...
For the purpose of this pilot, we have enabled federated access to the dashboard of a demo OpenStack Cloud deployment and we are using a set of dummy users registered in the testbed IdP. Specifically, the pilot IdP proxy has been configured to authenticate users and communicate the result of the authentication to OpenStack's Identity service (Keystone) using SAML assertions. Before passing the authentication results to OpenStack, the pilot IdP proxy contacts a COmanage instance, on which some collaborations (COs) have been created that have a corresponding project in OpenStack, in order to map the users properly: any additional entitlement regarding the user's membership of the COs is attached to the SAML assertion. At this point the new SAML assertion is passed to OpenStack's Identity service (Keystone), where it is mapped to Keystone user groups, based on which the authenticating user can access cloud resources using their federated AARC ID.
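The entitlement-to-group step described above, as an added example (not code from the pilot or from Keystone): a simplified evaluator for Keystone-style mapping rules that turns the entitlements in an assertion into local groups. The attribute name `eduPersonEntitlement`, the ';' separator, the entitlement URNs, group names and user identifiers are constructed assumptions.

```python
# Added example: simplified model of Keystone-style federation mapping rules.
# Attribute name, URNs, group names and users below are constructed assumptions.
MAPPING_RULES = [
    {"remote": [{"type": "REMOTE_USER"},
                {"type": "eduPersonEntitlement",
                 "any_one_of": ["urn:example:aarc:group:co-alpha:role=member"]}],
     "local": [{"group": {"name": "co-alpha-members", "domain": {"name": "Default"}}}]},
    {"remote": [{"type": "REMOTE_USER"},
                {"type": "eduPersonEntitlement",
                 "any_one_of": ["urn:example:aarc:group:co-beta:role=member"]}],
     "local": [{"group": {"name": "co-beta-members", "domain": {"name": "Default"}}}]},
]

def split_values(raw):
    """Split a multi-valued attribute, assumed to arrive ';'-separated."""
    return [v.strip() for v in (raw or "").split(";") if v.strip()]

def rule_matches(rule, assertion):
    """Every remote requirement must hold; values are compared exactly."""
    for req in rule["remote"]:
        values = split_values(assertion.get(req["type"]))
        if not values:
            return False  # attribute missing or empty
        allowed = req.get("any_one_of")
        if allowed is not None and not set(values) & set(allowed):
            return False  # no exact entitlement match
    return True

def map_to_groups(assertion, rules=MAPPING_RULES):
    """Return local groups for an assertion; refuse login if nothing matches."""
    groups = []
    for rule in rules:
        if rule_matches(rule, assertion):
            for local in rule["local"]:
                name = local.get("group", {}).get("name")
                if name and name not in groups:
                    groups.append(name)
    if not groups:
        raise PermissionError("no mapping rule matched: access denied")
    return groups

# Constructed assertions as the proxy would emit them after the COmanage lookup.
ALICE = {"REMOTE_USER": "alice@testbed-idp.example",
         "eduPersonEntitlement": "urn:example:aarc:group:co-alpha:role=member;"
                                 "urn:example:aarc:group:co-beta:role=member"}
BOB = {"REMOTE_USER": "bob@testbed-idp.example",
       "eduPersonEntitlement": "urn:example:aarc:group:co-alpha:role=member-x"}

if __name__ == "__main__":
    print(map_to_groups(ALICE))
```

BOB's near-miss entitlement is rejected because values are compared exactly rather than by prefix or substring, and an assertion that matches no rule is refused instead of falling back to a default group.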
...