Friday, February 26, 2016

Keystone and WebSSO: Using Shibboleth Identity Provider and OpenLDAP with OpenStack Keystone

This post describes how to set up a web-based Single Sign-On system consisting of OpenStack Keystone, Shibboleth Identity Provider and OpenStack Horizon.
The instructions cover the following configuration: Keystone and Horizon running under Apache Web Server with the Shibboleth module as the Service Provider, plus Shibboleth Identity Provider as the Identity Provider. This configuration is based on the SAML v2.0 specifications.
Shibboleth Identity Provider can easily be replaced with any other SAML-based Identity Provider, which makes the document usable for other configurations.
Although the post describes one specific case, it may also be useful for other SSO configurations with Keystone, because the instructions can be used in part rather than in full. This post also contains brief information about Security Assertion Markup Language (SAML) and gives a general understanding of the Keystone SSO system.


Monday, February 15, 2016

Keystone and SSO: Keystone to Keystone configuration (ECP profile)


This post describes how to set up a Single Sign-On system based on the ECP profile of the SAML standard.
Keystone can be an Identity Provider as well as a Service Provider. In a production environment, this means that a user can have one Keystone for authentication and general authorization and another for specific authorization.
We will have the following configuration: