
yahoo-eng-team team mailing list archive

[Bug 1434701] Re: websso should compare remote_id_attribute to remote_id of IdP


** Changed in: keystone
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1434701

Title:
  websso should compare remote_id_attribute to remote_id of IdP

Status in OpenStack Identity (Keystone):
  Fix Released

Bug description:
  When using the websso feature in keystone, the identity provider is
  looked up based on the value of the 'remote_id_attribute' environment
  variable provided by the SAML assertion (or claim in the case of
  OpenID Connect).  Logic would dictate that the 'remote_id_attribute'
  value is searched for against the 'remote_id' field in the backend
  where identity providers are stored.  This is not the case.   Here is
  an example from my test environment:

  When hitting http://rdo.rdodom.test:5000/v3/auth/OS-FEDERATION/websso/saml2?origin=http%3A//rdo.rdodom.test:

    {"error": {"message": "Could not find Identity Provider: https://ipa.rdodom.test/idp/saml2/metadata", "code": 404, "title": "Not Found"}}

  This message contains the value of my 'remote_id_attribute' from the
  assertion.  This value is
  'https://ipa.rdodom.test/idp/saml2/metadata'.  The identity provider
  looks like this:

  [root@rdo ~(keystone_v3_admin)]$ openstack identity provider show ipsilon
  +-------------+--------------------------------------------+
  | Field       | Value                                      |
  +-------------+--------------------------------------------+
  | description | None                                       |
  | enabled     | True                                       |
  | id          | ipsilon                                    |
  | remote_id   | https://ipa.rdodom.test/idp/saml2/metadata |
  +-------------+--------------------------------------------+

  You can see that the remote_id matches the value that my assertion
  contains.

  My keystone.conf has this:

    remote_id_attribute = MELLON_IDP
    trusted_dashboard = http://rdo.rdodom.test

  Keystone is currently looking up the identity provider by trying to
  match the value from the 'remote_id_attribute' to the 'id' field of
  the identity provider in keystone.  This seems wrong.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1434701/+subscriptions
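The lookup mismatch the report describes, as an added illustration that is not keystone's own code: the attribute value the SAML front end supplies is compared against the identity provider's `id` (the behaviour reported) versus against its `remote_id` (the behaviour the reporter expects). The provider record and the `MELLON_IDP` attribute name come from the report; the second, disabled provider and the environment dictionary are constructed for the example, and `lookup_by_id` / `lookup_by_remote_id` are names chosen here, not keystone functions.

```python
"""Illustration of the websso identity-provider lookup discussed in bug 1434701.
Not keystone code: a minimal model of the two lookup strategies."""
from typing import Dict, List, Optional

# Constructed identity-provider records, modelled on the
# `openstack identity provider show ipsilon` output in the report.
# The second record is made up to show that disabled providers must not match.
IDPS: List[Dict] = [
    {"id": "ipsilon", "enabled": True,
     "remote_id": "https://ipa.rdodom.test/idp/saml2/metadata"},
    {"id": "old-idp", "enabled": False,                      # constructed
     "remote_id": "https://old.example.test/idp/saml2/metadata"},
]


def lookup_by_id(env: Dict[str, str], remote_id_attribute: str,
                 idps: List[Dict] = IDPS) -> Optional[str]:
    """The behaviour the report describes: the attribute value (a URL) is
    compared to the provider *id* ("ipsilon"), so it never matches and the
    caller ends up with the 404 shown in the report."""
    value = env.get(remote_id_attribute)
    for idp in idps:
        if idp["id"] == value:
            return idp["id"]
    return None


def lookup_by_remote_id(env: Dict[str, str], remote_id_attribute: str,
                        idps: List[Dict] = IDPS) -> Optional[str]:
    """The lookup the reporter expects: compare the attribute value to each
    provider's remote_id.  A missing or empty attribute is rejected outright,
    and a disabled provider is never selected."""
    value = env.get(remote_id_attribute)
    if not value:
        return None
    for idp in idps:
        if idp["enabled"] and idp["remote_id"] == value:
            return idp["id"]
    return None


# Constructed request environment as an Apache mod_auth_mellon front end would
# present it; MELLON_IDP is the remote_id_attribute from the report's keystone.conf.
SAML_ENV = {"MELLON_IDP": "https://ipa.rdodom.test/idp/saml2/metadata"}

if __name__ == "__main__":
    print(lookup_by_id(SAML_ENV, "MELLON_IDP"))         # None
    print(lookup_by_remote_id(SAML_ENV, "MELLON_IDP"))  # ipsilon
```

Running the block prints `None` for the id-based comparison and `ipsilon` for the remote_id comparison, which is exactly the gap between the 404 in the report and the provider record shown just below it.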
