documentation&lt;/div&gt;</summary>
		<author><name>Kwss</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Keystone/TempUserProvisioning/Blueprint&amp;diff=22904</id>
		<title>Keystone/TempUserProvisioning/Blueprint</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Keystone/TempUserProvisioning/Blueprint&amp;diff=22904"/>
				<updated>2013-05-17T12:56:59Z</updated>
		
		<summary type="html">&lt;p&gt;Kwss: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;=== Temporary User Provisioning in Keystone ===&lt;br /&gt;
There are many instances in which it might be beneficial to be able to create temporary user entries in Keystone. For example, guest accounts and fixed term contract employees, support for short term alliances such as Virtual Organisation, or autoprovisioning of federated users. We propose adding an expiry time to user entities, and to support this, a function to delete all expired entries. In order to support backwards compatibility, the system should still allow for users to be created without an expiry time, which then denotes a permanent user that can only be deleted by an administrator.&lt;br /&gt;
The current structure of the user entity is:&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;{&lt;br /&gt;
    &amp;quot;user&amp;quot;: { &lt;br /&gt;
        &amp;quot;default_project_id&amp;quot;: &amp;quot;263fd9&amp;quot;,        &lt;br /&gt;
        &amp;quot;domain_id&amp;quot;: &amp;quot;1789d1&amp;quot;,         &lt;br /&gt;
        &amp;quot;email&amp;quot;: &amp;quot;joe@example.com&amp;quot;,        &lt;br /&gt;
        &amp;quot;enabled&amp;quot;: true,         &lt;br /&gt;
        &amp;quot;id&amp;quot;: &amp;quot;0ca8f6&amp;quot;,         &lt;br /&gt;
        &amp;quot;links&amp;quot;: {             &lt;br /&gt;
            &amp;quot;self&amp;quot;: &amp;quot;http://identity:35357/v3/users/0ca8f6&amp;quot;         &lt;br /&gt;
        },         &lt;br /&gt;
        &amp;quot;name&amp;quot;: &amp;quot;Joe&amp;quot;     &lt;br /&gt;
    }&lt;br /&gt;
}&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
The proposed new structure of the user entry is:&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;{     &lt;br /&gt;
    &amp;quot;user&amp;quot;: {         &lt;br /&gt;
        &amp;quot;default_project_id&amp;quot;: &amp;quot;263fd9&amp;quot;,        &lt;br /&gt;
        &amp;quot;domain_id&amp;quot;: &amp;quot;1789d1&amp;quot;,         &lt;br /&gt;
        &amp;quot;email&amp;quot;: &amp;quot;joe@example.com&amp;quot;,        &lt;br /&gt;
        &amp;quot;enabled&amp;quot;: true,         &lt;br /&gt;
        &amp;quot;id&amp;quot;: &amp;quot;0ca8f6&amp;quot;,         &lt;br /&gt;
        &amp;quot;links&amp;quot;: {             &lt;br /&gt;
            &amp;quot;self&amp;quot;: &amp;quot;http://identity:35357/v3/users/0ca8f6&amp;quot;         &lt;br /&gt;
        },         &lt;br /&gt;
        &amp;quot;name&amp;quot;: &amp;quot;Joe&amp;quot;  &lt;br /&gt;
        “expiry_time”: “2013-05-27T18:30:59.999999Z”&lt;br /&gt;
    }&lt;br /&gt;
}&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==== Handling token expiry ====&lt;br /&gt;
When a system can create both temporary and permanent users, because tokens are time limited, then it is important that a token cannot be issued which exceeds the expiry time of the user it is linked to. Therefore in order to support the addition of temporary users, the code that sets token validity should be changed so as to limit it to no later than the user expiry time.&lt;br /&gt;
==== API changes ====&lt;br /&gt;
The following API changes are needed&lt;br /&gt;
#Addition of expiry time as an optional parameter to the call that creates a new user entry&lt;br /&gt;
# Addition of user ID as an optional parameter to the call that creates a new user entry.&lt;br /&gt;
#Addition of a new API call to delete all expired user entries&lt;br /&gt;
These will be made to the API documentation&lt;/div&gt;</summary>
		<author><name>Kwss</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Keystone/TempUserProvisioning/Blueprint&amp;diff=22795</id>
		<title>Keystone/TempUserProvisioning/Blueprint</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Keystone/TempUserProvisioning/Blueprint&amp;diff=22795"/>
				<updated>2013-05-16T15:26:55Z</updated>
		
		<summary type="html">&lt;p&gt;Kwss: Created page with &amp;quot;=== Temporary User Provisioning in Keystone === There are many instances in which it might be beneficial to be able to create temporary user entries in Keystone. For example, ...&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;=== Temporary User Provisioning in Keystone ===&lt;br /&gt;
There are many instances in which it might be beneficial to be able to create temporary user entries in Keystone. For example, guest accounts and fixed term contract employees, support for short term alliances such as Virtual Organisation, or autoprovisioning of federated users. We propose adding an expiry time to user entities, and to support this, a function to delete all expired entries. In order to support backwards compatibility, the system should still allow for users to be created without an expiry time, which then denotes a permanent user that can only be deleted by an administrator.&lt;br /&gt;
The current structure of the user entity is:&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;{&lt;br /&gt;
    &amp;quot;user&amp;quot;: { &lt;br /&gt;
        &amp;quot;default_project_id&amp;quot;: &amp;quot;263fd9&amp;quot;,        &lt;br /&gt;
        &amp;quot;domain_id&amp;quot;: &amp;quot;1789d1&amp;quot;,         &lt;br /&gt;
        &amp;quot;email&amp;quot;: &amp;quot;joe@example.com&amp;quot;,        &lt;br /&gt;
        &amp;quot;enabled&amp;quot;: true,         &lt;br /&gt;
        &amp;quot;id&amp;quot;: &amp;quot;0ca8f6&amp;quot;,         &lt;br /&gt;
        &amp;quot;links&amp;quot;: {             &lt;br /&gt;
            &amp;quot;self&amp;quot;: &amp;quot;http://identity:35357/v3/users/0ca8f6&amp;quot;         &lt;br /&gt;
        },         &lt;br /&gt;
        &amp;quot;name&amp;quot;: &amp;quot;Joe&amp;quot;     &lt;br /&gt;
    }&lt;br /&gt;
}&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
The proposed new structure of the user entry is:&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;lt;nowiki&amp;gt;{     &lt;br /&gt;
    &amp;quot;user&amp;quot;: {         &lt;br /&gt;
        &amp;quot;default_project_id&amp;quot;: &amp;quot;263fd9&amp;quot;,        &lt;br /&gt;
        &amp;quot;domain_id&amp;quot;: &amp;quot;1789d1&amp;quot;,         &lt;br /&gt;
        &amp;quot;email&amp;quot;: &amp;quot;joe@example.com&amp;quot;,        &lt;br /&gt;
        &amp;quot;enabled&amp;quot;: true,         &lt;br /&gt;
        &amp;quot;id&amp;quot;: &amp;quot;0ca8f6&amp;quot;,         &lt;br /&gt;
        &amp;quot;links&amp;quot;: {             &lt;br /&gt;
            &amp;quot;self&amp;quot;: &amp;quot;http://identity:35357/v3/users/0ca8f6&amp;quot;         &lt;br /&gt;
        },         &lt;br /&gt;
        &amp;quot;name&amp;quot;: &amp;quot;Joe&amp;quot;  &lt;br /&gt;
        “expiry_time”: “2013-05-27T18:30:59.999999Z”&lt;br /&gt;
    }&lt;br /&gt;
}&amp;lt;/nowiki&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==== Handling token expiry ====&lt;br /&gt;
When a system can create both temporary and permanent users, because tokens are time limited, then it is important that a token cannot be issued which exceeds the expiry time of the user it is linked to. Therefore in order to support the addition of temporary users, the code that sets token validity should be changed so as to limit it to no later than the user expiry time.&lt;br /&gt;
==== Specifying User IDs ====&lt;br /&gt;
In order to maintain functionality for temporary users on systems which user User IDs in access control lists we have modified the user creation process to allow a user ID to passed in with the user entity, if this parameter is present, it will be used instead of the standard randomly generated ID.&lt;br /&gt;
==== API changes ====&lt;br /&gt;
The following API changes are needed&lt;br /&gt;
#Addition of expiry time as an optional parameter to the call that creates a new user entry&lt;br /&gt;
# Addition of user ID as an optional parameter to the call that creates a new user entry.&lt;br /&gt;
#Addition of a new API call to delete all expired user entries&lt;br /&gt;
These will be made to the API documentation&lt;/div&gt;</summary>
		<author><name>Kwss</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Keystone/Federation/TempUserCreation/Blueprint&amp;diff=20840</id>
		<title>Keystone/Federation/TempUserCreation/Blueprint</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Keystone/Federation/TempUserCreation/Blueprint&amp;diff=20840"/>
				<updated>2013-04-19T11:49:12Z</updated>
		
		<summary type="html">&lt;p&gt;Kwss: /* 3.2 Assigning Authz Attributes to Users according to Attribute Mappings */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Temporary User Creation in a Federated Keystone ==&lt;br /&gt;
Version 1.2. 11 April 2013&lt;br /&gt;
=== 1.	Introduction ===&lt;br /&gt;
In a standard centrally managed Keystone environment users are managed by an administrator of the Keystone service and are created manually via the Keystone [http://docs.openstack.org/api/openstack-identity-service/2.0/content/Overview-Keystone-API-d1e62.html REST API]. However, in a federated environment, the Keystone Identity service for Openstack Cloud services does not have access to the available users as the external Identity Provider(s) (IdPs) manage them. Therefore, in order to achieve a fully federated Keystone installation it is necessary to implement a mechanism for automatically creating the internal Keystone user entries after external IdPs successfully authenticate the users. After authentication, external IdPs provide Keystone with a set of identity attributes for the user e.g. as a SAML assertion. An [http://blueprints.launchpad.net/keystone/+spec/role-mapping-service-keystone attribute mapping service] allows Keystone to assign the correct privileges to these users (as roles, projects, domains etc. collectively called the authz attributes in this document) according to the identity attributes provided by the external IdP. This document describes the design and workflow of such a mechanism. It is based on creating a temporary user in Keystone, whose lifespan is based on that of the IdP’s identity assertion.&lt;br /&gt;
=== 2.	Initial Assumptions ===&lt;br /&gt;
We assume that user authentication against an external IdP is available, such as that described in the [http://wiki.openstack.org/Keystone/Federation/Blueprint federation blueprint], and that after authentication Keystone is provided with an assertion by the IdP that contains the following information:&lt;br /&gt;
* 	Some sort of unique user name or identifier (UNUNID) that uniquely identifies the subject of the assertion. The type and location of this data in the IdP’s assertion will be federation protocol specific (the type might be configured as extra data in the Service Catalog service endpoint entry of the authenticating IdP). It might be the same or different for the same user in different assertions (note that it could be a random number but in this case the user ID cannot be used to authorize the user in service ACLs). The protocol specific code will handle extraction of this identifier and return its value. It will be used by Keystone to uniquely identify the user.&lt;br /&gt;
* 	A set of type and value paired identity attributes which will be used to authorize the authenticated user. This set should be consistent and repeatable in multiple assertions.&lt;br /&gt;
* 	A date which defines the maximum validity time of the assertion.&lt;br /&gt;
We also assume that IdPs are stored in the existing Keystone Service Catalog as described in [https://blueprints.launchpad.net/keystone/+spec/adding-idps-to-service-catalog here]. The final assumption is that for ease of implementation, higher level utility APIs are available for retrieving a user’s authz attributes using a single API call with a parameter of a list of identity attributes as described [https://blueprints.launchpad.net/keystone/+spec/mapping-distributed-admin here].&lt;br /&gt;
Because a temporary user entry is created in Keystone’s database, this means that the UUID returned by Keystone on entry creation would normally be different each time the same federated user accesses OpenStack, so that the UUID could not be used in access control lists. This problem is addressed [https://blueprints.launchpad.net/keystone/+spec/acls-userids-federation here].&lt;br /&gt;
=== 3. FIM Controller ===&lt;br /&gt;
In this design document, the FIM Controller is the module responsible for orchestrating the validation of the IdP’s assertion and creating the temporary user entry in Keystone’s databases. (In the implementation the FIM Controller is the federated.FederatedAuthentication module.)&lt;br /&gt;
==== 3.1 Identifying Users ====&lt;br /&gt;
The first stage in this mechanism is to identify the user and to create a temporary user entry within Keystone, which is valid only for the current session. In order to minimize the redundancy of data stored in the Keystone backend, a validity time should be stored alongside each temporary user entry. At each call of the FIM controller’s user creation module, the stored temporary users should be queried and any expired users deleted. In order to maintain current functionality a blank value for validity time will denote a permanent user.&lt;br /&gt;
&lt;br /&gt;
Each federation protocol has its own specific credential validation service (usually a module with the name of the protocol) that validates the IdP’s assertion and returns three parameters: the UNUNID, the set of identity attributes, and the validity time.&lt;br /&gt;
&lt;br /&gt;
The UNUNID is extracted from the returned values and is used as the username for this temporary user entry; its value is not important and is just used by services managed by Keystone to retrieve the user’s authz attributes (role, project and domain assignment information) during authorization. Note that we have modified the Keystone code that issues tokens to ensure that the token’s validity time does not exceed that of the temporary user entry. &lt;br /&gt;
&lt;br /&gt;
The workflow for temporary user entry creation is as follows:&lt;br /&gt;
# Call the protocol specific module to validate the IdP’s assertion in a protocol specific way.&lt;br /&gt;
# It returns the UNUNID, identity attributes and validity time from the assertion.&lt;br /&gt;
# Call the user management module. If a user entry with the UNUNID already exists, then update the validity time to match the latest value, else create a new temporary user entry with a name and UUID created from the UNUNID and a validity time of the returned value. The UNUNID is hashed using SHA1 to create a 20 byte string, then converted into a 40 hexadecimal string.&lt;br /&gt;
# In order to create a user entry a password is required. Also the Token API requires that both the username and password are presented for token creation. Consequently, a strong random password is generated during initialization of the Keystone server, and held in memory (only). This is then used for all the temporary users’ passwords. The password is generated as follows: a randomly generated number of size 128 bits is created, concatenated with the current system timestamp in milliseconds, reduced to 20 bytes by using the SHA1 algorithm, then base 64 encoded to produce a 28 character password.  This is stored in memory and is lost when the system is stopped. It is important to note that any existing tokens created using the federated middleware will be invalidated at restart time if the user authenticates again, as a new password will have been created. It is a built in mechanism of Keystone user management to invalidate existing tokens when a user’s password is changed.&lt;br /&gt;
# It returns the new user details. The username and password will subsequently be used to authenticate on behalf of the federated user and retrieve an unscoped token after attribute mapping has been performed.&lt;br /&gt;
&lt;br /&gt;
==== 3.2 Assigning Authz Attributes to Users according to Attribute Mappings ====&lt;br /&gt;
The second stage is to perform the attribute mapping in order to add the user’s authz attributes to the user’s entry. For each attribute mapping that matches a subset of the user’s identity attributes, a set of authz attributes is returned. Each authz attribute set is assigned to the user independently of the other matched sets.  There are currently three types of authz attributes in the Openstack service: Roles, Projects and Domains. There are no constraints in the attribute mapping code as to the mapping of these authz attributes from identity attributes, even if some of the mappings may not give the user any OpenStack privileges. However, mappings which do not conform to the current limitations in Keystone will necessarily have to be ignored by the FIM Controller (for now anyway, until the restrictions in Keystone are removed).&lt;br /&gt;
&lt;br /&gt;
Roles alone are currently meaningless in Keystone for authz purposes and must be assigned on a project. There is currently no mechanism for assigning roles to users without the context of a project. This means an authz attribute set containing only OpenStack roles will grant no privileges to the user, and consequently will be ignored by the FIM Controller. Projects alone can be assigned to users, though whether they grant any privileges or not will be determined by the service. These will not be ignored by the FIM Controller.&lt;br /&gt;
&lt;br /&gt;
Both roles and projects are domain specific in the V3 API. However, the concept of a default domain is available and as such, a set containing only roles and projects, or projects alone, will be assigned to the user under this default domain (automatically by the existing Keystone code).&lt;br /&gt;
&lt;br /&gt;
With these constraints in mind, authz attribute assignment within an authz attribute set should conform to the following rules:&lt;br /&gt;
* A set comprising roles, projects and domains: each role should be assigned to the user on each project under each domain;&lt;br /&gt;
* A set comprising roles and projects only: each role should be assigned to the user on each project under the default domain;&lt;br /&gt;
* A set comprising projects and domains is ignored;&lt;br /&gt;
* A set containing only projects is ignored;&lt;br /&gt;
* A set containing only roles is ignored;&lt;br /&gt;
* A set containing only domains is ignored.&lt;br /&gt;
&lt;br /&gt;
With these rules in mind, the following workflow should be followed:&lt;br /&gt;
&lt;br /&gt;
# Retrieve all the existing authz attributes assigned to the user (oldAuthz list). For a new user the list will be empty, but for a returning user it will contain those mapped from his previous identity attributes.&lt;br /&gt;
#For each authz attribute set:&lt;br /&gt;
## If the set contains 1 or more domains:&lt;br /&gt;
###	For each domain (D) in the set&lt;br /&gt;
####        For each role (R) in the set&lt;br /&gt;
#####        Assign role (R) under domain (D)&lt;br /&gt;
#####        Remove from oldAuthz list (if present).&lt;br /&gt;
##	For each project (P) in the set&lt;br /&gt;
###  If set contains 1 or more domains AND project's domain does not match any of these domains:&lt;br /&gt;
#### Skip this project&lt;br /&gt;
### Else:&lt;br /&gt;
####	For each role (R) in the set&lt;br /&gt;
#####	Assign role (R) to user under project (P).  &lt;br /&gt;
#####      Remove from oldAuthz list (if present).&lt;br /&gt;
# Any attributes remaining in the oldAuthz set are no longer valid so remove them.&lt;br /&gt;
&lt;br /&gt;
===== Examples =====&lt;br /&gt;
The examples assume an environment with three mappings set up in Keystone as follows.&lt;br /&gt;
&lt;br /&gt;
'''Mapping 1'''&lt;br /&gt;
&lt;br /&gt;
Identity Attributes:  accountType=Staff&lt;br /&gt;
&lt;br /&gt;
Authz Attributes: role=Admin, role = User, project=myProject&lt;br /&gt;
&lt;br /&gt;
'''Mapping 2'''&lt;br /&gt;
&lt;br /&gt;
Identity Attributes: organization=University of Kent&lt;br /&gt;
&lt;br /&gt;
Authz Attributes: role=Member, project=myProject, domain=Kent&lt;br /&gt;
&lt;br /&gt;
'''Mapping 3'''&lt;br /&gt;
&lt;br /&gt;
Identity Attributes: organization=University of Kent, department=Computing&lt;br /&gt;
&lt;br /&gt;
Authz Attributes: role=developer, project=computingProject,	domain=KentComputing&lt;br /&gt;
&lt;br /&gt;
===== Example 1 =====&lt;br /&gt;
User Identity Attributes:	accountType=Staff, 	organization=University of Kent&lt;br /&gt;
&lt;br /&gt;
Returned Authz Attribute Sets: {role : Admin, User;  project : myProject},  {role : Member,  project : myProject, domain : Kent}&lt;br /&gt;
&lt;br /&gt;
Resulting Assignments:&lt;br /&gt;
* User is assigned role: Admin on project: myProject under default domain&lt;br /&gt;
* User is assigned role: User on project: myProject under default domain&lt;br /&gt;
* User is assigned role: Member on project: myProject under domain: Kent&lt;br /&gt;
===== Example 2 =====&lt;br /&gt;
User Identity Attributes:	accountType=Student,	organization=University of Kent&lt;br /&gt;
&lt;br /&gt;
Returned Authz Attribute Sets: {role : Member,  project : myProject, domain : Kent}&lt;br /&gt;
&lt;br /&gt;
Resulting Assignments:&lt;br /&gt;
* User is assigned role: Member on project: myProject under domain: Kent&lt;br /&gt;
&lt;br /&gt;
===== Example 3 =====&lt;br /&gt;
User Identity Attributes:	department=Computing,	organization=University of Kent&lt;br /&gt;
&lt;br /&gt;
Returned Authz Attribute Sets: {role : developer,  project : computingProject, domain : KentComputing}, {role : Member,  project : myProject, domain : Kent}&lt;br /&gt;
&lt;br /&gt;
Resulting Assignments:&lt;br /&gt;
* User is assigned role: Member on project: myProject under domain: Kent&lt;br /&gt;
* User is assigned role: developer on project: computingProject under domain: KentComputing&lt;/div&gt;</summary>
		<author><name>Kwss</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Keystone/Federation/UserIDsInACLs&amp;diff=20449</id>
		<title>Keystone/Federation/UserIDsInACLs</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Keystone/Federation/UserIDsInACLs&amp;diff=20449"/>
				<updated>2013-04-12T10:43:06Z</updated>
		
		<summary type="html">&lt;p&gt;Kwss: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Handling ACLs that use UserIDs in Federated Keystone ==&lt;br /&gt;
 &amp;lt;nowiki&amp;gt;Version 0.5                                  11 April 2013&lt;br /&gt;
Authors: David Chadwick and Kristy Siu &amp;lt;/nowiki&amp;gt;&lt;br /&gt;
&lt;br /&gt;
'''Note''' Not all cloud services use ACLs and UserIDs. Those services that use roles for authorisation are not affected by the issue specified in this blueprint.&lt;br /&gt;
&lt;br /&gt;
=== Introduction ===&lt;br /&gt;
Federated Keystone does not store permanent user entries for users who authenticate via external Identity Providers (IdPs). Instead [https://blueprints.launchpad.net/keystone/+spec/temp-user-creation temporary user entries are created] for the duration of the validity time of the assertion issued by the Identity Provider. In this way, there are no Keystone administration costs associated with managing user entries. User management and provisioning is done by the IdPs. The Keystone federation code creates temporary entries on user login and automatically deletes them when they have expired. (Note that permanent entries can still be created by omitting the validity time when the entry is created.)&lt;br /&gt;
=== Problem Statement ===&lt;br /&gt;
A consequence of this is that the same user, with the same set of identity attributes, will have new temporary user entries created each time he logs into OpenStack (unless the existing temporary entry has not expired). Each temporary entry will have a new user_id assigned to it. So the existing user_id for federated users can no longer be used in service ACLs, as the user’s user_id will change every time he logs in. For example, in Swift, container ACLs can hold user_ids  in one of three forms: (A) tenant_name:user_id, (B) tenant_id:user_id and (C) *:user_id.&lt;br /&gt;
=== Proposed Solution ===&lt;br /&gt;
The solution should not affect existing cloud service providers, and they should not have to change their code, so that adding federation to Keystone is backwards compatible to the non-federated use of Keystone.&lt;br /&gt;
It is the case that users often still have unique identifiers assigned to them by IdPs. These typically come in two forms: identity attributes that are globally unique, such as email address, and persistent Ids (PIds) issued by the IdP to identify the subject of the assertion to the SP. This blueprint places no requirements on IdPs other than that they should issue one of these unique identifiers if the cloud service uses user-ids in its ACLs.&lt;br /&gt;
&lt;br /&gt;
If a cloud service wishes to use federated identities, and also wishes to use user_ids in ACL, then the following solution is proposed:&lt;br /&gt;
&lt;br /&gt;
# 	The IdP must issue the user with an identifier whose value is unique throughout the entire federation. We will call this attribute X (it could be an email address or a PId or any other attribute with the required uniqueness property). &lt;br /&gt;
# 	The protocol specific credential validation code must ensure that attribute X is present in the set of identity attributes that are returned to the Keystone federation controller code. &lt;br /&gt;
# 	The service catalog entry for the IdP may record the name of this attribute in the identifier_attribute parameter e.g. identifier_attribute=attributeX if this is appropriate for the protocol used by the IdP. In cases where the protocol always returns the same unique identifying attribute (e.g. Google IdP always uses OpenID as the unique attribute) then this can be handled by protocol specific code. &lt;br /&gt;
# 	The federation code (FIM Core) that creates temporary user entries will use the value of the identifier attribute as the basis for the value of the user_id when the entry is created. Because the value of this attribute could be arbitrarily long, the FIM Controller will SHA1 hash the attribute value (-&amp;gt; 20 bytes) then convert it to 28 base64 characters.  &lt;br /&gt;
# 	The Keystone code will be modified so that if the value of the user_id is passed on user creation, it will be used, otherwise the code will behave as before and automatically create a new value.&lt;br /&gt;
&lt;br /&gt;
In this way, the cloud service provider is not impacted by the use of federated identities, and is unaware that anything has changed (except that the value of the user_id attribute may be significantly different than before, and could contain a much wider character set, although if the value is converted and stored in hex (using uuid4().hex) then the service will not see any difference at all).&lt;br /&gt;
=== Creating ACLs – The Who Am I? Service ===&lt;br /&gt;
Since the temporary user entry probably won’t exist when the service wants to create the ACL, then there must be a way for the service provider to get the user’s user_id. The following is proposed&lt;br /&gt;
# 	A new Keystone service request/response (the Who Am I? service) will be provided which will allow the user to find out all of his attributes (both IdP provided and Keystone provided).&lt;br /&gt;
# 	The user will enter the two command line parameters –F and -? (F for federated, ? for who am I?)&lt;br /&gt;
# 	The API call will contain the headers X-Authentication-Type: federated and X-Request-Type:WhoAmI&lt;br /&gt;
# 	The FIM Controller will trap this request, and after it has created the temporary user entry and performed the attribute mapping, it will return the set of identity attributes and the unique identifier value issued by the IdP and the Keystone temporary entry that has been created (user name, user id, project, roles etc.)&lt;/div&gt;</summary>
		<author><name>Kwss</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Keystone/Federation/Blueprint&amp;diff=18325</id>
		<title>Keystone/Federation/Blueprint</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Keystone/Federation/Blueprint&amp;diff=18325"/>
				<updated>2013-02-25T12:02:21Z</updated>
		
		<summary type="html">&lt;p&gt;Kwss: /* Implementation Status */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;br /&gt;
= Federated Keystone =&lt;br /&gt;
Providing Federated Access to OpenStack Clouds&lt;br /&gt;
&lt;br /&gt;
Version: 1.2            Author: David W Chadwick                  Date: 22 February 2013&lt;br /&gt;
&lt;br /&gt;
__TOC__&lt;br /&gt;
== Overview ==&lt;br /&gt;
The overall idea is that Keystone will no longer be the only identity service for OpenStack services, but instead, there will be a wide range of identity services distributed around the Internet, called Identity Providers (IdPs). The advantages of using external identity providers are numerous, and include:&lt;br /&gt;
&lt;br /&gt;
* there is no longer any need to provision user entries in Keystone, since the user entries already exist in the IdP's databases.&lt;br /&gt;
* there  is no need to build additional authentication mechanisms into Keystone, since the IdPs take care of authenticating their own users using whichever technologies they deem to be appropriate. So multiple authentication technologies are already in use.&lt;br /&gt;
* there is no need to support users who forget their passwords. The IdPs already do this.&lt;br /&gt;
* multiple collaborating organisations can quickly share the same cloud services by each one using their own local IdP to authenticate their users.&lt;br /&gt;
* it provides single sign on to the user, who can use the same set of credentials with his IdP to access many different services on the Internet.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The way it works is this. The user contacts Federated Keystone, which presents the user with the list of trusted IdPs. The user chooses his IdP from this list, and his client is redirected to it. The user then directly authenticates with his own IdP. Assuming the authentication is successful, the IdP returns an authentication and authorisation token to Keystone, which validates it, then swaps it for the normal unscoped and scoped Keystone tokens which allow the user to access the OpenStack services.&lt;br /&gt;
&lt;br /&gt;
== Guiding Principles ==&lt;br /&gt;
# Each cloud service keeps it existing tenants/projects and roles for authz, and passes the bulk of the work off to Federated Keystone to do the heavy lifting (i.e. interacting with the Identity Providers, validating the various credentials, mapping the attributes into the ones understood by the service etc.).&lt;br /&gt;
# There can be thousands of Identity Providers/Attribute Authoritys with millions of different attributes. It would be too complex for Cloud Service Providers (CSPs) to have to create authz policies based on these. Consequently each Cloud Service Provider has its own limited set of attributes and roles, and only trusts Keystone to issue them. It trusts Keystone to map between the externally provided attributes and the internally understood ones. (In fact the CSPs are unaware of whether Keystone is federated or not.) Federated Keystone is the only known (and trusted) Identity Provider to the Cloud Service Providers. In the non-federated world the architecture degenerates to the current Keystone implementation.&lt;br /&gt;
# Consequently, all Identity Provider/Attribute Authority issued attributes/roles must be globally identifiable, either via their unique name/type (e.g. a URN) or via the name of their issuer (DNS name) and their local name (see Appendix 2).&lt;br /&gt;
# Federated Keystone has a set of trust relationships with a set of external Identity Providers, Authentication Services and Attribute Authoritys. The Keystone administrator enters these trusted entities into (an enhanced) Keystone Service Catalog. The Attribute Mapper of Federated Keystone knows how attributes from these external entities map into the local attributes known by the Cloud Service Providers. This information may be configured into the Keystone administrator, or he may delegate this task to trusted administrators from the Identity Providers (see Blueprint https://blueprints.launchpad.net/keystone/+spec/mapping-distributed-admin).&lt;br /&gt;
# Since external Identity Providers hold all the identity details of the users in their own databases, there is little point in Keystone duplicating this information. Consequently there is no longer any requirement to add users to Keystone's database. Instead, when a federated user contacts Keystone, a temporary entry is automatically created for him by the federation software, and this is only valid for the duration of the user's IdP generated token. When the entry times out, the entry is automatically deleted by the federation software. A consequence of this is that Cloud Service Providers should no longer use Keystone generated User IDs in their access control lists, but instead should use a persistent identity attribute of the user, such as his email address or the PID created by SAML IdPs.&lt;br /&gt;
# Most existing authentication systems rely on usernames and passwords. We have to live with that. Consequently all existing federated authn systems are open to phishing attacks, whereby an evil SP redirects the user to a fake Identity Provider which then captures the user’s un/pw. In the current design the simple client is open to such attacks, whereas the intelligent client (Attribute Aggregator) is not. With the intelligent client, after the user decides which attributes and issuers to use, the Attribute Aggregator performs a directory lookup in the enhanced service catalog to find the issuer in order to obtain its metadata and make a direct request to it. In this case the user cannot be re-directed to a fake issuer by an evil SP and have his password stolen.&lt;br /&gt;
# The user knows which cloud service he wishes to use, so ideally this should be his first port of call (and not Keystone or some external IdP). But given that the existing mode of operation is to contact Keystone first, then we keep this in the first implementation.&lt;br /&gt;
&lt;br /&gt;
== Single Identity Provider, Simple Client ==&lt;br /&gt;
In this mode of operation, the user has a simple client and trusts Federated Keystone (FK) to behave correctly. A single IdP authenticates the user and provides all the user's authorisation attributes to FK.&lt;br /&gt;
&lt;br /&gt;
The downside of a simple client is that it is open to phishing attacks from evil Keystones, which redirect the client to a false IdP in step 10.However, the phishing can be nullified if the IdP uses a zero proof authentication mechanism, since in this case no secrets will be revealed by the simple client. Alternatively the intelligent client ([[AtAg]]) can be used.&lt;br /&gt;
&lt;br /&gt;
The swimlanes that pictorially show this protocol flow are available from dropbox [http://dl.dropbox.com/u/44986510/SwinLaneSimpleClient.pdf SwinLane Simple Client]&lt;br /&gt;
&lt;br /&gt;
# The user launches his federated client &lt;br /&gt;
# The client contacts federated Keystone (FK)&lt;br /&gt;
# FK retrieves the set of trusted Identity Providers from the directory service (enhanced service catalog)&lt;br /&gt;
# FK sends the set of Identity Providers to the client in response to message 2.&lt;br /&gt;
# The user chooses which Identity Provider he wishes to use&lt;br /&gt;
# The client returns the chosen Identity Provider to FK.&lt;br /&gt;
# FK performs a directory lookup on this Identity Provider, and obtains its metadata&lt;br /&gt;
# FK then calls the Request Issuing Service to create an authentication and attribute request in the appropriate format for the chosen Identity Provider.&lt;br /&gt;
# FK returns the Identity Provider request message to the client, along with the address of the Identity Provider&lt;br /&gt;
# The client passes the request to the Identity Provider&lt;br /&gt;
# The Identity Provider asks the user to authenticate by its chosen method (out of scope of this proposal). It could be PKI based, Kerberos based, simple UN/PW, or OTP etc. How strongly the user is authenticated is reflected in the Level of Assurance (LoA) that is returned in the response (providing the protocol supports this).&lt;br /&gt;
# Having identified the user, the Identity Provider returns the authentication and attribute assertion to the client (as a binary blob)&lt;br /&gt;
# The client passes the Identity Provider’s response to FK.&lt;br /&gt;
# FK calls the Credential Validation Service (CVS) to validate the Identity Provider’s response &lt;br /&gt;
# The CVS calls the directory service to get the IdP's meta data in order to validate the response&lt;br /&gt;
# The CVS returns the user's valid attributes to FK&lt;br /&gt;
# FK calls the Attribute Mapping Service to obtain the local set of attributes that are equivalent to the Identity Provider provided set.&lt;br /&gt;
# FK calls the Token Issuing Service (TIS) to obtain an unscoped token for the user&lt;br /&gt;
# FK returns the unscoped token to the user, along with a list of tenants/projects available to the user&lt;br /&gt;
# The user choses which tenant/project he wishes to use&lt;br /&gt;
# The client passes the unscoped token and tenant/project to FK&lt;br /&gt;
# FK calls the token validation service (TVS) to validate the unscoped token&lt;br /&gt;
# FK then calls the TIS to issue a scoped token for the user&lt;br /&gt;
# FK returns the scoped token and list of cloud services at which this can be used to the client.&lt;br /&gt;
# The client contacts the Cloud Service Provider with the scoped token, requesting the service&lt;br /&gt;
# The Cloud Service Provider passes the scoped token to FK for validation&lt;br /&gt;
# FK contacts the TVS to validate the token and gets the response&lt;br /&gt;
# FK sends the reply to the Cloud Service Provider&lt;br /&gt;
# The Cloud Service Provider asks the PDP is the user is authorised for this request&lt;br /&gt;
# The Cloud Service Provider sends the response to the client&lt;br /&gt;
# The client makes additional requests to the Cloud Service Provider using the same scoped token, goto 25.&lt;br /&gt;
&lt;br /&gt;
=== Implementation Status ===&lt;br /&gt;
The simple client mode has now been fully implemented for both the Keystone V2 and V3 APIs, and several existing OpenStack clients have been enhanced to support federated access to Keystone. More enhanced clients are expected to follow in due course. &lt;br /&gt;
&lt;br /&gt;
The Keystone V2 implementation is available from [https://github.com/kwss/keystone.git here]&lt;br /&gt;
&lt;br /&gt;
Until Grizzly is officially released, the Keystone V3 implementation is only available directly from the authors at the University of Kent. Please email them to get your copy&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The Keystone V3 implementation implements the following blueprints&lt;br /&gt;
* Adding IdPs to an enhanced Keystone Service Catalog [https://blueprints.launchpad.net/keystone/+spec/adding-idps-to-service-catalog adding-idps-to-service-catalog] &lt;br /&gt;
* Mapping attributes from Identity Providers to internal OpenStack attributes [https://blueprints.launchpad.net/keystone/+spec/role-mapping-service-keystone role-mapping-service-keystone]&lt;br /&gt;
* Distributed Administration of the Attribute Mapping function [https://blueprints.launchpad.net/keystone/+spec/mapping-distributed-admin mapping-distributed-admin]&lt;br /&gt;
* Federating multiple Keystone services together [https://wiki.openstack.org/wiki/Keystone/Delegation Delegation of Keystone Servers]&lt;br /&gt;
&lt;br /&gt;
== Single Identity Provider, Intelligent Client ==&lt;br /&gt;
''NOTE. There is currently no plan to implement the Intelligent Client, so the following should be regarded as an approximate outline only, and it may contain errors.''&lt;br /&gt;
&lt;br /&gt;
This mode protects the client from phishing attacks by evil Keystones and other services since the intelligent client decides for itself how to contact the user’s Identity Provider. It therefore cannot be redirected to an evil CSP. The swimlane diagram for the Intelligent Client can be found here  [[attachment:SwimlaneIntelClient.pdf]]&lt;br /&gt;
&lt;br /&gt;
# The user types in his request to the client&lt;br /&gt;
# The user contacts the Cloud Service to request a service&lt;br /&gt;
# The Cloud Service Provider sends the client its attribute requirements policy (ARP) and the address of the Openstack Gateway to contact.&lt;br /&gt;
# The client passes the ARP to Openstack Gateway&lt;br /&gt;
# Openstack Gateway calls the Attribute Mapping Service to convert the ARP into one that contains the external attributes and Identity Providers that may be capable of fulfilling the policy.&lt;br /&gt;
# Openstack Gateway passes the set of external attributes and Identity Providers back to the client as an External Attributes Requirements Policy (EARP).&lt;br /&gt;
# The client passes the policy to its intelligent Attribute Aggregation component ([[AtAg]]) which filters the policy against the user’s attributes.&lt;br /&gt;
# Attribute Aggregator asks the user which of his possible attributes and Identity Providers he wants to use to access the Cloud Service Provider e.g. he may have several roles, credit cards, email addresses etc. and can choose between them. He may have several Identity Providers that can fulfil the policy. The user chooses his preferred Identity Provider and attributes.&lt;br /&gt;
# Attribute Aggregator contacts the Directory service, passing it the name of the user’s chosen Identity Provider, to find out the latest contact details (meta information) of it. Note. If Attribute Aggregator has this information configured into it, then this step can be omitted.&lt;br /&gt;
# Attribute Aggregator contacts the Request Issuing Service (RIS) to obtain a properly formatted Authn request in the correct protocol. It is returned a binary blob (the Identity Provider authentication and attribute request message). The attribute request contains the mapped set of attributes required by the cloud service. Note that the intelligent Attribute Aggregator may have the RIS as a built in service.&lt;br /&gt;
# Attribute Aggregator contacts the chosen Identity Provider, sending it the binary blob.&lt;br /&gt;
# The Identity Provider authenticates the user by its chosen method (out of scope of this proposal). It could be PKI based, Kerberos based, simple UN/PW, or OTP etc. How strongly the user is authenticated is reflected in the Level of Assurance (LoA) that is returned in the response (providing the protocol supports this).&lt;br /&gt;
# Having identified the user, the Identity Provider returns the authentication and attribute assertion to Attribute Aggregator (as a binary blob)&lt;br /&gt;
# Attribute Aggregator passes this response to the client&lt;br /&gt;
# The client passes the assertion to Openstack Gateway.&lt;br /&gt;
# Same as Single Identity Provider, Simple Client from now onwards&lt;br /&gt;
&lt;br /&gt;
== Mode of Operation with Holder of Key Verification ==&lt;br /&gt;
In both of the single Identity Provider modes the assertions returned by the client to federated Keystone are bearer credentials. Furthermore the tokens (scoped and unscoped) produced by Keystone are also bearer credentials. This means that federated Keystone cannot be certain that the credentials produced by the IdP actually belong to the client that is presenting them. Furthermore, the cloud service providers cannot be sure that the token presented by the user actually belongs to the user. Using holder of key verification, the client creates a new key pair for each session, and the Identity Provider inserts the public key into the assertions. The client can then prove to federated Keystone (by signing a message) that it has the private key that corresponds to the public key in the assertions, and therefore that the assertions belong to it. Similarly the client can prove to the cloud services that the token belongs to it, by signing a message to the cloud service. The protocol steps are the same as before, but the protocol messages are different as stated below.&lt;br /&gt;
&lt;br /&gt;
* For Single Identity Provider, Simple Client, the procedure is the same until step 11 when the client creates a new key pair for the user and includes the public key in the authentication exchange with the Identity Provider. In step 12 the Identity Provider includes the public key in the response that it creates for federated Keystone. In step 13 the client signs the message containing the Identity Provider’s response. This allows federated Keystone to prove, in step 14, that the client is the rightful owner of the Identity Provider’s response. In step 18 Keystone's token issuing service inserts the user's public key into the token, and in step 21 the client signs the request message to Keystone, which validates it in step 22. This process is repeated again in steps 23 to 27, so that now the cloud service provider can validate that the client is the rightful owner of the token.&lt;br /&gt;
Note that the whole token model and structure that Keystone currently uses needs enhancing to overcome its current multiple limitations (replayable, copyable, escalation of privileges etc.) but this is outside the scope of the current blueprint.&lt;br /&gt;
&lt;br /&gt;
* ''Note that this text has not been corrected''. For Single Identity Provider, Intelligent Client, the procedure is the same until step 11 when Attribute Aggregator creates a new key pair for the user, and includes the public key in the user’s authentication exchange with the Identity Provider. In step 12 the Identity Provider includes the public key in the response that it creates for the Openstack Gateway. In step 13 Attribute Aggregator passes the new key pair back to the client along with the Identity Provider’s response. In step 14 the client signs the message containing the Identity Provider’s response with its private key. This allows Openstack Gateway to prove that the client is the rightful owner of the Identity Provider’s response.&lt;br /&gt;
&lt;br /&gt;
== Mode of Operation using an Authentication Service and Attribute Authority ==&lt;br /&gt;
''NOTE. There is currently no plan to implement a separate Authentication Service and Attribute Authority, so the following should be regarded as an approximate outline only, and it may contain errors.''&lt;br /&gt;
&lt;br /&gt;
In this mode of operation the attribute authority uses an external authentication service to authenticate clients who want to retrieve attributes from it. Attribute Authorities work in the following way. An unknown user contacts the Attribute Authority for a service, and the Attribute Authority redirects the user to one of its trusted Authentication Services (or Identity Providers). The user must already have a relationship with one of these trusted authentication services. The user authenticates to the Authentication Service (or Identity Provider) and the Authentication Service returns to the Attribute Authority an authentication assertion containing a persistent ID (PID). From now on, the Attribute Authority will know this user as PID issued by Authentication Service. The user pays the Attribute Authority for the service and the Attribute Authority issues the user with an attribute, which it stores permanently in its database along with the user’s ID (PID@AS). Whenever the user wishes to retrieve its attribute, it must contact the Attribute Authority, be redirected to the same Authentication Service (or Identity Provider), authenticate, and then the Attribute Authority can validate the identity of the user (PID@AS) and issue it with an attribute assertion, or possibly with an authentication and attribute assertion (depending upon whether the Attribute Authority is willing to underwrite the authentication performed by the Authentication Service. Clearly it is to some extent, otherwise it would not issue the attribute assertion. See also Appendix 1). The user ID in the attribute (and authentication) assertion may be a random ID, the same PID as that issued by the Authentication Service, or a different PID generated by the Attribute Authority (in which case the Attribute Authority will need to keep the PID mappings). The user should be able to choose which type of ID it requires in the attribute assertion.&lt;br /&gt;
&lt;br /&gt;
The swimlanes for this protocol flow can be found here [[attachment:SwimlaneAA+AS.pdf]]&lt;br /&gt;
&lt;br /&gt;
# The user contacts the Cloud Service to request a service&lt;br /&gt;
# The Cloud Service Provider sends the client its attribute requirements policy (ARP) and the address of the Openstack Gateway to contact.&lt;br /&gt;
# The client passes the ARP to Openstack Gateway&lt;br /&gt;
# Openstack Gateway calls the Attribute Mapping Service to convert the ARP into one that contains the external attributes, Attribute Authoritys, Authentication Services and Identity Providers that may be capable of fulfilling the policy. Note that an Authentication Service will only occur in this policy if the Openstack Gateway requires a PID for the user from a trusted Authentication Service (and does not trust the Attribute Authority to issue one). Note that if the ARP is fixed then the mapping can also be fixed.&lt;br /&gt;
# Openstack Gateway passes the set of external attributes, Attribute Authoritys, Authentication Services and Identity Providers back to the client as an External Attributes Requirements Policy (EARP).&lt;br /&gt;
# The client passes the policy to its intelligent Attribute Aggregation component ([[AtAg]]) which filters the policy against the user’s attributes.&lt;br /&gt;
# Attribute Aggregator asks the user which of his possible attributes (and issuers) he wants to use to access the Cloud Service Provider e.g. he may have several roles, credit cards, email addresses etc. and can choose between them. He may have several Identity Providers and Attribute Authoritys that can fulfil the attribute requirements of the policy. The user chooses his preferred attributes (and its issuer).&lt;br /&gt;
# Attribute Aggregator contacts the Directory service, passing it the name of the user’s chosen Attribute Authority, to find out the latest contact details (meta information) of it. Note. If Attribute Aggregator has this information configured into it, then this step can be omitted.&lt;br /&gt;
# Attribute Aggregator contacts the Request Issuing Service (RIS) to obtain a properly formatted Attribute request in the correct protocol. It is returned a binary blob (the attribute request message). The attribute request contains the set of attributes required by Openstack Gateway. Note that the intelligent Attribute Aggregator may have the RIS as a built in service.&lt;br /&gt;
# Attribute Aggregator contacts the chosen Attribute Authority, sending it the binary blob.&lt;br /&gt;
# The Attribute Authority asks Attribute Aggregator to authenticate via its Authentication Service, passing it the login URL. The Attribute Authority may only use one Authentication Service, or it may use several in which case it will ask Attribute Aggregator (i.e. the user) to choose which Authentication Service it normally uses.&lt;br /&gt;
# The user chooses which Authentication Service he wants to use&lt;br /&gt;
# Attribute Aggregator contacts the Authentication Service at its login URL.&lt;br /&gt;
# Authentication Service authenticates the user by its chosen method (out of scope of this proposal). It could be PKI based, Kerberos based, simple UN/PW, or OTP etc. How strongly the user is authenticated is reflected in the Level of Assurance (LoA) that is returned in the response (providing the protocol supports this).&lt;br /&gt;
# Having identified and authenticated the user, the Authentication Service returns the authentication assertion to Attribute Aggregator containing the PID of the user (as a binary blob)&lt;br /&gt;
# Attribute Aggregator passes the assertion to the Attribute Authority.&lt;br /&gt;
# The Attribute Authority validates the assertion, looks up the user in its database and returns the attribute (and possibly authentication) assertion to Attribute Aggregator&lt;br /&gt;
# Depending upon Openstack Gateway’s EARP, Attribute Aggregator may return either the attribute (and authentication) assertion from the Attribute Authority, or the attribute assertion from the Attribute Authority and the authentication assertion from Authentication Service to the client.&lt;br /&gt;
# The client passes the response to Openstack Gateway.&lt;br /&gt;
# From now on it is the same as from step 15 in the single Identity Provider, simple client case.&lt;br /&gt;
&lt;br /&gt;
== Mode of Operation with Attribute Aggregation ==&lt;br /&gt;
''NOTE. There is currently no plan to implement attribute aggregation, so the following should be regarded as an approximate outline only, and it may contain errors.''&lt;br /&gt;
&lt;br /&gt;
Attribute aggregation is required when the Openstack Gateway needs attributes from multiple trusted sources and a single Identity Provider is insufficient to verify the identity of the user. Thus multiple Identity Providers are required (or multiple Attribute Authoritys and an Identity Provider or Authentication Service).&lt;br /&gt;
&lt;br /&gt;
With multiple Identity Providers it would be possible to simply ask the user to authenticate to each Identity Provider separately in order to pick up each set of attributes. Multiple authentication exchanges are inconvenient to the user, so the mechanism should be able to support SSO. However, SSO requires that some component stores the PIDs of the user at each Identity Provider/Authentication Service and can map between them, or that the user is known by the same PID at each Identity Provider/Authentication Service, which is unlikely (unless it is a government issued eID). A crude SSO mechanism is that the Attribute Aggregator could securely store the user’s credentials at each Identity Provider and have one strong master PW to unlock them all. Then Attribute Aggregator could authenticate directly to each Identity Provider in order to pick up the user’s attributes.&lt;br /&gt;
&lt;br /&gt;
If we have Attribute Authorities and Authentication Services, if each Attribute Authority uses/trusts the same Authentication Service (or Identity Provider), then the Authentication Service can issue PIDs for each Attribute Authority, and use SSO when each Attribute Authority redirects the user to it for authentication. In this case the Attribute Authorities only need to trust the same Authentication Service and Attribute Aggregator can aggregate all the attribute assertions by contacting each Attribute Authority in turn, and then send the full set of attributes to the Openstack Gateway.&lt;br /&gt;
&lt;br /&gt;
It is also possible for Identity Providers to mutually trust each other and allow SSO between themselves. This can work as follows. The user authenticates to one Identity Provider, which asks the user if he wants to federate his identity with another Identity Provider. If the user agrees, Identity Provider1 (acting as an SP) redirects the user to Identity Provider2, whereupon the user authenticates and Identity Provider2 returns the user’s PID2 to Identity Provider1. From now on the user can pick up his attributes from Identity Provider1 by being authenticated by Identity Provider2. The user goes to Identity Provider1, is redirected by Identity Provider1 to Identity Provider2, where he authenticates, his PID2 is sent to Identity Provider1, whereupon his attributes are returned to him. If all the Identity Providers federate with and trust Identity Provider2, it can hold the set of PIDs for this user, and the user can use Identity Provider2 for SSO. Attribute Aggregator can collect attribute assertions from each Identity Provider in turn to give to Openstack Gateway, and the user only needs to authenticate once (to Identity Provider2).&lt;br /&gt;
&lt;br /&gt;
If the user has not federated all his Attribute Authorities and Identity Providers to a single authentication service (Authentication Service or Identity Provider) then SSO is not possible without additional support from Attribute Aggregator. We can use Attribute Aggregator to hold the PID mappings as follows. Attribute Aggregator has its own key pair, certified by a CA trusted by the federation Identity Providers. Attribute Aggregator initially acts as an SP to each Identity Provider and asks the Identity Provider to authenticate the user. The user authenticates to the Identity Provider, which returns the user’s PID to Attribute Aggregator. Attribute Aggregator can subsequently mutually authenticate with the Identity Provider using its key pair, and ask to pick up the user’s attributes by quoting the relevant PID.  Providing the Identity Provider is happy to release the user’s attributes at any time to the Attribute Aggregator SP, this will work. If however, the Identity Provider wants proof that the user is currently logged in to the SP, then Attribute Aggregator can give the Identity Provider the current authentication assertion issued to the user by the current Authentication Service. Providing the Identity Provider trusts this Authentication Service it should be prepared to return the user’s attributes to Attribute Aggregator. Alternatively, Attribute Aggregator could securely store the user’s authentication credentials at each Identity Provider and have one strong master PW to unlock them all. Then Attribute Aggregator could authenticate directly to each Identity Provider in order to pick up the user’s attributes.&lt;br /&gt;
&lt;br /&gt;
In the flow below we assume that the user has federated all his attribute issuers (Attribute Authoritys and Identity Providers) with a single authentication service (AS). The protocol flow is the same as that in using an Authentication Service and Attribute Authority, up to step 17, after which one or more additional Attribute Authorities are contacted. The protocol flow then resumes as in step 18 of using an Authentication Service and Attribute Authority.&lt;br /&gt;
&lt;br /&gt;
The swimlanes for this protocol flow is available here  [[attachment:SwimlaneAttAgg.pdf]]&lt;br /&gt;
&lt;br /&gt;
18. Attribute Aggregator contacts RIS asking for an attribute request for AA2 and is returned the binary message.&lt;br /&gt;
&lt;br /&gt;
19. Attribute Aggregator passes the message to AA2 asking for the user’s attributes&lt;br /&gt;
&lt;br /&gt;
20. The Attribute Authority asks Attribute Aggregator to authenticate via its Authentication Service, passing it the login URL. The Attribute Authority may only use one Authentication Service, or it may use several in which case it will ask Attribute Aggregator (i.e. the user) to choose which Authentication Service it normally uses.&lt;br /&gt;
&lt;br /&gt;
21. Attribute Aggregator chooses the Authentication Service already in use and contacts the Authentication Service at its login URL passing it the existing session cookie.&lt;br /&gt;
&lt;br /&gt;
22. Authentication Service sees that the user is currently logged in, so returns the authentication assertion for AA2 (containing the PID of the user) to Attribute Aggregator&lt;br /&gt;
&lt;br /&gt;
23. Attribute Aggregator forwards the authentication assertion to AA2&lt;br /&gt;
&lt;br /&gt;
24. AA2 validates the assertion, looks up the user in its database and returns the attribute (and possibly authentication) assertion to Attribute Aggregator&lt;br /&gt;
&lt;br /&gt;
25. Attribute Aggregator returns the complete set of assertions to the client as in step 18 of using an Authentication Service and Attribute Authority&lt;br /&gt;
&lt;br /&gt;
== Appendix 1. Attribute Assertions vs Authentication Assertions ==&lt;br /&gt;
Once we progress towards an attribute based authorisation infrastructure, the difference between attribute and authentication assertions should disappear. The former is a more generic assertion than the latter. Authn assertions only contain an ID attribute (which may be a public key) plus details of how strongly the user was authenticated. Attribute assertions may contain any attribute (including an ID attribute or public key) and should contain details of how strongly the user was authenticated in order to obtain the attribute assertion. Thus we should be able to dispense with authentication assertions and only have attribute assertions, providing of course each attribute assertion contains details of how strongly the user was authenticated in order to obtain it.&lt;br /&gt;
&lt;br /&gt;
== Appendix 2. Attributes vs Attribute Authorities ==&lt;br /&gt;
Attributes may be globally defined, e.g. visa attributes, or locally defined e.g. member of club X. Globally defined attributes are often specified in international standards and may be used in several different domains and federations. Their syntax and semantics are fixed, regardless of which Attribute Authority issues them. Local attributes are defined by their issuing attribute authority and usually are only valid in the domain or federation in which the Attribute Authority is a member. For locally identifiable attributes the attribute authority (issuer) must be globally identifiable (in the federation). The attribute then becomes globally identifiable through hierarchical naming (Attribute Authority.attribute).&lt;br /&gt;
&lt;br /&gt;
Trust in an attribute assertion is always decided by the relying party. However, relying parties would normally only trust local attributes that are issued by the Attribute Authority which defines them. For example. No RP would believe an Attribute Authority who said I was a member of club X, if the Attribute Authority for club X was not prepared to assert this. (Note that with delegation of authority this is slightly different, because a member of club X may also act as an Attribute Authority and assert that someone else is a member of club X. But the original assertion of membership came from the Attribute Authority (or SoA) of club X.)&lt;br /&gt;
&lt;br /&gt;
Globally defined attributes may be issued by many different Attribute Authoritys. So the RP has to specify which Attribute Authority it trusts to issue which globally defined attributes. If an attribute is very popular there may be hundreds or thousands of Attribute Authoritys which issue it, e.g. role. The Visa attribute is one such attribute which is issued by hundreds of banks (as plastic credit cards). However, in the Visa case, it supports delegation of authority and there is only one Source of Authority for the Visa attribute. Relying parties have a central service they can contact to ask if the issuer and attribute assertion (credit card) is valid or not. So they do not need to specify who they trust to issue this attribute, they simply specify that they accept this attribute, regardless of who issued it, because they have a trusted server for checking if the issuer (and the assertion) is genuine or not. Note that in the case of Visa these are long lived assertions, so a means of revocation checking is essential. In this case the revocation checking process serves to check if the issuer is trusted as well as if the assertion is still valid. When we use short lived assertions the situation is different, since there is no revocation checking mechanism. It is deemed to be not needed since a valid assertion will never be revoked. But we still have the issue of knowing whether the issuer is genuine or not. Simply checking the digital signature is not enough, since anyone can get a valid PKC from Verisign and with this can sign anything. Consequently anyone can issue a short lived Visa attribute assertion. So how does the relying party know if this is a valid issuer or not, given that there is no revocation checking mechanism? One solution is for the RP to keep a list of trusted Attribute Authoritys for each globally defined attribute. But this potentially has a scalability problem. Delegation of authority is the way of solving the scalability issue. In this case we have one root Attribute Authority (the Source of Authority, SoA) and all other Attribute Authoritys are delegated by it. In this case the RP only needs to trust the SoA and then any Attribute Authority delegated by the SoA is a trusted Attribute Authority. We can support delegation of authority either by having assertion chains (SoA-&amp;gt; Attribute Authority) or a central service run by the SoA for checking the validity of an Attribute Authority (as in the Visa case).&lt;br /&gt;
&lt;br /&gt;
== Glossary ==&lt;br /&gt;
AA  – Attribute Authority. An authoritative source of user attributes E.g. a  bank can provide a credit card attribute, a university a degree  attribute, an employer the role attribute etc.&lt;br /&gt;
&lt;br /&gt;
AM – Attribute Mapper. Maps from externally provided attributes into  the equivalent internal attributes (roles/projects etc) used by cloud services, or vice versa.&lt;br /&gt;
&lt;br /&gt;
ARP – Attribute Requirements Policy. Created by a service provider to  inform the user which attributes, from which trusted authorities, and to  which level of assurance, are needed in order to access the service&lt;br /&gt;
&lt;br /&gt;
AS  – Authentication Service. Is able to authenticate a user and issue an  (authentication) assertion containing a unique persistent identifier  (PID) for each user. May or may not know who the user actually is in the  physical world – this is specified in the Level of Assurance of the  issued assertion - but can determine that it is the same virtual user  every time. One can consider an AS to be an Identity Provider that only issues a PID  attribute and no other attribute.&lt;br /&gt;
&lt;br /&gt;
[[AtAg]]  – Attribute Aggregator, an intelligent component of the client that is responsible for  evaluating the service’s attribute requirements policy, and then  contacting the set of Identity Providers/AAs/ASs as necessary to obtain the identity  attributes required to access the service. It is fully controlled by the  user. It knows which Identity Providers and AAs hold which attributes for this user.  It also holds user self-asserted attributes. It may also know how to  authenticate the user to each Identity Provider and AA/AS.&lt;br /&gt;
&lt;br /&gt;
Authz  – Authorisation Service. Given an authz request “can a user with these  identity attributes access this resource” typically returns granted or  denied&lt;br /&gt;
&lt;br /&gt;
Client – the basic software necessary for interfacing to the  cloud on behalf of the user. Could be a standard browser or command line  client.&lt;br /&gt;
&lt;br /&gt;
Cloud Service Provider 1…n (CSPs) – these are the cloud service  providers that are using the [[OpenStack]] Gateway to provide is identity and access management functionality&lt;br /&gt;
&lt;br /&gt;
CVS  – Credential Validation Service. Given an authentication and/or  attribute assertion will return the set of valid identity attributes. Is  driven by a credential validation policy&lt;br /&gt;
&lt;br /&gt;
Dir  – Directory Service (enhanced Keystone Service Catalog). Contains the set of identity and attribute  authorities and cloud service providers and the  information needed to contact them (so called meta data). &lt;br /&gt;
&lt;br /&gt;
IdP  – Identity Provider. A combination of an Authentication Service and  Attribute Authority. Can issue authentication and attribute assertions.&lt;br /&gt;
&lt;br /&gt;
FK – Federated Keystone. An enhanced version of Keystone which can federate with external Identity Providers. It is a proxy IDP, in that it is seen to be an IdP by the CSPs, but a service provider by the external IdPs.&lt;br /&gt;
&lt;br /&gt;
RIS  – Request Issuing Service. Given the output of the directory service,  issues the federated authentication and attribute request in the  appropriate protocol. There may be one RIS per federation protocol that  is supported.&lt;br /&gt;
&lt;br /&gt;
TIS – Token Issuing Service. Provides tokens to OG for it to give to the user/client&lt;br /&gt;
&lt;br /&gt;
TVS – Token Validation Service. Validates the tokens given to OG by the Cloud Service Providers&lt;br /&gt;
&lt;br /&gt;
== MSc Dissertation ==&lt;br /&gt;
An MSc dissertation describing the first prototype implementation can be downloaded from [http://dl.dropbox.com/u/44986510/Yanndissertation.pdf MSc Dissertation]. Please note that the current implementation is already an enhancement of this, and has started to remove many of the limitations of the original implementation. Nevertheless the disseration provides useful backgroung reading to implementors&lt;/div&gt;</summary>
		<author><name>Kwss</name></author>	</entry>

	</feed>