yahoo-eng-team team mailing list archive

[Bug 1402916] [NEW] unable to validate signature from a keystone issued SAML assertion

Public bug reported:

In the keystone 2 keystone federation workflow, a keystone acting as an
SP should be able to validate the signature of a SAML assertion from a
keystone acting as an IdP.

The current workaround is to use the NullSecurity rule in the Security
Policy file from Shibboleth (this file is usually located at
/etc/shibboleth/security-policy.xml):

  <SecurityPolicies xmlns="urn:mace:shibboleth:2.0:native:sp:config">
      <Policy id="default" validate="false">
          <PolicyRule type="NullSecurity"/>
      </Policy>
  </SecurityPolicies>

For what it's worth, it seems that mod_shib performs two other checks in
a pipeline fashion, the others being "ExplicitKey" and "PKIX" checks.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1402916

Title:
  unable to validate signature from a keystone issued SAML assertion

Status in OpenStack Identity (Keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1402916/+subscriptions
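The NullSecurity workaround above makes the SP accept SAML messages whose signature was never checked. As an added example (not part of the bug report or of Keystone/Shibboleth), the script below audits a security-policy.xml for that condition; it assumes the rule type names XMLSigning and SimpleSigning from the Shibboleth SP default policy, and both sample policies are constructed inline.

```python
"""Audit a Shibboleth SP security-policy.xml for disabled signature checks."""
import xml.etree.ElementTree as ET

NS = "urn:mace:shibboleth:2.0:native:sp:config"
# Rule types that verify the IdP's signature on SAML messages. Names are
# assumed from the Shibboleth SP default security-policy.xml.
SIGNING_RULES = {"XMLSigning", "SimpleSigning"}

# Constructed sample 1: the workaround from the bug report (signature checks off).
WORKAROUND_POLICY = """\
<SecurityPolicies xmlns="urn:mace:shibboleth:2.0:native:sp:config">
    <Policy id="default" validate="false">
        <PolicyRule type="NullSecurity"/>
    </Policy>
</SecurityPolicies>
"""

# Constructed sample 2: a policy that keeps signature verification enforced.
ENFORCING_POLICY = """\
<SecurityPolicies xmlns="urn:mace:shibboleth:2.0:native:sp:config">
    <Policy id="default" validate="false">
        <PolicyRule type="MessageFlow" checkReplay="true" expires="60"/>
        <PolicyRule type="XMLSigning" errorFatal="true"/>
        <PolicyRule type="SimpleSigning" errorFatal="true"/>
    </Policy>
</SecurityPolicies>
"""


def audit_policy(xml_text):
    """Return (policy_id, finding) pairs; an empty list means every Policy
    carries a signing rule, no NullSecurity rule, and no explicit errorFatal="false"."""
    root = ET.fromstring(xml_text)
    findings = []
    for policy in root.iter(f"{{{NS}}}Policy"):
        pid = policy.get("id", "<unnamed>")
        rules = list(policy.iter(f"{{{NS}}}PolicyRule"))
        types = {rule.get("type") for rule in rules}
        if "NullSecurity" in types:
            findings.append((pid, "NullSecurity rule: messages are accepted without verification"))
        if not types & SIGNING_RULES:
            findings.append((pid, "no XMLSigning/SimpleSigning rule: signatures are never checked"))
        for rule in rules:
            if rule.get("type") in SIGNING_RULES and rule.get("errorFatal") == "false":
                findings.append((pid, f"{rule.get('type')} errorFatal=false: failures are ignored"))
    return findings


if __name__ == "__main__":
    for name, text in (("workaround", WORKAROUND_POLICY), ("enforcing", ENFORCING_POLICY)):
        print(name, audit_policy(text) or "OK")
```

Point it at the real file with `audit_policy(open("/etc/shibboleth/security-policy.xml").read())` to check a deployed SP.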
