
2026 Update: Federated OpenStack CLI, the Modern Way
This post dates from 2018, when SAML 2.0 ECP was the cleanest answer for scripted OpenStack authentication against a federated identity provider. Eight years later, the landscape has shifted. Here’s what I recommend today, drawn from running federated access on production OpenStack clouds including Open Edge Cloud.
Use Application Credentials Instead of ECP
Application Credentials (available since Keystone Queens, 2018) give you a non-interactive authentication method that’s bound to a specific user, project, and optional role set – without embedding SAML IdP configuration in your CLI environment. Once a user has logged in through the federated browser flow and minted an Application Credential, the CLI experience is identical to a non-federated cloud.
A typical workflow on a Keycloak-federated OpenStack cloud:
- Log in to the dashboard via the browser (SSO flow through Keycloak – Google Workspace, Okta, Azure AD, whatever the org uses).
- Under Identity → Application Credentials, create a credential scoped to the project you need CLI access to. Optionally restrict the roles.
- Download the generated clouds.yaml entry, or copy the OS_APPLICATION_CREDENTIAL_ID and OS_APPLICATION_CREDENTIAL_SECRET values.
- Use --os-auth-type v3applicationcredential or set OS_AUTH_TYPE=v3applicationcredential. No identity-provider plugin is required in the CLI.
Example clouds.yaml Entry
<code>clouds:
  my-federated-cloud:
    auth_type: v3applicationcredential
    auth:
      auth_url: https://cloud.example.org:13000/v3
      application_credential_id: 5fa...5f
      application_credential_secret: "__REDACTED__"
    region_name: RegionOne
    interface: public
    identity_api_version: 3</code>
Then simply: openstack --os-cloud my-federated-cloud server list.
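For readers who want to see what the CLI does behind --os-auth-type v3applicationcredential, here is the Keystone v3 token exchange itself. This is an added example, not code from the original post or from python-openstackclient: it builds the POST /v3/auth/tokens body for the application_credential method, sends it (only when called explicitly), and parses the reply. The auth URL matches the clouds.yaml above; the credential id, token value and the sample response are constructed for illustration.

```python
"""
Added example (not from the original post): the Keystone v3 token request that
the CLI's v3applicationcredential plugin issues, plus a parser for the reply.
The endpoint matches the post's clouds.yaml; ids and the sample response are
constructed.
"""
import json
import urllib.request
from datetime import datetime

KEYSTONE_URL = "https://cloud.example.org:13000/v3"  # from the post's clouds.yaml


def _ts(value: str) -> datetime:
    """Parse Keystone's ISO-8601 timestamps (trailing 'Z') into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_token_request(app_cred_id: str, app_cred_secret: str) -> dict:
    """Body for POST /v3/auth/tokens using the application_credential method.

    The credential was scoped to a project and role set when it was minted, so
    the request carries no "scope" block: Keystone derives both from the credential.
    """
    return {
        "auth": {
            "identity": {
                "methods": ["application_credential"],
                "application_credential": {
                    "id": app_cred_id,
                    "secret": app_cred_secret,
                },
            }
        }
    }


def parse_token_response(headers: dict, body: dict) -> dict:
    """Pull out what a script needs from a successful token response.

    The token travels in the X-Subject-Token header; the body describes its
    project, roles, expiry and the application credential that produced it.
    """
    token = body["token"]
    return {
        "token": headers["X-Subject-Token"],
        "project": token["project"]["name"],
        "roles": sorted(r["name"] for r in token["roles"]),
        "expires_at": token["expires_at"],
        "app_cred": token["application_credential"]["name"],
        "restricted": token["application_credential"]["restricted"],
    }


def seconds_until_expiry(parsed: dict, now_iso: str) -> float:
    """Remaining lifetime of a cached token; re-authenticate before it reaches zero."""
    return (_ts(parsed["expires_at"]) - _ts(now_iso)).total_seconds()


def authenticate(app_cred_id: str, app_cred_secret: str, auth_url: str = KEYSTONE_URL) -> dict:
    """Perform the exchange over HTTPS (network; not exercised in the offline demo)."""
    req = urllib.request.Request(
        auth_url + "/auth/tokens",
        data=json.dumps(build_token_request(app_cred_id, app_cred_secret)).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:  # raises HTTPError on 401
        return parse_token_response(dict(resp.headers), json.load(resp))


# Constructed sample reply, shaped like Keystone's /v3/auth/tokens response.
SAMPLE_HEADERS = {"X-Subject-Token": "gAAAAAB-constructed-token"}
SAMPLE_BODY = {
    "token": {
        "methods": ["application_credential"],
        "expires_at": "2026-03-01T12:00:00.000000Z",
        "project": {"id": "a1b2c3", "name": "reporting"},
        "roles": [{"id": "r1", "name": "reader"}],
        "application_credential": {"id": "5fa...5f", "name": "ci-reader", "restricted": True},
        "user": {"id": "u1", "name": "alice@example.org"},
    }
}

if __name__ == "__main__":
    print(json.dumps(build_token_request("5fa...5f", "<secret from clouds.yaml>"), indent=2))
    parsed = parse_token_response(SAMPLE_HEADERS, SAMPLE_BODY)
    print(parsed["project"], parsed["roles"], parsed["app_cred"], parsed["restricted"])
```

The absence of a scope block is the practical difference from password auth: a script holding a restricted, reader-only credential cannot talk its way into a different project or role set at token time, which is what makes the credential safe to hand to a reporting pipeline.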
Why This Matters
- Revocable without touching the IdP. An orphaned App Credential can be deleted in the dashboard; ECP credentials depended on the upstream IdP being configured for Resource Owner Password Credentials, which most modern IdPs discourage or disable outright.
- No lxml or IdP plugins in CI. ECP pulls heavy Python XML machinery. App Creds use standard Keystone v3 auth – clean container images, fewer dependencies to vet for CVEs.
- Role-scoped. You can mint a read-only App Cred for a reporting pipeline and a project-admin credential for Terraform, issued from the same federated user identity.
- MFA-friendly. Because the credential is minted post-SSO, it inherits the security posture of the original federated login without forcing the CLI to participate in the MFA challenge.
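Revocability and role scoping only pay off if someone periodically looks at what has been minted. The following audit is an added example, not part of the original post or of any OpenStack project: it walks a list of application credentials and flags the ones worth revoking or re-minting (no expiry, already expired, overly long lifetime, unrestricted, or carrying a privileged role). The input is constructed to mirror the shape of Keystone's GET /v3/users/{user_id}/application_credentials response; the ids, names and dates are invented, and the privileged-role set and 90-day limit are assumed site policy.

```python
"""
Added example (not from the original post): a hygiene audit of a user's
application credentials. Input mirrors the shape of Keystone's
GET /v3/users/{user_id}/application_credentials reply; all values are constructed.
"""
from datetime import datetime

PRIVILEGED_ROLES = {"admin"}   # assumption: roles this site treats as privileged
MAX_LIFETIME_DAYS = 90         # assumption: site policy for credential lifetime


def _ts(value: str) -> datetime:
    """Parse Keystone's ISO-8601 timestamps (trailing 'Z') into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_app_creds(app_creds: list, now_iso: str, max_days: int = MAX_LIFETIME_DAYS) -> dict:
    """Return {credential name: [findings]} for credentials that need attention."""
    now = _ts(now_iso)
    findings = {}
    for cred in app_creds:
        issues = []
        expires = cred.get("expires_at")
        if expires is None:
            issues.append("no expiration")
        elif _ts(expires) < now:
            issues.append("expired, still listed")
        elif (_ts(expires) - now).days > max_days:
            issues.append(f"expires more than {max_days} days out")
        # Unrestricted credentials may create further credentials and trusts,
        # so a leak of one is not contained by its own role set.
        if cred.get("unrestricted"):
            issues.append("unrestricted")
        privileged = PRIVILEGED_ROLES & {r["name"] for r in cred.get("roles", [])}
        if privileged:
            issues.append("privileged roles: " + ", ".join(sorted(privileged)))
        if issues:
            findings[cred["name"]] = issues
    return findings


def revoke_commands(app_creds: list, findings: dict) -> list:
    """CLI commands for an operator to review; nothing here runs them."""
    by_name = {c["name"]: c["id"] for c in app_creds}
    return [f"openstack application credential delete {by_name[name]}" for name in sorted(findings)]


# Constructed sample: four credentials belonging to one federated user.
SAMPLE_APP_CREDS = [
    {"id": "c-0001", "name": "ci-reader", "project_id": "p1", "unrestricted": False,
     "expires_at": "2026-03-01T00:00:00.000000Z", "roles": [{"id": "r1", "name": "reader"}]},
    {"id": "c-0002", "name": "terraform-admin", "project_id": "p1", "unrestricted": False,
     "expires_at": None, "roles": [{"id": "r2", "name": "admin"}]},
    {"id": "c-0003", "name": "old-pipeline", "project_id": "p2", "unrestricted": False,
     "expires_at": "2025-06-30T00:00:00.000000Z", "roles": [{"id": "r1", "name": "reader"}]},
    {"id": "c-0004", "name": "bootstrap", "project_id": "p1", "unrestricted": True,
     "expires_at": "2027-01-01T00:00:00.000000Z", "roles": [{"id": "r3", "name": "member"}]},
]

if __name__ == "__main__":
    report = audit_app_creds(SAMPLE_APP_CREDS, "2026-02-01T00:00:00Z")
    for name, issues in report.items():
        print(f"{name}: {'; '.join(issues)}")
    for cmd in revoke_commands(SAMPLE_APP_CREDS, report):
        print("  review:", cmd)
```

In practice the input comes from the Keystone API or from openstack application credential list on the user's behalf; the point of the audit is that revocation happens in Keystone, with no change to the upstream IdP, exactly as the first bullet above describes.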
When ECP Still Makes Sense
A narrow set of use cases still favors ECP: legacy IdPs that don’t support device-grant or OIDC, air-gapped environments where opening a browser isn’t possible, or scripted re-authentication flows tied to headless service accounts. The original 2018 guide below still works for those scenarios – just recognize that for anyone who can click through a browser once, Application Credentials are the cleaner answer.
Working on OpenStack federation, Keycloak integration, or CLI access patterns for a production cloud? Get in touch – this is an area I work in every week. You can also evaluate Open Edge Cloud, which ships with Keycloak-to-Keystone federation and Application Credentials configured out of the box.
Original Post (2018)
Preserved for historical reference and for the narrow set of environments where ECP is still the right answer.
If you’re using SAML 2.0 Enhanced Client or Proxy (ECP) with OpenStack Keystone, it may not be obvious how to use the mainstream OpenStack client to authenticate. The example RC file below will hopefully shed some light on how to get started. Comments/questions are welcome!
Note: if you get an error such as “Missing value identity-provider-url required for auth plugin v3samlpassword”, or if you do not see “v3samlpassword” listed under “--os-auth-type” when running “openstack --help”, you need to install “lxml” into your available Python packages. You can do this using a package manager or using “pip install lxml”.
<code>export OS_AUTH_URL=https://cloud.example.org:13000/v3
export OS_REGION_NAME=RegionOne

# Endpoint information
export OS_IDENTITY_API_VERSION=3
export OS_INTERFACE=public

# Credentials
export OS_PASSWORD=__MYPASSWORD__
export OS_USERNAME=__MYUSERNAME__

# OpenStack domain/project information
export OS_PROJECT_DOMAIN_NAME=__MYDOMAIN__
export OS_PROJECT_NAME=__MYPROJECT__

##
# SAML 2.0 ECP information
##
export OS_AUTH_TYPE=v3samlpassword

# Federation Identity Provider (IdP) can be found using the following:
# openstack identity provider list
export OS_IDENTITY_PROVIDER=__MYIDP__

# Federation protocol can be found using the following:
# openstack federation protocol list --identity-provider "__MYIDP__"
export OS_PROTOCOL=__MYPROTOCOL__

# Example SimpleSAMLphp AssertionConsumerService (ACS) endpoint
export OS_IDENTITY_PROVIDER_URL=https://example.org/idp/saml2/idp/SSOService.php</code>
