yahoo-eng-team team mailing list archive
Message #23692
[Bug 1380779] [NEW] SAML protocol must always be called 'saml2'
Public bug reported:
In the v3unscopedsaml plugin in python-keystoneclient, the token url is
built with "saml2" as the default protocol value. However, this value is
a class property and isn't meant to be set at plugin instantiation:
https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/contrib/auth/v3/saml2.py#L28
Therefore every auth token url should be of the form
http://X.Y.Z.A:5000/v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth in order for the
plugin to be usable out of the box.
Short term fix: modify keystone's doc on federation so that
administrators always create protocols called 'saml2'. This makes sense
anyway, since SAML2 is used to authenticate and authorize the users.
Long term fix: allow the protocol name to be an argument when
instantiating the plugin.
** Affects: keystone
Importance: Undecided
Assignee: Matthieu Huin (mhu-s)
Status: New
** Changed in: keystone
Assignee: (unassigned) => Matthieu Huin (mhu-s)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1380779
Title:
SAML protocol must always be called 'saml2'
Status in OpenStack Identity (Keystone):
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1380779/+subscriptions
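As an added illustration (not code from python-keystoneclient, Keystone, or the bug report), the following Python models the behaviour the report describes: a federation auth plugin whose protocol name is a class attribute builds a token URL that can only ever point at a Keystone protocol called 'saml2'. Next to it is the constructor-argument form the report proposes as the long-term fix, and an operator-side check for the short-term fix, namely that the name the plugin will put in the URL is among the protocol ids registered on Keystone for that identity provider. The class names, the `protocol_is_registered` helper, the placeholder auth URL and the registered-protocol lists are assumptions made for this example.

```python
from urllib.parse import quote

# Path template for the Keystone v3 federation auth endpoint, as quoted in the
# bug report: /OS-FEDERATION/identity_providers/<idp>/protocols/<protocol>/auth
FEDERATION_AUTH_PATH = (
    "/OS-FEDERATION/identity_providers/{idp}/protocols/{protocol}/auth"
)


class FixedProtocolSaml2Plugin:
    """Hypothetical model of the reported behaviour: the protocol name is a
    class attribute, and nothing in the constructor lets a caller change it."""

    protocol = "saml2"

    def __init__(self, auth_url, identity_provider):
        self.auth_url = auth_url.rstrip("/")
        self.identity_provider = identity_provider

    def token_url(self):
        # The protocol path segment always comes from the class attribute.
        # Both ids are percent-encoded as single path segments so an id
        # containing '/' cannot change the shape of the URL.
        return self.auth_url + FEDERATION_AUTH_PATH.format(
            idp=quote(self.identity_provider, safe=""),
            protocol=quote(self.protocol, safe=""),
        )


class ConfigurableProtocolSaml2Plugin(FixedProtocolSaml2Plugin):
    """Hypothetical model of the report's long-term fix: the protocol name is
    an optional constructor argument.  Omitting it keeps the class default, so
    callers that already rely on 'saml2' keep working unchanged."""

    def __init__(self, auth_url, identity_provider, protocol=None):
        super().__init__(auth_url, identity_provider)
        if protocol is not None:
            self.protocol = protocol


def protocol_is_registered(plugin, registered_protocol_ids):
    """Operator-side check for the short-term fix: will the protocol name the
    plugin puts in the URL match a protocol actually registered on Keystone
    for the IdP?  `registered_protocol_ids` is the list of protocol ids an
    administrator created for that identity provider (constructed by the
    caller here; in a real deployment it would come from Keystone's
    federation API)."""
    return plugin.protocol in set(registered_protocol_ids)


if __name__ == "__main__":
    auth_url = "http://X.Y.Z.A:5000/v3"  # placeholder host taken from the report
    idp = "myidp"                          # constructed IdP id

    fixed = FixedProtocolSaml2Plugin(auth_url, idp)
    print("fixed plugin  ->", fixed.token_url())

    # An administrator who registered the protocol as 'saml' (constructed
    # example) cannot be reached by the fixed plugin, but can by the
    # configurable one.
    registered = ["saml"]
    print("fixed usable with", registered, "?",
          protocol_is_registered(fixed, registered))

    configurable = ConfigurableProtocolSaml2Plugin(auth_url, idp, protocol="saml")
    print("configurable  ->", configurable.token_url())
    print("configurable usable with", registered, "?",
          protocol_is_registered(configurable, registered))
```

The example keeps the report's plain http:// placeholder so the URLs line up with the text; in a real deployment the auth URL should be https, since the SAML assertion and the resulting Keystone token both travel over it.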