Basically, in comparison with part 1, the OpenStack authentication against the Keystone server is now performed by OpenAM itself, thanks to a specialized authentication module.
Our Belgian partners Paradigmo ( http://paradigmo.com/2014/05/06/forgerock-openam-integration-openstack-keystone/ ) enhanced the solution presented in part 1.
This authentication module is also responsible for storing the Keystone token in the user’s OpenAM session, so that it can be later retrieved by the J2EE agent running in the OpenIG web container.
OpenIG remains in place, however, to add Keystone tokens to client requests on the fly.
This architecture leverages the OpenAM authentication framework and APIs, and also benefits from OpenAM's session failover feature if enabled. It also makes it easier to store and retrieve Keystone tokens than if this had been implemented on the OpenIG side.
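A minimal Python model of the flow described above, added here as an illustration and not taken from the original post, Paradigmo, OpenAM or OpenIG: the login side stores the Keystone token in the session, and the gateway side injects it into the outgoing request. The session property name, the in-memory session store and both function names are assumptions; `X-Auth-Token` is the header OpenStack services read the Keystone token from.

```python
import time

# Hypothetical names: SESSION_PROP and the dict-based store stand in for an
# OpenAM session property and the OpenAM session service.
SESSION_PROP = "keystoneToken"
SESSIONS = {}  # SSO session id -> session properties


def on_login(sso_id, keystone_token, expires_at):
    """Authentication-module side: keep the Keystone token in the session."""
    SESSIONS[sso_id] = {SESSION_PROP: keystone_token, "expires_at": expires_at}


def inject_token(sso_id, headers, now=None):
    """Gateway side: return the headers to forward upstream, or None to refuse."""
    now = time.time() if now is None else now
    # Drop any client-supplied token (header names are case-insensitive) so a
    # caller cannot substitute a Keystone token of its own choosing.
    out = {k: v for k, v in headers.items() if k.lower() != "x-auth-token"}
    session = SESSIONS.get(sso_id)
    if session is None or session["expires_at"] <= now:
        return None  # no session or expired token: force re-authentication
    out["X-Auth-Token"] = session[SESSION_PROP]
    return out


if __name__ == "__main__":
    # Constructed sample values, not real tokens or session ids.
    on_login("sso-abc", "ks-token-constructed", expires_at=2000.0)
    client = {"Accept": "application/json", "x-auth-token": "forged"}
    print(inject_token("sso-abc", client, now=1000.0))  # token replaced
    print(inject_token("sso-abc", {}, now=3000.0))      # expired
    print(inject_token("unknown", {}, now=1000.0))      # no session
```

Refusing the request when the session is missing or the token has expired keeps the gateway from forwarding unauthenticated traffic to the OpenStack API.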
The diagram below depicts OpenIG internals …