
yahoo-eng-team team mailing list archive

[Bug 1426128] [NEW] Add ECP related bits to saml generation code


Public bug reported:

If an app wants to use k2k, then the keystone SP is probably set up to leverage ECP SAML assertions.
Currently, the SAML assertion that is generated by the IdP keystone does not contain the ECP related bits, such as:

"""<soap11:Envelope
        xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/"><soap11:Header><ecp:RelayState
        xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
        soap11:actor="http://schemas.xmlsoap.org/soap/actor/next"
        soap11:mustUnderstand="1">ss:mem:f88cd8ad5aeee3456e74900b306b5ed54ec9fb23c614f9fa73ece1c97ec004ed</ecp:RelayState><samlec:GeneratedKey
        xmlns:samlec="urn:ietf:params:xml:ns:samlec"
        soap11:actor="http://schemas.xmlsoap.org/soap/actor/next">yvYbdh49qSJ7LqjFv+rfB8SR97hPWMwQkL0KKOgSkhY=</samlec:GeneratedKey></soap11:Header>
        <soap11:Body>%(response)s</soap11:Body></soap11:Envelope>"""

We should add these into the saml generator code so that a client can
simply get a SAML assertion from his token, and pass that assertion
directly to a remote keystone.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1426128

Title:
  Add ECP related bits to saml generation code

Status in OpenStack Identity (Keystone):
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1426128/+subscriptions
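The wrapping the report asks for, as an added Python example that is not Keystone's own code: it builds the SOAP 1.1 envelope with the ecp:RelayState and samlec:GeneratedKey headers around a samlp:Response using ElementTree instead of string substitution, and adds the receiving-side check a Keystone SP would want (RelayState header present with soap11:mustUnderstand="1" and the "next" actor, a Response inside the Body). The sample response, relay state value, key bytes and function names are constructed for this example and are not from the bug or from Keystone.

```python
"""Wrap a SAML 2.0 <Response> in the SOAP/ECP envelope a Keystone SP expects.

Added example, not Keystone's code. It assumes the caller already holds a
(normally signed) samlp:Response as an XML string; relay state and key
values passed in are opaque to this code.
"""
import base64
import xml.etree.ElementTree as ET
from typing import Optional

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ECP_NS = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
SAMLEC_NS = "urn:ietf:params:xml:ns:samlec"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SOAP_NEXT_ACTOR = "http://schemas.xmlsoap.org/soap/actor/next"

# Register the prefixes used in the bug report so the output reads the same way.
ET.register_namespace("soap11", SOAP_NS)
ET.register_namespace("ecp", ECP_NS)
ET.register_namespace("samlec", SAMLEC_NS)
ET.register_namespace("samlp", SAMLP_NS)
ET.register_namespace("saml", "urn:oasis:names:tc:SAML:2.0:assertion")


def wrap_in_ecp_envelope(saml_response_xml: str, relay_state: str,
                         generated_key: Optional[bytes] = None) -> str:
    """Return the SOAP 1.1 envelope (as a string) with ECP headers around the response.

    The response is parsed and attached as a subtree rather than spliced in
    with %-formatting, so a malformed response cannot break out of <soap11:Body>.
    """
    response = ET.fromstring(saml_response_xml)
    if response.tag != f"{{{SAMLP_NS}}}Response":
        raise ValueError("expected a samlp:Response root, got %s" % response.tag)

    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")

    # ecp:RelayState with mustUnderstand="1": an SP that cannot process the
    # header must fault instead of silently ignoring it.
    rs = ET.SubElement(header, f"{{{ECP_NS}}}RelayState")
    rs.set(f"{{{SOAP_NS}}}actor", SOAP_NEXT_ACTOR)
    rs.set(f"{{{SOAP_NS}}}mustUnderstand", "1")
    rs.text = relay_state

    # samlec:GeneratedKey is optional; it carries the base64 key material.
    if generated_key is not None:
        gk = ET.SubElement(header, f"{{{SAMLEC_NS}}}GeneratedKey")
        gk.set(f"{{{SOAP_NS}}}actor", SOAP_NEXT_ACTOR)
        gk.text = base64.b64encode(generated_key).decode("ascii")

    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    body.append(response)
    return ET.tostring(env, encoding="unicode")


def check_ecp_envelope(envelope_xml: str) -> dict:
    """SP-side sanity check: return relay state, key bytes and response ID,
    raising ValueError when the ECP bits the bug asks for are missing."""
    env = ET.fromstring(envelope_xml)
    header = env.find(f"{{{SOAP_NS}}}Header")
    body = env.find(f"{{{SOAP_NS}}}Body")
    if env.tag != f"{{{SOAP_NS}}}Envelope" or header is None or body is None:
        raise ValueError("not a SOAP 1.1 envelope with Header and Body")
    rs = header.find(f"{{{ECP_NS}}}RelayState")
    if rs is None:
        raise ValueError("ecp:RelayState header missing")
    if rs.get(f"{{{SOAP_NS}}}mustUnderstand") != "1":
        raise ValueError('ecp:RelayState must carry soap11:mustUnderstand="1"')
    if rs.get(f"{{{SOAP_NS}}}actor") != SOAP_NEXT_ACTOR:
        raise ValueError("ecp:RelayState must target the SOAP 'next' actor")
    gk = header.find(f"{{{SAMLEC_NS}}}GeneratedKey")
    response = body.find(f"{{{SAMLP_NS}}}Response")
    if response is None:
        raise ValueError("soap11:Body does not contain a samlp:Response")
    return {
        "relay_state": rs.text,
        "generated_key": base64.b64decode(gk.text) if gk is not None else None,
        "response_id": response.get("ID"),
    }


# Constructed, unsigned sample response; a real IdP response carries a Signature.
SAMPLE_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example-response-id" Version="2.0" IssueInstant="2015-02-26T00:00:00Z">'
    '<saml:Issuer>https://idp.example.test/v3/OS-FEDERATION/saml2/idp</saml:Issuer>'
    '</samlp:Response>'
)

if __name__ == "__main__":
    envelope = wrap_in_ecp_envelope(SAMPLE_RESPONSE, "ss:mem:constructed", b"\x01" * 32)
    print(envelope)
    print(check_ecp_envelope(envelope))
```

Building the envelope from parsed elements means a response that is not well-formed is rejected up front rather than producing an envelope that the SP cannot parse, and `check_ecp_envelope` gives the SP a single place to refuse envelopes whose RelayState header is missing or not marked mustUnderstand.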

