Identity Service Introduction

Introducing the HP Cloud Identity Service

The HP Cloud Identity Service provides one-stop authentication for all HP Cloud Service offerings and an OpenStack Keystone compatible API. Before you start using HP Cloud Services and the HP Cloud Identity Service it might help to explain a few things. First let’s talk about how the HP Cloud Identity Service works and how your requests are authenticated. At a high level, the process looks like this:

  1. First, a User sends an authentication request to the Identity Service. You can send your access key and secret key (recommended) or your username and password to prove that you are who you say you are.
  2. Next, the Identity Service responds with an Authentication Token (a string that must be used for subsequent requests to other services) and a Service Catalog (a list of services available to you and the endpoints that you access using the Authentication Token).
  3. Finally, a User sends requests to the services from the Service Catalog, passing along the Authentication Token. All HP Cloud Services are integrated with the Identity Service so that the Authentication Token can correctly identify a User and provide the appropriate access.

Tenants and Scoped vs Unscoped Tokens

An important concept to understand when working with the new HP Cloud Identity Service is the Tenant. A Tenant is a collection of HP Cloud Services subscriptions and/or resources. Think of a Tenant as a set of Compute, Storage and/or other resources that you might use for a project you are working on. Today your account has only one Tenant and all your HP Cloud resources are managed within that one Tenant. Over time, we’ll add the ability to manage multiple Tenants so that you can group your resources as you see fit. As mentioned above, each Tenant also has a Service Catalog. As you dig deeper and start to develop using the Identity Service the Tenant ID and the associated Service Catalog will become more useful and important to you.

Next, let’s talk about Scoped Tokens vs. Unscoped Tokens. A Scoped Token is associated with a Tenant and can be used to access HP Cloud Services or resources managed within that Tenant. In other words, you need a Scoped Token to access the services and other resources within your account. The Service Catalog returned with a Scoped Token includes all the services that are available to you.

An Unscoped Token, on the other hand, is not associated with a Tenant and thus cannot be used to access the services or resources within your account. Instead, Unscoped Tokens are used to access only the Identity Service itself. That is, you can use Unscoped Tokens to make Identity Service API calls. For example, if you need to determine information about your Tenant, you would use an Unscoped Token to call the Identity Service.

When you make a Scoped Token request, the returned service catalog will include endpoints to the service that are available to you plus endpoints available in general like for the Identity Service. In an Unscoped Token request, the service catalog will only include endpoints available in general. Because you need a Scoped Token to access your services, incorporating Tenant IDs into your calls is important.

The Identity Service REST API allows you to authenticate Users, list Tenants available to your User, rescope an existing Authentication Token to an available Tenant, and invalidate an existing Authentication Token. In case your head is spinning and you have an awful headache, let’s go through a conceptual example to make all this clearer.

A Detailed Identity Service Example

Suppose we had a User named who has activated the HP Cloud Compute service only. His own Tenant is the same as his login name and he’d like to obtain a Scoped Authentication Token for his Tenant. How would he do this?

NOTE: The example below authenticates with username/password and Tenant Name for clarity purposes. While this is perfectly valid, HP Cloud Services recommends authenticating with access key/secret key and Tenant ID for two reasons. First and foremost, a breach of access keys is far more recoverable than one involving username/password. Second, your Tenant ID will never change, whereas in the future your Tenant Name can be changed. By using your Tenant ID you guarantee that a changed Tenant Name won’t break your application.

In step #1, the User authenticates with his username/password and Tenant Name. The response in step #2 contains an Authentication Token “XYZ” and a Service Catalog that contains a list of the services activated for the Tenant in question along with the Identity Service. XYZ is a Scoped Token for both the HP Cloud Identity Service and HP Cloud Compute. Had no Tenant Name been sent with this request, XYZ would be an Unscoped Token whose Service Catalog contained only the Identity Service.

For More Information

More information about the HP Cloud Identity Service will be available, after the maintenance, on the technical documentation portion of the HP Cloud Services website, found at:

Rate This Article: 
Average: 4.8 (8 votes)