2.4. Identity

Hierarchical multitenancy
Red Hat Enterprise Linux OpenStack Platform now supports hierarchical ownership of objects: projects in Identity can be nested inside other projects, so the organizational structure of a RHEL OpenStack Platform deployment can be modelled as a tree of projects rather than a single flat list.
Federation with SAML
Federated Identity establishes trust between Identity Providers (IdP) and the services that an OpenStack cloud offers to an end user. It lets users apply existing credentials to cloud resources such as servers, volumes, and databases across multiple endpoints in multiple authorized clouds, with a single set of credentials, without provisioning additional identities or logging in more than once. The credentials for users and groups remain with the user's Identity Provider.
Federated users are not mirrored in the Identity service back end (for example, in the SQL driver). The external Identity Provider is responsible for authenticating users and communicates the result of each authentication to the Identity service as a SAML assertion. A SAML assertion contains information about a user as provided by the Identity Provider. The Identity service applies mapping rules to the assertion's attributes to select the Keystone user groups, and therefore the role assignments, that the federated user receives.
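The mapping step is where a federated login turns into local authorization, so it is worth seeing concretely. The following is an added example, not code from the page or from Keystone itself: a small Python evaluator for mapping rules written in the same shape as a Keystone mapping document ("rules", each with "remote" matchers and "local" results). The matching semantics are a deliberate, assumed subset of the real engine (attribute presence, any_one_of, not_any_of, and "{n}" direct mapping); the attribute names, group IDs and the sample assertions are constructed for the example.

```python
"""Simplified evaluator for Keystone-style federation mapping rules.

Added example, not Keystone's own code. The rule format mirrors the shape of
a Keystone mapping document, but the matching semantics implemented here are
an assumed subset. All attribute names, group IDs and sample assertions are
constructed for illustration.
"""

# Constructed mapping: two rules, both naming the local user after the IdP's
# UserName attribute, each adding a (hypothetical) group by ID.
MAPPING = {
    "rules": [
        {
            "local": [
                {"user": {"name": "{0}"}},
                {"group": {"id": "0cd5e9"}},  # hypothetical "cloud-admins" group
            ],
            "remote": [
                {"type": "UserName"},
                {"type": "Groups", "any_one_of": ["cloud-admins"]},
            ],
        },
        {
            "local": [
                {"user": {"name": "{0}"}},
                {"group": {"id": "7a1b33"}},  # hypothetical "cloud-users" group
            ],
            "remote": [
                {"type": "UserName"},
                {"type": "Groups", "not_any_of": ["contractors"]},
            ],
        },
    ]
}


def _remote_matches(matcher, assertion):
    """Return True if one 'remote' matcher is satisfied by the assertion.

    Assumed semantics (a subset of Keystone's): the attribute must be present
    and non-empty; 'any_one_of' requires at least one listed value to appear;
    'not_any_of' requires that none of the listed values appear.
    """
    values = assertion.get(matcher["type"])
    if not values:
        return False
    if "any_one_of" in matcher:
        return any(v in values for v in matcher["any_one_of"])
    if "not_any_of" in matcher:
        return not any(v in values for v in matcher["not_any_of"])
    return True


def apply_mapping(mapping, assertion):
    """Map assertion attributes to a local user name and a set of group IDs.

    Returns (user_name, sorted list of group IDs). Raises ValueError when no
    rule matches: an assertion that maps to nothing must not yield a session.
    """
    user_name = None
    groups = set()
    for rule in mapping["rules"]:
        if not all(_remote_matches(m, assertion) for m in rule["remote"]):
            continue
        # Direct mapping: "{n}" in a 'local' entry refers to the first value
        # of the n-th 'remote' attribute, in order.
        direct = [assertion[m["type"]][0] for m in rule["remote"]]
        for local in rule["local"]:
            if "user" in local:
                user_name = local["user"]["name"].format(*direct)
            if "group" in local:
                groups.add(local["group"]["id"])
    if user_name is None:
        raise ValueError("no mapping rule matched the assertion")
    return user_name, sorted(groups)


# Constructed assertion attributes, as they would be handed to Keystone after
# the Service Provider has already validated the SAML response signature.
ADMIN_ASSERTION = {"UserName": ["alice"], "Groups": ["developers", "cloud-admins"]}
CONTRACTOR_ASSERTION = {"UserName": ["bob"], "Groups": ["contractors"]}

if __name__ == "__main__":
    print(apply_mapping(MAPPING, ADMIN_ASSERTION))
    try:
        apply_mapping(MAPPING, CONTRACTOR_ASSERTION)
    except ValueError as exc:
        print("rejected:", exc)
```

Two points carry over to a real deployment. First, the mapping only decides authorization; the assertion's signature and audience must already have been checked by the Service Provider in front of Keystone before any attribute is trusted. Second, a rule set in which no rule matches must fail closed, as the evaluator above does, rather than fall back to some default group.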
Web SSO with Keystone and SAML
RHEL OpenStack Platform now provides the ability for users to authenticate via a web browser with an existing Identity Provider (IdP), through a single sign-on page.