Identity Service Introduction

Introducing the HP Helion Public Cloud Identity Service

The HP Helion Identity Service provides one-stop authentication for all HP Helion Public Cloud service offerings and an OpenStack Keystone compatible API. Before you start using HP Helion Public Cloud and the Identity Service it might help to understand a few things. First, let’s talk about how the Identity Service works and how your requests are authenticated. At a high level, the process looks like this:

  1. First, a User sends an authentication request to the Identity Service. You can send your access key and secret key (recommended) or your username and password to prove that you are who you say you are.
  2. Next, the Identity Service responds with an Authentication Token (a string that must be used for subsequent requests to other services) and a Service Catalog (a list of services available to you and the endpoints that you access using the Authentication Token).
  3. Finally, a User sends requests to the services from the Service Catalog, passing along the Authentication Token. All HP Helion Public Cloud services are integrated with the Identity Service so that the Authentication Token can correctly identify a User and provide the appropriate access.

Projects and Scoped vs Unscoped Tokens

An important concept to understand when working with the new HP Cloud Identity Service is the Project. A Project is a collection of HP Helion Public Cloud service subscriptions and/or resources. Think of a Project as a set of Compute, Storage and/or other resources that you might use for a project you are working on. Today your account has only one Project and all your resources are managed within that one Project. You have the ability to create multiple Projects and manage them as you'd like. As mentioned above, each Project also has a Service Catalog. As you dig deeper and start to develop using the Identity Service, the Project ID and the associated Service Catalog will become more useful and important to you.

Next, let’s talk about Scoped Tokens vs. Unscoped Tokens. A Scoped Token is associated with a Project and can be used to access services or resources managed within that Project. In other words, you need a Scoped Token to access the services and other resources within your account. The Service Catalog returned with a Scoped Token includes all the services that are available to you.

An Unscoped Token, on the other hand, is not associated with a Project and thus cannot be used to access the services or resources within your account. Instead, Unscoped Tokens are used to access only the Identity Service itself. You can use Unscoped Tokens to make Identity Service API calls. For example, if you need to determine information about your Project, you would use an Unscoped Token to call the Identity Service.

When you make a Scoped Token request, the returned Service Catalog includes endpoints for the services that are available to you plus endpoints that are available in general, such as the Identity Service itself. In an Unscoped Token request, the Service Catalog includes only the endpoints that are available in general. Because you need a Scoped Token to access your services, incorporating Project IDs into your calls is important.

The Identity Service REST API allows you to authenticate Users, list Projects available to your User, rescope an existing Authentication Token to an available Project, and invalidate an existing Authentication Token. In case your head is spinning and you have an awful headache, let’s go through a conceptual example to make all this clearer.

A Detailed Identity Service Example

Suppose we had a User named who has activated the Compute service only. His own Project is the same as his login name and he’d like to obtain a Scoped Authentication Token for his Project. How would he do this?

NOTE: The example below authenticates with username/password and Project Name for clarity purposes. While this is perfectly valid, HP Helion Public Cloud recommends authenticating with access key/secret key and Project ID for two reasons. First and foremost, a breach of access keys is far more recoverable than one involving username/password. Second, your Project ID will never change, whereas your Project Name can be changed. By using your Project ID you guarantee that a changed Project Name won’t break your application.

In step #1, the User authenticates with his username/password and Project Name. The response in step #2 contains an Authentication Token “XYZ” and a Service Catalog that contains a list of the services activated for the Project in question along with the Identity Service. XYZ is a Scoped Token for both the HP Cloud Identity Service and HP Cloud Compute. Had no Project Name been sent with this request, XYZ would be an Unscoped Token whose Service Catalog contained only the Identity Service.
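The flow above (steps 1 to 3) and this example, worked through as an added Python example that is not code from HP's documentation. It never touches the network: the request bodies are built in the Keystone v2.0 shape that the Identity Service is described as compatible with (`passwordCredentials` with `tenantName` or `tenantId`, and token-based re-scoping), while the responses are constructed sample JSON in the shape the text describes, a token plus a Service Catalog. The endpoint URLs, the Project ID `1234567890`, the user name `jdoe` and the token value `XYZ` are placeholders, not real HP values; the assumed field names are labelled in the comments.

```python
"""Keystone-v2.0-style Identity Service flow: unscoped login, inspect the
catalog, rescope to a Project, then call a service with X-Auth-Token.
Added example; all endpoints and ids below are placeholders."""
import json

IDENTITY_URL = "https://identity.example.invalid/v2.0"  # placeholder, not a real HP endpoint


def password_auth_request(username, password, project_name=None, project_id=None):
    """Body for POST {IDENTITY_URL}/tokens (assumed Keystone v2.0 layout).

    Without a project the Identity Service answers with an Unscoped Token;
    with a project name or id it answers with a Scoped Token. The id wins
    when both are given, because a Project Name can be renamed and a
    Project ID cannot.
    """
    auth = {"passwordCredentials": {"username": username, "password": password}}
    if project_id is not None:
        auth["tenantId"] = project_id        # Keystone v2.0 calls a Project a "tenant"
    elif project_name is not None:
        auth["tenantName"] = project_name
    return {"auth": auth}


def rescope_request(token_id, project_id):
    """Body that exchanges an existing (e.g. unscoped) token for one scoped to project_id."""
    return {"auth": {"token": {"id": token_id}, "tenantId": project_id}}


def parse_token_response(body):
    """Reduce a token response to the token, its scope and a {service type: publicURL} map."""
    access = body["access"]
    token = access["token"]
    tenant = token.get("tenant")              # absent on an Unscoped Token
    catalog = {}
    for svc in access.get("serviceCatalog", []):
        for ep in svc.get("endpoints", []):
            catalog.setdefault(svc["type"], ep["publicURL"])   # first region wins
    return {
        "token": token["id"],
        "expires": token["expires"],
        "project_id": tenant["id"] if tenant else None,
        "scoped": tenant is not None,
        "catalog": catalog,
    }


def endpoint_for(parsed, service_type):
    """Pick a service endpoint; fail loudly when this token's catalog cannot reach it."""
    try:
        return parsed["catalog"][service_type]
    except KeyError:
        kind = "scoped" if parsed["scoped"] else "unscoped"
        raise LookupError(f"{service_type!r} is not in the catalog of this {kind} token; "
                          "rescope to a Project that has it activated") from None


def service_headers(token_id):
    """Headers every subsequent service call carries (step 3 of the flow)."""
    return {"X-Auth-Token": token_id, "Accept": "application/json"}


# Constructed sample responses, not captured from HP's service.
UNSCOPED_RESPONSE = {"access": {
    "token": {"id": "XYZ", "expires": "2014-01-01T00:00:00Z"},
    "serviceCatalog": [
        {"type": "identity", "name": "Identity",
         "endpoints": [{"publicURL": IDENTITY_URL, "region": "region-a"}]},
    ]}}

SCOPED_RESPONSE = {"access": {
    "token": {"id": "XYZ", "expires": "2014-01-01T00:00:00Z",
              "tenant": {"id": "1234567890", "name": "jdoe"}},
    "serviceCatalog": [
        {"type": "identity", "name": "Identity",
         "endpoints": [{"publicURL": IDENTITY_URL, "region": "region-a"}]},
        {"type": "compute", "name": "Compute",
         "endpoints": [{"publicURL": "https://compute.example.invalid/v2/1234567890",
                        "region": "region-a", "tenantId": "1234567890"}]},
    ]}}


if __name__ == "__main__":
    # Step 1 without a Project: what would be sent, and what an Unscoped Token allows.
    print(json.dumps(password_auth_request("jdoe", "PASSWORD-PLACEHOLDER"), indent=2))
    unscoped = parse_token_response(UNSCOPED_RESPONSE)
    print("unscoped catalog:", sorted(unscoped["catalog"]))
    # Rescope using the Project ID, then call Compute with the Scoped Token.
    print(json.dumps(rescope_request(unscoped["token"], "1234567890"), indent=2))
    scoped = parse_token_response(SCOPED_RESPONSE)
    print("compute endpoint:", endpoint_for(scoped, "compute"), service_headers(scoped["token"]))
```

The `endpoint_for` check is the practical consequence of the scoped/unscoped distinction: a client that looks up Compute in the catalog of an Unscoped Token gets a clear error instead of a confusing 401 from a guessed URL, and the fix is to rescope with the Project ID rather than the Project Name.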

For More Information

More information about the HP Cloud Identity Service is available on the technical documentation portion of the HP Cloud Services website, found at:
