- Keystone can now act as a federated identity provider (IdP) for another instance of Keystone by issuing SAML assertions for local users, which may be ECP-wrapped.
- Added support for OpenID Connect as a federated identity authentication mechanism.
- Added the ability to associate many "Remote IDs" to a single identity provider in Keystone. This will help in a case where many identity providers use a common mapping.
- Added the ability for a user to authenticate via a web browser with an existing IdP, through a Single Sign-On page.
- Federated tokens now use the `token` authentication method, although both `mapped` and `saml2` remain available.
- Federated users may now be mapped to existing local identities.
- Groups specified in the mapping rulesets can be identified by name and domain.
- Groups appearing in federated identity assertions may now be automatically mapped as locally existing groups with local user membership mappings (filtered by white and blacklists).
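An illustrative mapping ruleset for the last two items above (an added example in Keystone's mapping-rule format, not taken from the release notes themselves; the group names, domain name and remote attribute names are assumed): the first rule maps the remote `UserName` to a local user and places it in an existing group identified by name and domain, while the second rule maps the assertion's `groups` attribute onto locally existing groups of the same names, admitting only those on the whitelist and rejecting those on the blacklist.

```json
[
    {
        "local": [
            {"user": {"name": "{0}"}},
            {"group": {"name": "federated-users", "domain": {"name": "Default"}}}
        ],
        "remote": [
            {"type": "UserName"},
            {"type": "orgPersonType", "any_one_of": ["Contractor", "Employee"]}
        ]
    },
    {
        "local": [
            {"groups": "{0}", "domain": {"name": "Default"}}
        ],
        "remote": [
            {"type": "groups", "whitelist": ["developers", "operators"]},
            {"type": "groups", "blacklist": ["cloud-admins"]}
        ]
    }
]
```

Because a mapping rule is what decides which identity-provider attributes become local privileges, treat it like an access-control policy: keep the whitelist explicit and review any rule that maps a remote attribute onto an administrative group.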