A second method to support SSO access in OpenStack is federation with an OpenID Connect identity provider (IdP). The federation flow closely resembles the SAML setup described in the previous section. The main difference is the form of the assertion: with OpenID Connect, the IdP hands the service provider a signed ID token (a JSON Web Token) whose payload is a set of claims about the authenticated user, rather than an XML SAML assertion.
The OpenID Connect federation setup in OpenStack can be summarized in the following steps, illustrated in the diagram below:
- An OpenStack user or a service requests a resource.
- Acting as the SP, the Keystone service intercepts the request and redirects the client to the OpenID Connect provider's authorization endpoint (OpenID Connect is an identity layer on top of OAuth 2.0).
- The external IdP requests credentials from ...
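The following is an added example, written for this page and not code from OpenStack or Keystone, that walks the two halves of the flow described above: the IdP packages the user's claims into a signed ID token, and the SP side validates that token and maps its claims to a local OpenStack user and group in the shape of a Keystone federation mapping rule. It goes slightly beyond the steps listed so far by also showing the token validation and claim mapping that follow the IdP's credential check. Everything in it is assumed for illustration: the issuer URL, the `keystone` client_id, the shared secret (HS256 is used only so the example runs offline; a real IdP signs with RS256 and publishes its keys via JWKS), the sample users, and the tiny mapping evaluator, which is a simplified stand-in for Keystone's mapping engine, not the engine itself.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this example only. Real deployments verify RS256
# signatures against the IdP's JWKS; a shared HS256 secret keeps this offline.
IDP_SECRET = b"constructed-demo-secret"
ISSUER = "https://idp.example.com"   # assumed IdP issuer URL
CLIENT_ID = "keystone"               # assumed client_id registered for Keystone at the IdP


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def idp_issue_id_token(claims: dict, secret: bytes = IDP_SECRET) -> str:
    """IdP side: after authenticating the user, sign the claims into an ID token (JWT, HS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def sp_validate_id_token(token: str, secret: bytes = IDP_SECRET, now: Optional[float] = None) -> dict:
    """SP side: check algorithm, signature, issuer, audience and expiry before trusting any claim."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # reject "none" and algorithm confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong audience")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("ID token expired")
    return claims


# Rule in the shape of Keystone's federation mapping JSON (local/remote, any_one_of).
# The evaluator below is a small stand-in written for this example, not Keystone's engine.
MAPPING_RULES = [
    {
        "local": [
            {"user": {"name": "{0}"}},
            {"group": {"name": "federated_users", "domain": {"name": "Default"}}},
        ],
        "remote": [
            {"type": "preferred_username"},
            {"type": "groups", "any_one_of": ["openstack-users"]},
        ],
    }
]


def map_claims(claims: dict, rules=MAPPING_RULES) -> Optional[dict]:
    """Apply the first rule whose remote conditions all match; None means access is denied."""
    for rule in rules:
        captured = []
        for req in rule["remote"]:
            value = claims.get(req["type"])
            if value is None:
                break
            present = value if isinstance(value, list) else [value]
            if "any_one_of" in req and not set(req["any_one_of"]).intersection(present):
                break
            captured.append(value)
        else:
            user = next(item["user"] for item in rule["local"] if "user" in item)
            groups = [item["group"]["name"] for item in rule["local"] if "group" in item]
            # "{0}" refers to the first captured remote value, as in Keystone mapping rules
            return {"user": user["name"].format(captured[0]), "groups": groups}
    return None


def federated_login(idp_claims: dict, now: Optional[float] = None) -> Optional[dict]:
    """End to end: the IdP issues the token, the SP validates it and maps the claims."""
    token = idp_issue_id_token(idp_claims)
    return map_claims(sp_validate_id_token(token, now=now))


if __name__ == "__main__":
    t = time.time()
    alice = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "1234", "exp": t + 300,
             "preferred_username": "alice", "groups": ["openstack-users", "dev"]}
    print(federated_login(alice))
    bob = dict(alice, preferred_username="bob", groups=["guests"])
    print(federated_login(bob))  # no authorized group in the claims, so no local identity
```

The point of the SP half is that no claim is used for mapping until the token's signature, issuer, audience and expiry have all been checked; a mapping rule that matches claims from an unverified token would let anyone who can forge a JSON payload pick their own OpenStack group.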