Dealing with Domains

Mapping federated users to domains

To map a SAML user to a domain, one needs to define a SAML mapping inside Keystone: a set of rules that specifies which remote attributes (asserted by the identity provider) map to which Keystone objects (user, domain, group):

Applying mapping

$ openstack mapping create --rules rules.json saml_mapping

Checking mapping

$ openstack mapping show saml_mapping -f json

As an example of such a mapping, we report here the following one, in the form returned by "openstack mapping show saml_mapping -f json" (the file passed to --rules contains only the list found under "rules"):

{
  "rules": [
    {
      "local": [
        {
          "user": {
            "domain": {
              "name": "{1}"
            },
            "type": "local",
            "name": "{0}"
          }
        }
      ],
      "remote": [
        {
          "type": "eppn"
        },
        {
          "type": "schacHomeOrganization"
        }
      ]
    },
    {
      "local": [
        {
          "user": {
            "domain": {
              "name": "{1}"
            },
            "type": "local",
            "name": "{0}"
          }
        }
      ],
      "remote": [
        {
          "type": "eppn"
        },
        {
          "type": "schacHomeOrganization"
        }
      ]
    },
    {
      "local": [
        {
          "group": {
            "id": "719282eb40474222806f8c6bc61ac7e8"
          },
          "user": {
            "name": "{0}"
          }
        }
      ],
      "remote": [
        {
          "type": "eppn"
        },
        {
          "type": "schacHomeOrganization"
        },
        {
          "type": "entitlement",
          "any_one_of": [
            "urn:mace:garr.it:cloud:ephemeralUser"
          ]
        }
      ]
    }
  ],
  "id": "saml_mapping"
}
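To make the rules above concrete, here is an added example (not code from the page or from Keystone) that evaluates this mapping against a few constructed SAML assertions. It is a simplified re-implementation of the rule semantics: plain {"type": X} clauses are direct maps that fill {0}, {1}, ... in order and make attribute X mandatory, while "any_one_of" clauses are filters that fill no placeholder. The sample assertion values (alice, bob, carol at example.org) are constructed; the group id and entitlement URN are the ones from the mapping above. Only the two distinct rules of the page are embedded, since the repeated first rule changes nothing.

```python
import json

# Constructed sample: the two distinct rules of the page's mapping, wrapped
# the way `openstack mapping show -f json` prints them ("rules" plus "id").
RULES_TEXT = """
{
  "rules": [
    {
      "local": [{"user": {"domain": {"name": "{1}"}, "type": "local", "name": "{0}"}}],
      "remote": [{"type": "eppn"}, {"type": "schacHomeOrganization"}]
    },
    {
      "local": [{"group": {"id": "719282eb40474222806f8c6bc61ac7e8"}, "user": {"name": "{0}"}}],
      "remote": [{"type": "eppn"}, {"type": "schacHomeOrganization"},
                 {"type": "entitlement", "any_one_of": ["urn:mace:garr.it:cloud:ephemeralUser"]}]
    }
  ],
  "id": "saml_mapping"
}
"""


def load_rules(text):
    """Return the rule list from either a bare JSON list (what --rules expects)
    or the {"rules": [...], "id": ...} form shown by `mapping show -f json`."""
    data = json.loads(text)
    if isinstance(data, dict):
        data = data.get("rules")
    if not isinstance(data, list):
        raise ValueError("mapping rules must be a JSON list of rule objects")
    return data


def match_remote(remote, assertion):
    """Check a rule's 'remote' clauses against the asserted attributes.
    Returns the values that fill {0}, {1}, ... or None if the rule does not
    apply. A missing attribute makes the rule fail; 'any_one_of' is a pure
    filter. Simplified model of keystone's behaviour, not its code."""
    direct = []
    for clause in remote:
        values = assertion.get(clause["type"])
        if not values:
            return None
        if "any_one_of" in clause:
            if not set(values) & set(clause["any_one_of"]):
                return None
            continue  # filters do not contribute a {n} placeholder
        direct.append(";".join(values))
    return direct


def fill(template, direct):
    """Substitute {n} placeholders in every string of a local-side object."""
    if isinstance(template, str):
        return template.format(*direct)
    if isinstance(template, dict):
        return {k: fill(v, direct) for k, v in template.items()}
    if isinstance(template, list):
        return [fill(v, direct) for v in template]
    return template


def apply_mapping(rules, assertion):
    """Evaluate every rule and merge what matched into one identity.
    Returns None when no rule matches (keystone rejects such a login).
    Note that "type": "local" means the user must already exist in that
    domain; the mapping looks it up, it does not create it."""
    user, group_ids = {}, []
    matched = False
    for rule in rules:
        direct = match_remote(rule["remote"], assertion)
        if direct is None:
            continue
        matched = True
        for local in rule["local"]:
            local = fill(local, direct)
            if "user" in local:
                user.update(local["user"])
            if "group" in local and local["group"]["id"] not in group_ids:
                group_ids.append(local["group"]["id"])
    return {"user": user, "group_ids": group_ids} if matched else None


# Constructed sample assertions, standing in for what the SAML IdP sends.
# Values are lists because Shibboleth-style attributes can be multi-valued.
EPHEMERAL = {"eppn": ["alice@example.org"], "schacHomeOrganization": ["example.org"],
             "entitlement": ["urn:mace:garr.it:cloud:ephemeralUser"]}
PLAIN = {"eppn": ["bob@example.org"], "schacHomeOrganization": ["example.org"]}
NO_ORG = {"eppn": ["carol@example.org"]}

if __name__ == "__main__":
    rules = load_rules(RULES_TEXT)
    for label, assertion in [("ephemeral", EPHEMERAL), ("plain", PLAIN), ("no-org", NO_ORG)]:
        print(label, json.dumps(apply_mapping(rules, assertion)))
```

Running it shows the three outcomes a defender cares about: alice lands in domain example.org as an existing local user and also gets the ephemeral group because the IdP asserted the entitlement; bob gets the domain mapping but no group; carol, whose assertion lacks schacHomeOrganization, matches no rule at all and would be refused. The "any_one_of" clause on the entitlement is the only thing gating membership of that group, so the IdP's release policy for that attribute is effectively part of the cloud's authorization.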