yahoo-eng-team team mailing list archive
Message #30310
[Bug 1434701] [NEW] websso should compare remote_id_attribute to remote_id of IdP
Public bug reported:
When using the websso feature in keystone, the identity provider is
looked up based on the value of the 'remote_id_attribute' environment
variable provided by the SAML assertion (or claim in the case of OpenID
Connect). Logic would dictate that the 'remote_id_attribute' value is
searched for against the 'remote_id' field in the backend where identity
providers are stored. This is not the case. Here is an example from
my test environment:
When hitting http://rdo.rdodom.test:5000/v3/auth/OS-FEDERATION/websso/saml2?origin=http%3A//rdo.rdodom.test:
{"error": {"message": "Could not find Identity Provider: https://ipa.rdodom.test/idp/saml2/metadata", "code": 404, "title": "Not Found"}}
This message contains the value of my 'remote_id_attribute' from the
assertion. This value is 'https://ipa.rdodom.test/idp/saml2/metadata'.
The identity provider looks like this:
[root@rdo ~(keystone_v3_admin)]$ openstack identity provider show ipsilon
+-------------+--------------------------------------------+
| Field | Value |
+-------------+--------------------------------------------+
| description | None |
| enabled | True |
| id | ipsilon |
| remote_id | https://ipa.rdodom.test/idp/saml2/metadata |
+-------------+--------------------------------------------+
You can see that the remote_id matches the value that my assertion
contains.
My keystone.conf has this:
remote_id_attribute = MELLON_IDP
trusted_dashboard = http://rdo.rdodom.test
Keystone is currently looking up the identity provider by trying to
match the value from the 'remote_id_attribute' to the 'id' field of the
identity provider in keystone. This seems wrong.
** Affects: keystone
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1434701
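The lookup the report describes, side by side with the one it argues for, as an added example that is not Keystone's code. The registry entry, the keystone.conf attribute name and the environment value are taken from the report; the WSGI environment dict, the dataclass and all function names are assumptions, and the example additionally refuses a request whose assertion carries no remote id at all and ignores providers that are not enabled.

```python
"""Added example (not Keystone's own code): resolve a federated identity
provider for a websso request by matching the assertion's remote id
against each provider's 'remote_id' field, rather than its 'id' field.

Registry contents, the attribute name and the sample environment are
constructed from the values in the bug report; everything else is an
assumption for illustration.
"""
from dataclasses import dataclass


class IdentityProviderNotFound(Exception):
    """Raised when no enabled provider matches the presented remote id."""


@dataclass(frozen=True)
class IdentityProvider:
    id: str
    remote_id: str
    enabled: bool = True


# Constructed registry: the single provider shown in the report.
IDP_REGISTRY = [
    IdentityProvider(id="ipsilon",
                     remote_id="https://ipa.rdodom.test/idp/saml2/metadata",
                     enabled=True),
]

# remote_id_attribute from the reporter's keystone.conf.
REMOTE_ID_ATTRIBUTE = "MELLON_IDP"

# Constructed WSGI-style environment as a SAML SP module would populate it.
SAMPLE_ENV = {
    "MELLON_IDP": "https://ipa.rdodom.test/idp/saml2/metadata",
    "MELLON_NAME_ID": "jdoe",
}


def remote_id_from_env(env, attribute=REMOTE_ID_ATTRIBUTE):
    """Return the remote id the assertion carried, or raise if it is absent.

    A missing or empty value must not fall through and match anything.
    """
    value = env.get(attribute)
    if not value:
        raise IdentityProviderNotFound(
            "assertion did not supply %s" % attribute)
    return value


def lookup_idp_by_id(remote_id, registry=IDP_REGISTRY):
    """The behaviour the report observes: compare against the 'id' field.

    With the report's data this fails, because the assertion carries the
    metadata URL while the provider's id is the short name 'ipsilon'.
    """
    for idp in registry:
        if idp.id == remote_id:
            return idp
    raise IdentityProviderNotFound(
        "Could not find Identity Provider: %s" % remote_id)


def lookup_idp_by_remote_id(remote_id, registry=IDP_REGISTRY):
    """The lookup the report asks for: exact match on 'remote_id',
    restricted to providers that are enabled."""
    for idp in registry:
        if idp.enabled and idp.remote_id == remote_id:
            return idp
    raise IdentityProviderNotFound(
        "Could not find Identity Provider: %s" % remote_id)


def resolve_idp(env, by_remote_id=True, registry=IDP_REGISTRY):
    """Resolve the identity provider for a websso request from its environment."""
    remote_id = remote_id_from_env(env)
    if by_remote_id:
        return lookup_idp_by_remote_id(remote_id, registry)
    return lookup_idp_by_id(remote_id, registry)


if __name__ == "__main__":
    try:
        resolve_idp(SAMPLE_ENV, by_remote_id=False)
    except IdentityProviderNotFound as exc:
        print("lookup by id:", exc)
    print("lookup by remote_id:", resolve_idp(SAMPLE_ENV).id)
```

Run as a script, the lookup by `id` reproduces the 404 message from the report, while the lookup by `remote_id` returns the `ipsilon` provider. The `enabled` check and the rejection of an empty attribute are the two guards a deployer would want in front of any such mapping, since the remote id is the only thing tying the assertion to a configured provider.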