yahoo-eng-team team mailing list archive
Message #25584
[Bug 1402916] [NEW] unable to validate signature from a keystone issued SAML assertion
Public bug reported:
In the keystone 2 keystone federation workflow, a keystone acting as an
SP should be able to validate the signature of a SAML assertion from a
keystone acting as an IdP.
The current workaround is to use the NullSecurity rule in the Security
Policy file from Shibboleth (this file is usually located at
/etc/shibboleth/security-policy.xml):
    <SecurityPolicies xmlns="urn:mace:shibboleth:2.0:native:sp:config">
        <Policy id="default" validate="false">
            <PolicyRule type="NullSecurity"/>
        </Policy>
    </SecurityPolicies>
For what it's worth, it seems that mod_shib performs two other checks in
a pipeline fashion, the others being "ExplicitKey" and "PKIX" checks.
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1402916
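
Added example (not part of the bug report, and not keystone or Shibboleth code): a Python check that flags a security-policy.xml still carrying the NullSecurity workaround quoted in the report, so the workaround does not linger on an SP unnoticed. The XMLSigning and SimpleSigning rule names and the second sample policy are assumptions about a stock Shibboleth SP configuration.

```python
import xml.etree.ElementTree as ET

NS = "{urn:mace:shibboleth:2.0:native:sp:config}"
# Assumption: rule types that check signatures in a stock Shibboleth SP policy;
# adjust the set to match the deployed SP version.
SIGNATURE_RULES = {"XMLSigning", "SimpleSigning"}

NULL_RULE = "NullSecurity rule present"
NO_SIG_RULE = "no signature-checking rule configured"

# The workaround policy exactly as quoted in the bug report.
WORKAROUND_POLICY = """<SecurityPolicies xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <Policy id="default" validate="false">
    <PolicyRule type="NullSecurity"/>
  </Policy>
</SecurityPolicies>"""

# Constructed sample: a policy that keeps a signature rule (assumed rule name).
SIGNING_POLICY = """<SecurityPolicies xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <Policy id="default" validate="false">
    <PolicyRule type="XMLSigning" errorFatal="true"/>
  </Policy>
</SecurityPolicies>"""


def audit_security_policy(xml_text):
    """Return (policy_id, finding) pairs for policies that skip signature checks."""
    findings = []
    root = ET.fromstring(xml_text)
    for policy in root.iter(NS + "Policy"):
        policy_id = policy.get("id", "<no id>")
        # iter() also reaches rules nested inside other rules.
        rule_types = [rule.get("type") for rule in policy.iter(NS + "PolicyRule")]
        if "NullSecurity" in rule_types:
            findings.append((policy_id, NULL_RULE))
        if not SIGNATURE_RULES.intersection(rule_types):
            findings.append((policy_id, NO_SIG_RULE))
    return findings


if __name__ == "__main__":
    for policy_id, finding in audit_security_policy(WORKAROUND_POLICY):
        print(f"policy {policy_id!r}: {finding}")
```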