Federated Identity Management
Non-Federated Users
The diagram below depicts authentication to the OpenStack cloud using an LDAP-integrated OpenStack user domain:
[Diagram: Non-Aristotle users authenticating via local accounts in Active Directory]
See detailed instructions for an LDAP-integrated domain in OpenStack.
Federated Login
Aristotle Federation access to the cloud requires:
- Authentication via Globus Auth. Find instructions for configuring OpenStack for Single Sign-On with Globus.
- Access control based on the authenticated identity. Access management can be driven either by a backend directory (Option 1) or by the OpenStack cloud alone (Option 2).
Integrating with a Backend Directory
In this option the Aristotle portal supplies Aristotle user account information, which populates group/project information in the backend Active Directory/LDAP server. A script then generates the required OpenStack mapping by querying AD/LDAP (sample script).
Using a backend directory enables the following:
- The local Active Directory/LDAP can manage users from the Aristotle Federation.
- If the local Active Directory/LDAP has the required Globus subscription, all (local and federation) users can use Globus Auth to log in.
- Users can access all local and Aristotle projects in Horizon, regardless of which authentication method is used.
Federated Login Option 1
Integrating with Cloud Only
This option simply generates the required OpenStack mapping via a script from the Aristotle portal information.
The local backend Active Directory/LDAP is left untouched.
Federated Login Option 2
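Both options end in the same artifact: a Keystone federation mapping that turns the identity asserted by Globus Auth into group membership on the cloud. The following script is an added example of generating that mapping, not the Aristotle project's own sample script. It assumes a membership layout (project name to member identities) that either an AD/LDAP query (Option 1) or the Aristotle portal export (Option 2) could supply, a federated domain called "aristotle", a group named after each project, and OIDC remote attribute names ("OIDC-preferred_username", "OIDC-email") as exposed by the web server's OpenID Connect module; the sample membership data is constructed. Each rule is an allow-list, so an identity that is not a member of any project matches no rule and is refused.

```python
"""Generate a Keystone federation mapping from project membership data.

Added example, not the Aristotle project's own script. Assumed (not from
the page): the membership layout below, the federated domain name
"aristotle", group name == project name, and the OIDC attribute names.
"""
import json
import re
import sys

FEDERATED_DOMAIN = "aristotle"              # assumed: domain holding the federated groups
USERNAME_ATTR = "OIDC-preferred_username"   # assumed: remote attribute carrying the login name
EMAIL_ATTR = "OIDC-email"                   # assumed: remote attribute used for the allow-list

# Constructed sample of what an AD/LDAP query (Option 1) or the Aristotle
# portal export (Option 2) would yield: project name -> member identities.
SAMPLE_MEMBERSHIP = {
    "cloud-genomics": ["alice@example.edu", "bob@example.org", "alice@example.edu"],
    "climate-model": ["bob@example.org"],
    "empty-project": [],
}

_PROJECT_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")
_EMAIL_RE = re.compile(r"^[^\s@]+@[^\s@]+\.[^\s@]+$")


def build_mapping(membership):
    """Return Keystone mapping rules, one per non-empty project.

    A rule matches only if the asserted e-mail is one of the project's members
    (any_one_of), and then places the ephemeral user into the group named after
    the project in FEDERATED_DOMAIN.  Output is sorted and de-duplicated so that
    repeated runs produce byte-identical JSON (idempotent `mapping set`).
    """
    rules = []
    for project in sorted(membership):
        if not _PROJECT_RE.match(project):
            raise ValueError(f"refusing unsafe project name {project!r}")
        # Strip whitespace and de-duplicate, but do NOT change case: Keystone's
        # any_one_of comparison is an exact string match, so values must equal
        # what the identity provider asserts.
        members = sorted({m.strip() for m in membership[project] if m.strip()})
        for m in members:
            if not _EMAIL_RE.match(m):
                raise ValueError(f"{project}: malformed member identity {m!r}")
        if not members:
            continue  # no members, no rule: nobody can be mapped into that group
        rules.append({
            "local": [
                # {0} is the first unconditional remote attribute (USERNAME_ATTR).
                {"user": {"name": "{0}"}},
                {"group": {"name": project, "domain": {"name": FEDERATED_DOMAIN}}},
            ],
            "remote": [
                {"type": USERNAME_ATTR},
                {"type": EMAIL_ATTR, "any_one_of": members},
            ],
        })
    return rules


def render_mapping(rules):
    """Serialise rules in the layout `openstack mapping create --rules FILE` expects."""
    return json.dumps(rules, indent=2, sort_keys=True) + "\n"


def groups_for(rules, assertion):
    """Simplified stand-in for Keystone's rule evaluation, for checking a generated
    mapping before loading it: exact matching only, no regex support.

    `assertion` maps remote attribute name -> list of asserted values.  Returns
    the set of (domain, group) pairs the user would be placed in; an empty set
    means no rule matched and Keystone would refuse the federated login.
    """
    granted = set()
    for rule in rules:
        matched = True
        for req in rule["remote"]:
            values = assertion.get(req["type"], [])
            if "any_one_of" in req:
                matched = bool(set(values) & set(req["any_one_of"]))
            else:
                matched = bool(values)
            if not matched:
                break
        if matched:
            for item in rule["local"]:
                if "group" in item:
                    group = item["group"]
                    granted.add((group["domain"]["name"], group["name"]))
    return granted


def main():
    sys.stdout.write(render_mapping(build_mapping(SAMPLE_MEMBERSHIP)))


if __name__ == "__main__":
    main()
```

Usage: write the output to a file and load it with `openstack mapping create --rules mapping.json NAME` (or `openstack mapping set --rules mapping.json NAME` on later runs). The groups named in the mapping must already exist in the federated domain with role assignments on the corresponding projects; the mapping does not create them. Because an identity that matches no rule is refused outright, run `groups_for` against a few real assertions before replacing the live mapping, and if local directory users also log in through Globus Auth (Option 1) make sure a rule covers them too.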