OpenStack Summit November 2014 Paris

Keystone is the reference implementation of the Identity API in OpenStack. It needs to deal with traditional identity concepts such as users and groups as well as centrally managing authorization. This session will cover how Keystone can leverage existing identity sources for authentication and identity information and instead focus on it's primary job of centrally managing access to cloud services and resources.

Keystone has a pluggable architecture that allows it to work with different identity sources. These options range from storing identity information locally to using external identity sources such as an LDAP server or a SAML identity provider. Nearly all companies and organizations already have an existing authoritative identity source that provides centralized authentication and user and group information. Configuring Keystone to use this central identity source is a popular goal for those deploying OpenStack, yet its not straight-forward to actually accomplish due to variations of different identity sources.

In this presentation, Nathan Kinder will review how Keystone has evolved around the concept of identity to date.  An overview of the very latest options for handling identity information will be provided, along with the pros and cons of the available approaches. We will also discuss how Keystone can leverage existing identity sources to provide strong authentication mechanisms in addition to discussing more complex scenarios such as using multiple external identity sources from a single Keystone instance.