Federated Identity Management

Non-Federated users

The diagram below depicts authentication to OpenStack cloud using an LDAP-integrated Openstack user domain:

Via Local Accounts in Active Directory
Non-Aristotle Users

See detailed instructions for an LDAP-integrated domain in OpenStack.

Federated Login

Aristotle Federation access to the cloud requires:

1. Authentication via Globus Auth. Find instructions for configuring OpenStack for Single Sign On with Globus.
2. Access control based on the authenticated identity. Access management can be based on a backend directory or to the OpenStack cloud only

Integrating with a Backend Directory

In this option the Aristotle portal provides Aristotle User account information populates group/project information in the backend Active Directory/LDAP server. A script generates the required OpenStack mapping by querying AD/LDAP (sample script).

Using a Backend Enables the following:

1. Local Active Directory/LDAP can manage users from the Aristotle Federation
2. If the Local Active Directory/LDAP has required Globus subscription; all (local and federation) users can use Globus Auth to log in
3. Users can access all local and Aristotle projects in Horizon, regardless of which authentication method is used

Federated Login Option 1

Integrating with Cloud Only

This option simply generates the required Openstack mapping via a script from the Aristotle portal info. The local backend Active Directory/LDAP can be left untouched.

Federated Login Option 2