Integration with external directory

๐Ÿ—‚๏ธ Xloud XAVS โ€“ User Identity & Access Management (IAM)


1. 🔎 Introduction

Xloud XAVS OpenStack includes a robust, multi-domain Identity and Access Management (IAM) system that supports both internal user management and integration with external authentication providers, including corporate directories and modern federated identity platforms such as:

  • Active Directory / LDAP
  • Keycloak
  • Shibboleth
  • OpenID Connect (OIDC)
  • SAML2-based IdPs
  • eduGAIN / ADFS / Okta / Auth0

This allows organizations to seamlessly connect existing user identities to their OpenStack environments without requiring manual account creation or additional credentials.


2. 🧱 Architecture Overview

🔹 Identity Management Architecture

  1. Internal User Management via Keystone: native Keystone domain stores manage tenant-local users, service accounts, and admin roles.

  2. External Authentication Integration: Xloud XAVS supports federated identity via SAML2 and OIDC, and directory integration using LDAP or Active Directory.

  3. Multi-Domain Architecture: users from external IdPs or directories can be scoped into dedicated identity domains, separate from internal OpenStack accounts.

  4. Group-to-Role Mapping: external identity groups (e.g., AD/Keycloak groups) are mapped to OpenStack roles and project access automatically.


3. ✨ Key Features

  • 🧑‍💼 Internal Keystone Users: create and manage users, projects, and roles directly in Xloud XAVS.

  • 🔐 Federated Login Support: authenticate via Keycloak, SAML2, OIDC, Shibboleth, and other identity brokers.

  • 🏢 Enterprise Directory Integration: connect to LDAP or Microsoft Active Directory for user authentication and group-based access control.

  • 🔄 Seamless Role Mapping: external group membership translates into OpenStack roles via mapping rules.

  • 🗂️ Multi-Domain & Multi-Tenant: separate identity domains per customer or business unit to isolate authentication.


4. 🧰 Use Cases

Use Case                      | Description
------------------------------|------------------------------------------------------------------------------------------
Enterprise SSO                | Users log into Horizon or the OpenStack CLI with existing corporate credentials via SAML or OIDC.
Multi-Tenant Hosting          | Isolated domains for each tenant, with delegated identity sources.
University Federated Access   | Enable Shibboleth/eduGAIN integration for academic institutions.
DevOps Identity Federation    | Integrate with Keycloak, Okta, or Auth0 for cloud-native DevSecOps workflows.
Internal/External Hybrid Auth | Combine local OpenStack users and federated identities for maximum flexibility.

5. 🔗 Integration Highlights

🔹 Internal Keystone Users

  • Local to OpenStack, managed via Horizon or CLI
  • Scoped per domain/project
  • Ideal for automation or isolated tenants

🔹 LDAP / Active Directory

  • Bind to AD or OpenLDAP via Keystone backend
  • Map LDAP groups to OpenStack roles
  • Password management externalized
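Directory integration is configured per Keystone domain in a domain-specific config file whose `[ldap]` section holds the bind settings and the user/group tree layout. The following is an added example, not code or configuration from Xloud XAVS or the Keystone project: a weak and a hardened `[ldap]` section side by side, plus a small checker that flags what a reviewer looks for first (bind DN and password sent over plaintext LDAP, certificate validation switched off, no pinned CA file, no `user_filter` limiting which directory accounts Keystone can see). Hostnames, DNs, the service-account name and the CA path are constructed; `REPLACE_ME` is a placeholder, never a real secret.

```python
"""Checker for the [ldap] section of a Keystone domain-specific config.

Added example; not part of Xloud XAVS or Keystone. It flags settings that
weaken directory integration. Hostnames, DNs and paths are constructed.
"""
import configparser

# Constructed: a weak configuration. The bind goes over plain ldap://
# without StartTLS, certificate checking is disabled, and there is no
# user_filter limiting which directory accounts Keystone will see.
WEAK_CONFIG = """
[identity]
driver = ldap

[ldap]
url = ldap://ad.example.internal
user = CN=svc-keystone,OU=Service Accounts,DC=example,DC=internal
password = REPLACE_ME
suffix = DC=example,DC=internal
query_scope = sub
user_tree_dn = OU=Users,DC=example,DC=internal
user_objectclass = person
user_id_attribute = sAMAccountName
user_name_attribute = sAMAccountName
group_tree_dn = OU=Groups,DC=example,DC=internal
group_objectclass = group
group_member_attribute = member
group_name_attribute = cn
use_tls = false
tls_req_cert = never
"""

# Constructed: the hardened form. LDAPS instead of StartTLS, the server
# certificate validated against a pinned CA file, and only members of one
# directory group visible to Keystone.
HARDENED_CONFIG = """
[identity]
driver = ldap

[ldap]
url = ldaps://ad.example.internal:636
user = CN=svc-keystone,OU=Service Accounts,DC=example,DC=internal
password = REPLACE_ME
suffix = DC=example,DC=internal
query_scope = sub
user_tree_dn = OU=Users,DC=example,DC=internal
user_objectclass = person
user_id_attribute = sAMAccountName
user_name_attribute = sAMAccountName
user_filter = (memberOf=CN=openstack-users,OU=Groups,DC=example,DC=internal)
group_tree_dn = OU=Groups,DC=example,DC=internal
group_objectclass = group
group_member_attribute = member
group_name_attribute = cn
use_tls = false
tls_cacertfile = /etc/keystone/ldap-ca.pem
tls_req_cert = demand
"""


def audit_ldap_config(text):
    """Return a list of finding codes for the [ldap] section in `text`."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    ldap = cfg["ldap"]
    findings = []
    url = ldap.get("url", "")
    starttls = ldap.getboolean("use_tls", fallback=False)  # StartTLS on ldap://
    encrypted = url.startswith("ldaps://") or starttls
    if not encrypted:
        findings.append("plaintext-bind")       # bind DN + password on the wire
    if ldap.get("tls_req_cert", "demand") != "demand":
        findings.append("cert-not-verified")    # Keystone's default is demand
    if encrypted and not ldap.get("tls_cacertfile"):
        findings.append("no-ca-file")           # trust store not pinned
    if not ldap.get("user_filter"):
        findings.append("no-user-filter")       # whole user tree visible
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_ldap_config(text) or "no findings")
```

Keystone reads such files from the directory named by `domain_config_dir` when `domain_specific_drivers_enabled = true` is set in its `[identity]` section, one file per domain; the checker above only inspects the text and never connects to a directory, so it can run in a config review or CI step before the file is deployed.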

🔹 Keycloak (OIDC/SAML2)

  • Acts as identity broker for users from LDAP, Google, Azure AD, etc.
  • Supports multi-tenant token issuance, MFA, and group claims
  • Fully compatible with Keystone federation (OIDC or SAML2)

🔹 Shibboleth / SAML2

  • Integrates with federated academic or government identity frameworks
  • Supports eduGAIN, InCommon, and others

🔹 OpenID Connect (OIDC)

  • Token-based authentication with providers like:

    • Keycloak
    • Okta
    • Auth0
    • Azure AD
    • Google Workspace

6. 🤖 Automation and Operational Fit

  • User Provisioning:
    • Mapping rules automatically create user sessions upon first login
    • No need to pre-create accounts
  • MFA & Conditional Access:
    • Handled by external IdPs like Keycloak, Okta, or AD FS
  • Role & Project Assignment:
    • Based on group membership and Keystone mapping rules
  • Audit & Logging:
    • Full traceability of logins and role assignments
    • Compatible with external SIEM or audit tools
  • CLI & Horizon Support:
    • Federated users can access OpenStack via Horizon or CLI with scoped tokens
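The group-to-role mapping described in section 2 and the automatic provisioning and role assignment listed above both rest on Keystone's federation mapping rules. The following is an added example, not code from Xloud XAVS or the Keystone project: a constructed mapping in the JSON shape Keystone accepts, and a simplified Python evaluator that mirrors the documented rule semantics (every `remote` condition must hold, `{n}` substitutes the n-th remote attribute, locals of all matching rules are merged) so a rule's effect can be checked offline before it is loaded. The domain name `corp`, the group names, the OIDC attribute names and the sample logins are assumptions; whitelist/blacklist handling and shadow-user ID generation are left out.

```python
"""Simplified evaluator for Keystone-style federation mapping rules.

Added example; not Keystone's own mapping engine. It follows the documented
rule semantics closely enough to preview which groups (and hence which roles
and projects) a federated login would receive, and to confirm that a login
outside the expected groups receives nothing.
"""
import json
import re

# Constructed mapping, in the JSON shape Keystone accepts for
# `openstack mapping create --rules`. Domain "corp", the group names and the
# OIDC-* attribute names are assumptions for this example.
MAPPING_JSON = """
{
  "rules": [
    {
      "remote": [
        {"type": "OIDC-preferred_username"},
        {"type": "OIDC-groups", "any_one_of": ["openstack-admins"]}
      ],
      "local": [
        {"user": {"name": "{0}"}},
        {"group": {"name": "cloud-admins", "domain": {"name": "corp"}}}
      ]
    },
    {
      "remote": [
        {"type": "OIDC-preferred_username"},
        {"type": "OIDC-groups", "any_one_of": ["^dept-.*$"], "regex": true}
      ],
      "local": [
        {"user": {"name": "{0}"}},
        {"group": {"name": "cloud-users", "domain": {"name": "corp"}}}
      ]
    }
  ]
}
"""
MAPPING = json.loads(MAPPING_JSON)


def _condition_holds(remote, values):
    """Evaluate one "remote" entry against the attribute's list of values."""
    candidates = remote.get("any_one_of")
    negate = False
    if candidates is None:
        candidates = remote.get("not_any_of")
        negate = candidates is not None
    if candidates is None:          # bare binding: presence is enough
        return True
    if remote.get("regex"):
        hit = any(re.search(p, v) for p in candidates for v in values)
    else:
        hit = any(v in candidates for v in values)
    return not hit if negate else hit


def _substitute(obj, captured):
    """Replace "{n}" placeholders with the n-th captured remote value."""
    if isinstance(obj, str):
        return obj.format(*captured)
    if isinstance(obj, dict):
        return {k: _substitute(v, captured) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_substitute(v, captured) for v in obj]
    return obj


def apply_mapping(mapping, assertion):
    """Return {"user": name, "groups": [(group, domain), ...]} or None.

    `assertion` maps attribute name -> list of values, as the federation
    auth plugin would see them. A rule matches only if every remote entry
    matches; the locals of every matching rule are merged. None means no
    rule granted a group, so the login has nothing to be scoped to.
    """
    user = None
    groups = []
    for rule in mapping["rules"]:
        captured = []
        for remote in rule["remote"]:
            values = assertion.get(remote["type"])
            if not values or not _condition_holds(remote, values):
                break                       # rule fails; try the next one
            captured.append(values[0])      # first value backs "{n}"
        else:
            for local in _substitute(rule["local"], captured):
                if "user" in local:
                    user = local["user"]["name"]
                if "group" in local:
                    g = local["group"]
                    groups.append((g["name"], g["domain"]["name"]))
    if not groups:
        return None
    return {"user": user, "groups": groups}


if __name__ == "__main__":
    # Constructed assertions for three logins; only the first two map to a group.
    for attrs in ({"OIDC-preferred_username": ["alice"], "OIDC-groups": ["openstack-admins", "dept-eng"]},
                  {"OIDC-preferred_username": ["bob"], "OIDC-groups": ["dept-sales"]},
                  {"OIDC-preferred_username": ["mallory"], "OIDC-groups": ["contractors"]}):
        print(attrs["OIDC-preferred_username"][0], "->", apply_mapping(MAPPING, attrs))
```

The Keystone groups named in the `local` blocks are what carry role assignments on projects, so changing who may administer the cloud is a change to the IdP group or to this mapping, not to individual Keystone users; a login that matches no rule yields no group and therefore no scoped token, which is the behaviour the evaluator's `None` stands for.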

7. ✅ Summary & Positioning

Xloud XAVS IAM offers secure, centralized, and highly flexible user authentication and access management across projects, tenants, and cloud services. It supports:

  • Native user management via OpenStack Keystone
  • Integration with enterprise identity platforms like LDAP, Active Directory
  • Federation with modern providers including Keycloak, Shibboleth, Okta, Azure AD, Google, Auth0
  • Multi-domain and multi-tenant configurations for hosted environments

🟢 Customer Experience: Users can log in with existing corporate or federated credentials—no new accounts, no extra passwords, and complete policy control.


📊 Companion Visual Diagram (Conceptual)

+-----------------------------+
|        User Login           |
+-----------------------------+
           |
           v
+-----------------------------+
|    Xloud XAVS Keystone IAM  |
+-----------------------------+
|  - Internal Keystone Users  |
|  - LDAP / AD Integration    |
|  - Federation Engine        |
|     - SAML2 / OIDC          |
|     - Keycloak / Okta       |
|     - Google / Auth0        |
+-----------------------------+
           |
           v
+-----------------------------+
| OpenStack Access Granted    |
| (Horizon, CLI, API)         |
| - Role Mapping              |
| - Scoped Tokens             |
+-----------------------------+

© Copyright xloud.tech