
 Configure Identity service for token binding

Token binding embeds information from an external authentication mechanism, such as a Kerberos server, inside a token. By using token binding, a client can enforce the use of a specified external authentication mechanism with the token. This additional security mechanism ensures that a stolen token, for example, is not usable without the external authentication.

You configure the authentication types for a token binding in the keystone.conf file:

[token]
bind = kerberos

Currently only kerberos is supported.

To enforce checking of token binding, set the enforce_token_bind option to one of these modes:

  • disabled

    Disables token bind checking.

  • permissive

    Enables bind checking. If a token is bound to an unknown authentication mechanism, the server ignores it. This mode is the default.

  • strict

    Enables bind checking. If a token is bound to an unknown authentication mechanism, the server rejects it.

  • required

    Enables bind checking. Requires use of at least one authentication mechanism for tokens.

  • named

    Enables bind checking. Requires use of the specified authentication mechanism for tokens:

    [token]
    enforce_token_bind = kerberos
Note

Do not set enforce_token_bind = named. The named authentication mechanism does not exist. Set the option to the name of the mechanism to require, as in the kerberos example above.
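
The following Python sketch models how the modes above treat a token presented on a request, including a bound token replayed without Kerberos authentication. It is an added example, not keystone's own code; the dictionary shapes for the token binding and the verified external identity, the treatment of unbound tokens, and the rejection of unknown mechanisms in every mode except permissive are assumptions.

```python
# Illustrative model of the enforce_token_bind modes; not keystone's code.
SUPPORTED = {"kerberos"}  # mechanisms the server can verify (per the page)


class BindError(Exception):
    """The token's binding does not satisfy the configured mode."""


def check_bind(mode, token_bind, verified):
    """Return True if the token may be used, raise BindError otherwise.

    mode:       value of enforce_token_bind
    token_bind: assumed shape {mechanism: identity}, stored in the token
    verified:   assumed shape {mechanism: identity}, proven by the
                external authentication on this request
    """
    if mode == "disabled":
        return True  # no bind checking at all
    permissive = mode in ("permissive", "strict")
    if not token_bind:
        # Assumption: only 'required' and a named mechanism demand a binding.
        if permissive:
            return True
        raise BindError("token is not bound")
    if not permissive and mode != "required" and mode not in token_bind:
        raise BindError("token is not bound to %s" % mode)
    for mech, identity in token_bind.items():
        if mech not in SUPPORTED:
            if mode == "permissive":
                continue  # unknown mechanism is ignored
            raise BindError("unknown bind mechanism %s" % mech)
        if verified.get(mech) != identity:
            raise BindError("%s identity does not match the token" % mech)
    return True


def allowed(mode, token_bind, verified):
    """Boolean wrapper around check_bind for quick comparisons."""
    try:
        return check_bind(mode, token_bind, verified)
    except BindError:
        return False


# Constructed sample data: a bound token used without, then with, Kerberos.
STOLEN = {"kerberos": "alice@EXAMPLE.ORG"}
for m in ("disabled", "permissive", "strict", "required", "kerberos"):
    print(m, allowed(m, STOLEN, {}), allowed(m, STOLEN, STOLEN))
```

Only disabled accepts the bound token when no matching Kerberos identity accompanies the request.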
