Xloud XAVS - User Identity & Access Management (IAM)
1. Introduction
Xloud XAVS OpenStack includes a robust, multi-domain Identity and Access Management (IAM) system that supports both internal user management and integration with external authentication providers, including corporate directories and modern federated identity platforms such as:
- Active Directory / LDAP
- Keycloak
- Shibboleth
- OpenID Connect (OIDC)
- SAML2-based IdPs
- eduGAIN / ADFS / Okta / Auth0
This allows organizations to seamlessly connect existing user identities to their OpenStack environments without requiring manual account creation or additional credentials.
2. Architecture Overview
Identity Management Architecture
- Internal User Management via Keystone: native Keystone domain stores hold tenant-local users, service accounts, and admin roles.
- External Authentication Integration: Xloud XAVS supports federated identity via SAML2 and OIDC, and directory integration using LDAP or Active Directory.
- Multi-Domain Architecture: users from external IdPs or directories can be scoped into dedicated identity domains, separate from internal OpenStack accounts.
- Group-to-Role Mapping: external identity groups (e.g., AD/Keycloak groups) are mapped to OpenStack roles and project access automatically.
3. Key Features
- Internal Keystone Users: create and manage users, projects, and roles directly in Xloud XAVS.
- Federated Login Support: authenticate via Keycloak, SAML2, OIDC, Shibboleth, and other identity brokers.
- Enterprise Directory Integration: connect to LDAP or Microsoft Active Directory for user authentication and group-based access control.
- Seamless Role Mapping: external group membership translates into OpenStack roles via mapping rules.
- Multi-Domain & Multi-Tenant: separate identity domains per customer or business unit to isolate authentication.
4. Use Cases
| Use Case | Description |
|---|---|
| Enterprise SSO | Users log into Horizon or OpenStack CLI with existing corporate credentials via SAML or OIDC. |
| Multi-Tenant Hosting | Isolated domains for each tenant, with delegated identity sources. |
| University Federated Access | Enable Shibboleth/eduGAIN integration for academic institutions. |
| DevOps Identity Federation | Integrate with Keycloak, Okta, or Auth0 for cloud-native DevSecOps workflows. |
| Internal/External Hybrid Auth | Combine local OpenStack users and federated identities for maximum flexibility. |
5. Integration Highlights
Internal Keystone Users
- Local to OpenStack, managed via Horizon or CLI
- Scoped per domain/project
- Ideal for automation or isolated tenants
LDAP / Active Directory
- Bind to AD or OpenLDAP via Keystone backend
- Map LDAP groups to OpenStack roles
- Password management externalized
Keycloak (OIDC/SAML2)
- Acts as identity broker for users from LDAP, Google, Azure AD, etc.
- Supports multi-tenant token issuance, MFA, and group claims
- Fully compatible with Keystone federation (OIDC or SAML2)
Shibboleth / SAML2
- Integrates with federated academic or government identity frameworks
- Supports eduGAIN, InCommon, and others
OpenID Connect (OIDC)
- Token-based authentication with providers like:
  - Keycloak
  - Okta
  - Auth0
  - Azure AD
  - Google Workspace
6. Automation and Operational Fit
- User Provisioning:
  - Mapping rules automatically create user sessions upon first login
  - No need to pre-create accounts
- MFA & Conditional Access:
  - Handled by external IdPs like Keycloak, Okta, or AD FS
- Role & Project Assignment:
  - Based on group membership and Keystone mapping rules
- Audit & Logging:
  - Full traceability of logins and role assignments
  - Compatible with external SIEM or audit tools
- CLI & Horizon Support:
  - Federated users can access OpenStack via Horizon or CLI with scoped tokens
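The mapping step that sections 2, 5 and 6 describe (external group claims turned into OpenStack groups, roles and project access, with no pre-created accounts) can be checked end to end with a small evaluator. The code below is an added illustration and is not Xloud XAVS or Keystone code: it re-implements a subset of Keystone's mapping-rule semantics (`type`, `any_one_of`, `not_any_of`, `regex`, `{n}` placeholders) and applies constructed rules to constructed OIDC assertions. In Keystone the mapping places the federated user into Keystone groups; the project roles come from the role assignments attached to those groups, which the `GROUP_ROLE_ASSIGNMENTS` table stands in for here. All user names, claim names, group names and projects are assumptions made for the example.

```python
import json
import re

# Constructed rules in the JSON format Keystone accepts via
# "openstack mapping create --rules rules.json". Placeholders {0}, {1}
# refer, in order, to the remote entries that carry no condition;
# any_one_of / not_any_of entries are conditions only.
MAPPING_RULES = json.loads(r"""
{"rules": [
  {"local": [{"user": {"name": "{0}", "email": "{1}"}},
             {"group": {"name": "cloud-admins", "domain": {"name": "federated"}}}],
   "remote": [{"type": "OIDC-preferred_username"},
              {"type": "OIDC-email"},
              {"type": "OIDC-groups", "any_one_of": ["cloud-admins"]}]},
  {"local": [{"user": {"name": "{0}", "email": "{1}"}},
             {"group": {"name": "cloud-users", "domain": {"name": "federated"}}}],
   "remote": [{"type": "OIDC-preferred_username"},
              {"type": "OIDC-email"},
              {"type": "OIDC-groups", "not_any_of": ["cloud-admins"]},
              {"type": "OIDC-email", "any_one_of": ["^[^@]+@example\\.org$"], "regex": true}]}
]}
""")

# Constructed role assignments attached to the mapped groups, i.e. the effect
# of "openstack role add --group cloud-admins --project prod admin" and friends.
GROUP_ROLE_ASSIGNMENTS = {
    "cloud-admins": [("prod", "admin"), ("dev", "admin")],
    "cloud-users": [("dev", "member")],
}

# Constructed OIDC assertions as an IdP such as Keycloak would present them
# once the web front end hands the claims to Keystone (lists = multi-valued).
ASSERTIONS = {
    "alice": {"OIDC-preferred_username": "alice", "OIDC-email": "alice@example.org",
              "OIDC-groups": ["cloud-admins", "developers"]},
    "bob": {"OIDC-preferred_username": "bob", "OIDC-email": "bob@example.org",
            "OIDC-groups": ["developers"]},
    "carol": {"OIDC-preferred_username": "carol", "OIDC-email": "carol@partner.test",
              "OIDC-groups": ["developers"]},  # outside the allowed mail domain
    "eve": {"OIDC-preferred_username": "eve", "OIDC-email": "eve@example.org"},  # no groups claim
}


def _matches(candidates, values, use_regex):
    """True if any assertion value equals (or, with regex, matches) a candidate."""
    values = values if isinstance(values, list) else [values]
    return any(re.search(c, v) if use_regex else c == v
               for v in values for c in candidates)


def _direct_values(remote, assertion):
    """Values for the {n} placeholders if every remote entry is satisfied, else None."""
    direct = []
    for req in remote:
        values = assertion.get(req["type"])
        if not values:
            return None                      # required attribute missing
        use_regex = req.get("regex", False)
        if "any_one_of" in req:
            if not _matches(req["any_one_of"], values, use_regex):
                return None
            continue                         # condition only, no placeholder
        if "not_any_of" in req:
            if _matches(req["not_any_of"], values, use_regex):
                return None
            continue
        direct.append(values)
    return direct


def _fill(obj, direct):
    """Substitute {n} placeholders inside a local entry."""
    if isinstance(obj, dict):
        return {k: _fill(v, direct) for k, v in obj.items()}
    return obj.format(*direct) if isinstance(obj, str) else obj


def map_assertion(rules, assertion):
    """Apply every rule; return the mapped user and group names, or None."""
    user, groups = None, []
    for rule in rules["rules"]:
        direct = _direct_values(rule["remote"], assertion)
        if direct is None:
            continue
        for entry in rule["local"]:
            entry = _fill(entry, direct)
            user = entry.get("user", user)
            if "group" in entry:
                groups.append(entry["group"]["name"])
    if user is None or not groups:
        return None                          # nothing to scope: login rejected
    return {"user": user, "groups": groups}


def effective_access(rules, assertion):
    """Login outcome: mapped user plus the (project, role) pairs its groups grant."""
    mapped = map_assertion(rules, assertion)
    if mapped is None:
        return None
    access = sorted({p for g in mapped["groups"] for p in GROUP_ROLE_ASSIGNMENTS.get(g, [])})
    return {"user": mapped["user"]["name"], "groups": mapped["groups"], "access": access}


if __name__ == "__main__":
    for who, assertion in ASSERTIONS.items():
        print(f"{who:6} -> {effective_access(MAPPING_RULES, assertion)}")
```

Running it shows the four outcomes a reviewer of a mapping wants to see before the rules go live: an admin-group member lands in `cloud-admins` and gets `admin` on both projects, an ordinary user in the allowed mail domain lands in `cloud-users` with `member` on `dev`, a user outside that domain matches no rule, and an assertion without a groups claim matches no rule either. The last two cases are why the evaluator treats "no group mapped" as a rejected login rather than silently issuing a token with nothing to scope to.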
7. Summary & Positioning
Xloud XAVS IAM offers secure, centralized, and highly flexible user authentication and access management across projects, tenants, and cloud services. It supports:
- Native user management via OpenStack Keystone
- Integration with enterprise identity platforms like LDAP, Active Directory
- Federation with modern providers including Keycloak, Shibboleth, Okta, Azure AD, Google, Auth0
- Multi-domain and multi-tenant configurations for hosted environments
Customer Experience: Users can log in with existing corporate or federated credentials, with no new accounts, no extra passwords, and complete policy control.
Companion Visual Diagram (Conceptual)
```
+-----------------------------+
|         User Login          |
+-----------------------------+
              |
              v
+-----------------------------+
|   Xloud XAVS Keystone IAM   |
+-----------------------------+
| - Internal Keystone Users   |
| - LDAP / AD Integration     |
| - Federation Engine         |
|     - SAML2 / OIDC          |
|     - Keycloak / Okta       |
|     - Google / Auth0        |
+-----------------------------+
              |
              v
+-----------------------------+
|  OpenStack Access Granted   |
|     (Horizon, CLI, API)     |
| - Role Mapping              |
| - Scoped Tokens             |
+-----------------------------+
```