yahoo-eng-team team mailing list archive

[Matthieu Huin <mhu@xxxxxxxxxxxx>]

Public bug reported:

On some federation setups (observed on Apache 2.4.7 + shibboleth 2.5.2, on Ubuntu 14.04) the REMOTE_USER environment variable is set to the empty string when performing a SAML-backed authentication, even though shibboleth is configured so that it doesn't populate REMOTE_USER with any assertion.
This causes the external auth method to take over the expected saml2 auth method, and results in a 401 failure since user '' cannot be found.
A workaround is to disable the external auth method in /etc/keystone/keystone.conf.

** Affects: keystone
     Importance: Undecided
     Assignee: Matthieu Huin (mhu-s)
         Status: In Progress

** Changed in: keystone
     Assignee: (unassigned) => Matthieu Huin (mhu-s)

** Changed in: keystone
       Status: New => In Progress

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1354315

Title:
  REMOTE_USER as empty string results in authentication failure

Status in OpenStack Identity (Keystone):
  In Progress

Bug description:
  On some federation setups (observed on Apache 2.4.7 + shibboleth 2.5.2, on Ubuntu 14.04) the REMOTE_USER environment variable is set to the empty string when performing a SAML-backed authentication, even though shibboleth is configured so that it doesn't populate REMOTE_USER with any assertion.
  This causes the external auth method to take over the expected saml2 auth method, and results in a 401 failure since user '' cannot be found.
  A workaround is to disable the external auth method in /etc/keystone/keystone.conf.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1354315/+subscriptions