yahoo-eng-team team mailing list archive
Message #23698
[Bug 1380779] Re: SAML protocol must always be called 'saml2'
** Also affects: python-keystoneclient
Importance: Undecided
Status: New
** Changed in: keystone
Importance: Undecided => Medium
** Tags added: federation
** Tags added: documentation
** Changed in: python-keystoneclient
Importance: Undecided => Wishlist
** Changed in: python-keystoneclient
Status: New => Triaged
--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1380779
Title:
SAML protocol must always be called 'saml2'
Status in OpenStack Identity (Keystone):
In Progress
Status in Python client library for Keystone:
Triaged
Bug description:
In the v3unscopedsaml plugin in python-keystoneclient, the token URL is built with "saml2" as the default protocol value. However, this value is a class property and isn't meant to be set at plugin instantiation: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/contrib/auth/v3/saml2.py#L28

Therefore every auth token URL should be of the form http://X.Y.Z.A:5000/v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth in order for the plugin to be usable out of the box.

Short-term fix: modify Keystone's doc on federation so that administrators always create protocols called 'saml2'. This makes sense anyway, since SAML2 is used to authenticate and authorize the users.

Long-term fix: allow the protocol name to be an argument when instantiating the plugin.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1380779/+subscriptions
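An added example, not code from python-keystoneclient or from the bug reporter: a constructed Python sketch of the token-URL construction the report describes (protocol name fixed as a class attribute), next to the proposed long-term fix (protocol name as an instantiation argument defaulting to 'saml2'), plus a pre-flight check that tells an administrator whether the protocol id the plugin will request matches one that was actually registered, which is the mismatch the short-term documentation fix is meant to avoid. The class and function names, the identity-provider id "idp-acme", the registered-protocol list, and the percent-encoding of path segments are all assumptions of this example, not behaviour the report documents.

```python
import re
from urllib.parse import quote

# Constructed example (not python-keystoneclient code). The URL shape is the
# one quoted in the bug report:
#   <auth_url>/OS-FEDERATION/identity_providers/<idp>/protocols/<protocol>/auth
FEDERATION_AUTH_PATH = "/OS-FEDERATION/identity_providers/{idp}/protocols/{protocol}/auth"


def _segment(value):
    """Percent-encode a value so it stays exactly one URL path segment.

    Hypothetical hardening, not something the bug report asks for: an
    identity-provider or protocol id containing '/' or '?' would otherwise
    change which Keystone resource the request is addressed to.
    """
    if not value:
        raise ValueError("identity provider and protocol ids must be non-empty")
    return quote(value, safe="")


class UnscopedSamlAsReported:
    """Mirrors the behaviour described in the bug: the protocol name is a
    class attribute, so it cannot be changed when the plugin is instantiated."""

    PROTOCOL = "saml2"

    def __init__(self, auth_url, identity_provider):
        self.auth_url = auth_url.rstrip("/")
        self.identity_provider = identity_provider

    @property
    def token_url(self):
        return self.auth_url + FEDERATION_AUTH_PATH.format(
            idp=_segment(self.identity_provider), protocol=_segment(self.PROTOCOL))


class UnscopedSamlWithProtocolArg(UnscopedSamlAsReported):
    """The long-term fix proposed in the bug: accept the protocol name as an
    instantiation argument, keeping 'saml2' as the default so existing
    callers keep working."""

    def __init__(self, auth_url, identity_provider, protocol="saml2"):
        super().__init__(auth_url, identity_provider)
        self.protocol = protocol

    @property
    def token_url(self):
        return self.auth_url + FEDERATION_AUTH_PATH.format(
            idp=_segment(self.identity_provider), protocol=_segment(self.protocol))


def requested_protocol(token_url):
    """Return the protocol id a plugin will request, read back from its token URL."""
    m = re.search(r"/OS-FEDERATION/identity_providers/[^/]+/protocols/([^/]+)/auth$", token_url)
    return m.group(1) if m else None


def protocol_is_served(plugin, registered_protocol_ids):
    """Pre-flight check for the short-term fix: True only if the protocol id the
    plugin puts in the URL is one the administrator registered for that identity
    provider. The id list is constructed here; a real check would read it from
    Keystone's federation API."""
    return requested_protocol(plugin.token_url) in set(registered_protocol_ids)


if __name__ == "__main__":
    auth_url = "http://X.Y.Z.A:5000/v3"  # placeholder host taken from the bug report
    registered = ["saml"]                # constructed: admin named the protocol 'saml', not 'saml2'

    reported = UnscopedSamlAsReported(auth_url, "idp-acme")
    print(reported.token_url, protocol_is_served(reported, registered))  # .../protocols/saml2/auth False

    fixed = UnscopedSamlWithProtocolArg(auth_url, "idp-acme", protocol="saml")
    print(fixed.token_url, protocol_is_served(fixed, registered))        # .../protocols/saml/auth True
```

Running the block shows the reported plugin asking for .../protocols/saml2/auth no matter what the administrator registered, so a deployment whose protocol is called anything else fails out of the box; the plugin with the protocol argument lines up with the registered id, and the default keeps the 'saml2' convention the short-term fix documents.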