
yahoo-eng-team team mailing list archive

[Bug 1392685] [NEW] With OS-Federation users can get the wrong mapping


Public bug reported:

In case multiple SAML IdPs are configured with OS-Federation, following
the configuration proposed in the documentation
("http://docs.openstack.org/security-guide/content/identity.html"), the
mappings are not strictly associated to the IdP.

As an example, consider a system that has two IdPs, named IdP-A and IdP-B, with the mappings MAP-A and MAP-B respectively. If a user from IdP-A accesses the URL "/v3/OS-FEDERATION/identity_providers/IdP-B/protocols/saml2/auth", they get the mapping for the users of IdP-B; the only condition is that the IdPs should return similar attributes, but this is quite common for universities.
The problem is that there are no constraints between the mapping URL and the corresponding IdP, so users can get mapped differently according to the URL they access.

A quick solution is to modify the configuration so the URL can be
accessed only by one IdP. A better solution would require the inclusion
of an id to verify the IdP used for the authentication.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1392685

Title:
  With OS-Federation users can get the wrong mapping

Status in OpenStack Identity (Keystone):
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1392685/+subscriptions
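As an added illustration (not Keystone's code, and not the reporter's), the two selection rules side by side: the URL-only rule the report describes, which hands an IdP-A user MAP-B when they post to IdP-B's endpoint, and a bound rule that refuses to apply a mapping unless the assertion's issuer is registered for the IdP named in the URL. The registry, its `remote_ids` field, the `Shib-Identity-Provider` attribute name and the sample assertion are assumptions constructed for this example.

```python
from typing import Mapping

# Constructed sample registry for this example, not real Keystone configuration.
# Each IdP record names its mapping and the SAML entityIDs it may represent
# ("remote_ids" is a hypothetical field here).
IDENTITY_PROVIDERS = {
    "IdP-A": {"mapping": "MAP-A", "remote_ids": {"https://idp-a.example.edu/idp/shibboleth"}},
    "IdP-B": {"mapping": "MAP-B", "remote_ids": {"https://idp-b.example.edu/idp/shibboleth"}},
}

# Attribute under which the SAML SP is assumed to expose the issuing IdP's entityID.
REMOTE_ID_ATTRIBUTE = "Shib-Identity-Provider"


class FederationError(Exception):
    """Raised when the assertion cannot be bound to the IdP named in the URL."""


def select_mapping_url_only(url_idp: str) -> str:
    """Behaviour described in the report: the mapping is chosen from the
    identity_providers/<id> path segment alone, so an assertion from IdP-A
    presented at IdP-B's URL is processed with MAP-B."""
    return IDENTITY_PROVIDERS[url_idp]["mapping"]


def assertion_matches_idp(url_idp: str, assertion: Mapping[str, str]) -> bool:
    """True only if the assertion's issuer is registered for the URL's IdP."""
    idp = IDENTITY_PROVIDERS.get(url_idp)
    issuer = assertion.get(REMOTE_ID_ATTRIBUTE)
    return idp is not None and issuer is not None and issuer in idp["remote_ids"]


def select_mapping(url_idp: str, assertion: Mapping[str, str]) -> str:
    """Bound selection: apply a mapping only when the IdP that actually issued
    the assertion is the one named in the URL; otherwise reject the login."""
    if not assertion_matches_idp(url_idp, assertion):
        raise FederationError(
            f"assertion from {assertion.get(REMOTE_ID_ATTRIBUTE)!r} "
            f"is not bound to identity provider {url_idp!r}"
        )
    return IDENTITY_PROVIDERS[url_idp]["mapping"]


if __name__ == "__main__":
    # Constructed assertion from a user of IdP-A who posts to IdP-B's URL.
    alice = {REMOTE_ID_ATTRIBUTE: "https://idp-a.example.edu/idp/shibboleth", "eppn": "alice@idp-a.example.edu"}
    print("url-only:", select_mapping_url_only("IdP-B"))  # MAP-B, the wrong mapping
    try:
        select_mapping("IdP-B", alice)
    except FederationError as exc:
        print("bound:", exc)  # rejected
    print("bound:", select_mapping("IdP-A", alice))  # MAP-A
```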
