
Overview

Domains provide administrative isolation between organizations, business units, or customers. Each domain has its own user namespace, and users in one domain cannot see users in another. A single domain can be configured with its own authentication backend (SQL, LDAP, or federation), making domains the fundamental multi-tenancy boundary in Xloud Identity.
Administrator Access Required — This operation requires the admin role. Contact your Xloud administrator if you do not have sufficient permissions.

Domain Concepts

| Concept | Description |
|---|---|
| Default domain | Created automatically during deployment. Contains all initial admin users and projects. Cannot be deleted. |
| Custom domain | Administrator-created domain for a business unit, customer, or organizational boundary. |
| Domain admin | A user with the admin role scoped to the domain. Can manage users and projects within that domain only. |
| Domain backend | Each domain can use a different authentication driver: one domain uses SQL, another uses LDAP. |

Create a Domain

Navigate to Domains

Log in with admin credentials. Navigate to Identity → Domains and click Create Domain.

Configure the domain

| Field | Description |
|---|---|
| Name | Unique identifier for the domain |
| Description | Purpose or owner of the domain |
| Enabled | Toggle on to allow user authentication |

Confirm creation

Click Create Domain.
The domain appears in the Identity → Domains list with status Enabled.

Assign Domain Administrators

As a domain administrator, you can manage users, projects, and groups within your domain without platform-level admin access.
Navigate to the domain’s Members tab. Add a user and assign the admin role to grant domain-level administration privileges.
The domain administrator can now manage users and projects within that domain.

Disable and Delete Domains

Navigate to Identity → Domains, open the domain, and click Edit Domain. Toggle Enabled off to disable the domain. Disabled domains block all authentication for every user in that domain.

Per-Domain Authentication Backends

Each domain can be assigned its own authentication driver. This enables a deployment where the Default domain uses SQL while a corporate domain uses LDAP:
XDeploy globals: per-domain LDAP backend
keystone_domain_config:
  corporate:
    identity:
      driver: ldap
    ldap:
      url: ldap://ldap.corp.example.com
      user_tree_dn: ou=Users,dc=corp,dc=example,dc=com
      user_id_attribute: sAMAccountName
Deploy after configuring:
Apply domain configuration
xavs-ansible deploy --tags keystone
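
The `corporate` example above uses an `ldap://` URL, which carries bind credentials unencrypted unless StartTLS is enabled. The following pre-deploy check is an added example, not part of Xloud's tooling: it audits a parsed `keystone_domain_config` mapping for LDAP domains without enforced TLS. It assumes XDeploy passes Keystone's standard `[ldap]` options (`use_tls`, `tls_req_cert`, `tls_cacertfile`) through unchanged; the `partner` domain and the function names are hypothetical.

```python
from urllib.parse import urlparse

# Constructed input: the page's keystone_domain_config block as a parsed mapping,
# plus a hypothetical "partner" domain showing a hardened transport.
DOMAIN_CONFIG = {
    "corporate": {
        "identity": {"driver": "ldap"},
        "ldap": {"url": "ldap://ldap.corp.example.com",
                 "user_tree_dn": "ou=Users,dc=corp,dc=example,dc=com",
                 "user_id_attribute": "sAMAccountName"},
    },
    "partner": {  # hypothetical
        "identity": {"driver": "ldap"},
        "ldap": {"url": "ldaps://ldap.partner.example.com",
                 "tls_cacertfile": "/etc/ssl/certs/partner-ca.pem",
                 "tls_req_cert": "demand"},
    },
}

def _truthy(value):
    return str(value).strip().lower() in ("true", "yes", "1")

def audit_ldap_transport(domain_config):
    """Return {domain: [findings]} for LDAP-backed domains without enforced TLS."""
    findings = {}
    for domain, sections in domain_config.items():
        if sections.get("identity", {}).get("driver") != "ldap":
            continue  # SQL-backed domains have no LDAP transport to check
        ldap = sections.get("ldap", {})
        issues = []
        # Keystone accepts several server URLs as one comma-separated string.
        for url in (u.strip() for u in str(ldap.get("url", "")).split(",")):
            scheme = urlparse(url).scheme.lower()
            if scheme == "ldap" and not _truthy(ldap.get("use_tls", False)):
                issues.append(f"{url}: cleartext bind (no ldaps:// or use_tls)")
            elif scheme not in ("ldap", "ldaps"):
                issues.append(f"{url or '<missing>'}: unexpected URL scheme")
        # tls_req_cert defaults to 'demand' in Keystone; flag explicit downgrades.
        if str(ldap.get("tls_req_cert", "demand")).lower() != "demand":
            issues.append("tls_req_cert is not 'demand': server certificate not enforced")
        if issues:
            findings[domain] = issues
    return findings

if __name__ == "__main__":
    for domain, issues in audit_ldap_transport(DOMAIN_CONFIG).items():
        for issue in issues:
            print(f"[{domain}] {issue}")
```

Run it against the globals file before `xavs-ansible deploy --tags keystone`; an empty result means every LDAP-backed domain uses `ldaps://` or StartTLS with certificate verification left at `demand`.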

Next Steps

Authentication Backends

Configure LDAP and federation backends for domain authentication.

Service Catalog

Manage endpoint registration across regions for all Xloud services.

Policy Management

Customize RBAC policies for domain-scoped administrative operations.

Security Hardening

Apply security best practices for domain isolation and access controls.