
yahoo-eng-team team mailing list archive

[Bug 1434701] [NEW] websso should compare remote_id_attribute to remote_id of IdP


Public bug reported:

When using the websso feature in keystone, the identity provider is
looked up based on the value of the 'remote_id_attribute' environment
variable provided by the SAML assertion (or claim in the case of OpenID
Connect).  Logic would dictate that the 'remote_id_attribute' value is
searched for against the 'remote_id' field in the backend where identity
providers are stored.  This is not the case.   Here is an example from
my test environment:

When hitting http://rdo.rdodom.test:5000/v3/auth/OS-FEDERATION/websso/saml2?origin=http%3A//rdo.rdodom.test:

  {"error": {"message": "Could not find Identity Provider: https://ipa.rdodom.test/idp/saml2/metadata", "code": 404, "title": "Not Found"}}

This message contains the value of my 'remote_id_attribute' from the
assertion.  This value is 'https://ipa.rdodom.test/idp/saml2/metadata'.
The identity provider looks like this:

[root@rdo ~(keystone_v3_admin)]$ openstack identity provider show ipsilon
+-------------+--------------------------------------------+
| Field       | Value                                      |
+-------------+--------------------------------------------+
| description | None                                       |
| enabled     | True                                       |
| id          | ipsilon                                    |
| remote_id   | https://ipa.rdodom.test/idp/saml2/metadata |
+-------------+--------------------------------------------+

You can see that the remote_id matches the value that my assertion
contains.

My keystone.conf has this:

  remote_id_attribute = MELLON_IDP
  trusted_dashboard = http://rdo.rdodom.test

Keystone is currently looking up the identity provider by trying to
match the value from the 'remote_id_attribute' to the 'id' field of the
identity provider in keystone.  This seems wrong.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1434701

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1434701/+subscriptions
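The lookup the report describes, modelled as an added example (not Keystone's own code): a constructed identity-provider store holding the 'ipsilon' entry from the report, the two keystone.conf settings quoted above, and a simplified websso resolver that checks the origin against trusted_dashboard and then resolves the IdP by exact match on remote_id rather than on id. The trusted_dashboard comparison is an assumption made for illustration, not Keystone's exact check.

```python
from urllib.parse import unquote

# Constructed stand-in for the identity-provider backend; values copied from the
# report's 'openstack identity provider show ipsilon' output.
IDENTITY_PROVIDERS = [
    {"id": "ipsilon", "enabled": True,
     "remote_id": "https://ipa.rdodom.test/idp/saml2/metadata"},
]

# The two keystone.conf settings quoted in the report (assumed list form).
CONF = {"remote_id_attribute": "MELLON_IDP",
        "trusted_dashboard": ["http://rdo.rdodom.test"]}


class NotFound(Exception):
    """Stands in for the HTTP 404 the report shows."""


def lookup_idp_by_id(remote_id):
    """Behaviour the report complains about: assertion value matched to 'id'."""
    for idp in IDENTITY_PROVIDERS:
        if idp["id"] == remote_id:
            return idp
    raise NotFound("Could not find Identity Provider: %s" % remote_id)


def lookup_idp_by_remote_id(remote_id):
    """Behaviour the report asks for: exact, enabled-only match on 'remote_id'."""
    for idp in IDENTITY_PROVIDERS:
        if idp["enabled"] and idp["remote_id"] == remote_id:
            return idp
    raise NotFound("Could not find Identity Provider: %s" % remote_id)


def websso_resolve(environ, origin, lookup=lookup_idp_by_remote_id):
    """Resolve the IdP for a websso request and return its id.

    environ: attributes the SAML/OIDC Apache module exported (e.g. MELLON_IDP).
    origin:  the URL-encoded 'origin' query parameter from the request.
    """
    dashboard = unquote(origin)
    if dashboard not in CONF["trusted_dashboard"]:
        raise ValueError("origin %s is not a trusted dashboard" % dashboard)
    remote_id = environ.get(CONF["remote_id_attribute"])
    if not remote_id:
        raise NotFound("attribute %s missing" % CONF["remote_id_attribute"])
    return lookup(remote_id)["id"]
```

With the report's values, the id-based lookup raises the 404 seen above while the remote_id-based lookup resolves to 'ipsilon'.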
