Keystone to Keystone Federation allows multiple OpenStack deployments to share the same identity source. It is useful for cross-region sites where one site is used as the identity source.

Keystone to Keystone configuration uses two VMware Integrated OpenStack deployments. The Keystone instance on site B (the Service Provider) authenticates users directly against the Keystone instance on site A (the Identity Provider), and the Keystone instance on site A authenticates them against its own SQL or LDAP backend. Users therefore keep one set of credentials on site A and receive tokens on site B through the federation mapping.

Prerequisites

Verify that the public endpoint of the site B deployment is reachable from the internal network of the site A deployment.

Procedure

  1. Log into the VMware Integrated OpenStack deployment on site A.
    1. Enable Keystone as an Identity Provider
      viocli federation idp-metadata set

      Enter values at the prompts. These values populate the Keystone [saml] identity provider settings and are published in the SAML metadata that every Service Provider reads, so enter only contact details you are willing to expose.

      | Prompt | Description | Sample Value |
      |---|---|---|
      | Lang | Language of the metadata | en |
      | Organization | Identity Provider organization name | SAML Identity Provider |
      | Identity provider display name | Identity Provider display name | OpenStack SAML Identity Provider |
      | Organization URL | URL of the Identity Provider organization | https://www.vmware.com |
      | Company name of contact person | Company name of the Identity Provider contact person | Example, Inc. |
      | Given name of contact person | Given name of the Identity Provider contact person | John |
      | Surname of contact person | Surname of the Identity Provider contact person | Doe |
      | Email of contact person | Email address of the Identity Provider contact person | john.doe@vmware.com |
      | Telephone of contact person | Phone number of the Identity Provider contact person | +1 800 555 0100 |
      | Type of contact | Contact type: other, technical, support, administrative, or billing | technical |

    2. Trigger VMware Integrated OpenStack identity configuration.
      viocli identity configure

      This command reconfigures the identity services; expect a period of downtime for your VMware Integrated OpenStack deployment while it runs.

    3. Add a Keystone Service Provider for the Keystone instance running on site B.
      viocli federation service-provider add

      Enter values at the prompts.

      | Prompt | Description | Sample Value |
      |---|---|---|
      | Service Provider name | Unique name for the Service Provider. Use only characters that are valid in a URL path: no spaces or special characters. | keystone_180 |
      | Description | Human readable description of the Service Provider. | Keystone @ 192.168.112.180 |
      | Keystone address | Address of the Keystone instance on site B, including scheme and port. | https://192.168.112.180:5000 |
      | Keystone IdP name | Name under which site B registers the site A Keystone as an Identity Provider (the Identity provider name entered on site B later in this procedure). The value is used in the Service Provider's federated auth URL, so it must match that name exactly. | keystone_160 |

    4. Trigger VMware Integrated OpenStack identity configuration.
      viocli identity configure
  2. Log into the VMware Integrated OpenStack deployment on site B.
    1. Add a Keystone Identity Provider.
      viocli federation identity-provider add

      Enter values at the prompts.

      | Prompt | Description | Sample Value |
      |---|---|---|
      | Identity provider type | Enter keystone. The value is case insensitive. | keystone |
      | Identity provider name | Unique name for the Identity Provider. Use only characters that are valid in a URL path: no spaces or special characters. This is the value entered as the Keystone IdP name on site A. | keystone_160 |
      | Identity provider display name | Human readable name shown for the Identity Provider in Horizon. | Keystone @ 192.168.112.160 |
      | Description | Human readable description of the Identity Provider in Keystone and VMware Integrated OpenStack. | Keystone @ 192.168.112.160 |
      | Keystone address to be federated | Address of the Keystone instance on site A that acts as the Identity Provider. | 192.168.112.160 |
      | Enter the name of the domain that federated users associate with | Domain to which all federated users belong. If unsure, enter Default. If the domain does not exist, VMware Integrated OpenStack creates it. | Default |
      | Enter the name of the groups that federated users associate with (separated by commas ",") | Groups to which all federated users belong. If you use a customized mapping file, list every group it defines. If no mapping file exists, VMware Integrated OpenStack creates the groups within the domain. | Keystone Federated Users |

      Federated users receive exactly the roles assigned to these groups, so grant the groups only the roles that cross-site users need.

    2. Trigger VMware Integrated OpenStack identity configuration.
      viocli identity configure

      This command reconfigures the identity services; expect a period of downtime for your VMware Integrated OpenStack deployment while it runs.
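
Verifying the result

Once both sites are configured, the most common failure is a mismatch between the Keystone IdP name entered on site A and the Identity provider name entered on site B, because site A embeds that name in the Service Provider's federated auth URL. The script below is an added example, not part of the VMware Integrated OpenStack documentation or of viocli: it uses the standard Keystone v3 OS-FEDERATION API to cross-check the two sites and keystoneauth1 to perform a real Keystone to Keystone login. The addresses and names are the sample values from the procedure, the Shibboleth style sp_url path and the site A entity ID in the constructed sample data are assumptions, and the Default domain and the requests and keystoneauth1 packages are assumed for the live checks.

```python
"""Consistency and login checks for a Keystone-to-Keystone federation pair.

Added example, not VMware Integrated OpenStack or viocli code. The offline
function check_k2k_pair needs only the standard library; fetch_and_check and
k2k_login talk to live Keystones and need requests / keystoneauth1.
"""
import re
from urllib.parse import urlparse

# Keystone's federated authentication endpoint on a Service Provider. The
# identity provider name in this path is what the "Keystone IdP name" prompt
# on site A supplies, and it must equal the name registered on site B.
AUTH_URL_RE = re.compile(
    r"^/v3/OS-FEDERATION/identity_providers/([^/]+)/protocols/([^/]+)/auth$")

# Characters accepted in provider names (assumption: URL-path-safe subset).
NAME_RE = re.compile(r"[A-Za-z0-9_.-]+")


def is_url_safe_name(name):
    """True if a Service Provider or Identity Provider name is safe in a URL path."""
    return bool(NAME_RE.fullmatch(name))


def check_k2k_pair(site_a_service_providers, site_b_identity_providers, site_b_keystone):
    """Return the problems found; an empty list means the pair is consistent.

    site_a_service_providers: "service_providers" from
        GET <site A>/v3/OS-FEDERATION/service_providers (admin token)
    site_b_identity_providers: "identity_providers" from
        GET <site B>/v3/OS-FEDERATION/identity_providers (admin token)
    site_b_keystone: the Keystone address entered on site A, e.g. https://192.168.112.180:5000
    """
    problems = []
    site_b_host = urlparse(site_b_keystone).netloc
    idps = {idp["id"]: idp for idp in site_b_identity_providers}
    found = False
    for sp in site_a_service_providers:
        sp_url = urlparse(sp.get("sp_url", ""))
        auth_url = urlparse(sp.get("auth_url", ""))
        if site_b_host not in (sp_url.netloc, auth_url.netloc):
            continue  # a Service Provider for some other site
        found = True
        if not is_url_safe_name(sp["id"]):
            problems.append(f"service provider name {sp['id']!r} is not URL safe")
        if not sp.get("enabled", False):
            problems.append(f"service provider {sp['id']} on site A is disabled")
        if sp_url.scheme != "https" or auth_url.scheme != "https":
            problems.append(f"service provider {sp['id']}: sp_url and auth_url must use https, "
                            "the SAML assertion and the federated token travel over them")
        match = AUTH_URL_RE.match(auth_url.path)
        if not match:
            problems.append(f"service provider {sp['id']}: auth_url {sp.get('auth_url')!r} "
                            "is not a Keystone federated auth endpoint")
            continue
        idp_name, protocol = match.groups()
        if idp_name not in idps:
            problems.append(f"site A expects site B to know it as identity provider "
                            f"{idp_name!r}, but site B has: {sorted(idps) or 'none'}")
        elif not idps[idp_name].get("enabled", False):
            problems.append(f"identity provider {idp_name!r} on site B is disabled")
        if protocol != "saml2":
            problems.append(f"service provider {sp['id']}: protocol {protocol!r} is not saml2")
    if not found:
        problems.append(f"site A has no service provider pointing at {site_b_host}")
    return problems


def fetch_and_check(site_a_keystone, site_b_keystone, token_a, token_b, verify=True):
    """Live version of check_k2k_pair: pull both lists with admin tokens."""
    import requests  # imported here so the offline check needs only the stdlib
    hdr_a, hdr_b = {"X-Auth-Token": token_a}, {"X-Auth-Token": token_b}
    sps = requests.get(f"{site_a_keystone}/v3/OS-FEDERATION/service_providers",
                       headers=hdr_a, verify=verify, timeout=10)
    sps.raise_for_status()
    idps = requests.get(f"{site_b_keystone}/v3/OS-FEDERATION/identity_providers",
                        headers=hdr_b, verify=verify, timeout=10)
    idps.raise_for_status()
    return check_k2k_pair(sps.json()["service_providers"],
                          idps.json()["identity_providers"], site_b_keystone)


def k2k_login(site_a_keystone, username, password, project, service_provider,
              remote_project, verify=True):
    """End-to-end check: log in on site A, obtain a SAML assertion scoped to the
    Service Provider, exchange it at site B for a token scoped to remote_project.
    Same flow as: openstack --os-auth-url <site A>/v3 --os-service-provider
    keystone_180 --os-remote-project-name <project> token issue
    (domain "Default" on both sides is an assumption)."""
    from keystoneauth1 import session
    from keystoneauth1.identity import v3
    local = v3.Password(auth_url=f"{site_a_keystone}/v3", username=username,
                        password=password, user_domain_name="Default",
                        project_name=project, project_domain_name="Default")
    remote = v3.Keystone2Keystone(local, service_provider, project_name=remote_project,
                                  project_domain_name="Default")
    sess = session.Session(auth=remote, verify=verify)
    access = remote.get_access(sess)  # the token issued by site B
    return {"user_id": access.user_id, "project_id": access.project_id}


# Constructed sample API responses for the pair in this procedure (not captured).
SITE_A_SERVICE_PROVIDERS = [{
    "id": "keystone_180", "description": "Keystone @ 192.168.112.180", "enabled": True,
    "sp_url": "https://192.168.112.180:5000/Shibboleth.sso/SAML2/ECP",  # path assumed
    "auth_url": "https://192.168.112.180:5000/v3/OS-FEDERATION/identity_providers/"
                "keystone_160/protocols/saml2/auth",
}]
SITE_B_IDENTITY_PROVIDERS = [{
    "id": "keystone_160", "description": "Keystone @ 192.168.112.160", "enabled": True,
    "remote_ids": ["https://192.168.112.160:5000/v3/OS-FEDERATION/saml2/idp"],  # assumed
}]

if __name__ == "__main__":
    for line in check_k2k_pair(SITE_A_SERVICE_PROVIDERS, SITE_B_IDENTITY_PROVIDERS,
                               "https://192.168.112.180:5000") or ["pair is consistent"]:
        print(line)
```

Run fetch_and_check with admin tokens from both sites first; if it returns an empty list, run k2k_login with a site A user whose federated group on site B has a role on remote_project. A failed login after a clean consistency check usually points at the mapping or at group role assignments rather than at the provider names.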

What to do next

If you do not want to use the default mapping, you can customize mapping. See Customize Mapping.