yahoo-eng-team team mailing list archive

[Bug 1426128] Re: Add ECP related bits to saml generation code

 

** Changed in: keystone
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1426128

Title:
  Add ECP related bits to saml generation code

Status in OpenStack Identity (Keystone):
  Fix Released

Bug description:
  If an app wants to use k2k, then the keystone SP is probably set up to leverage ECP SAML assertions.
  Currently, the SAML assertion that is generated by the IdP keystone does not contain the ECP related bits, such as:

  <soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
      <soap11:Header>
          <ecp:RelayState xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
                          soap11:actor="http://schemas.xmlsoap.org/soap/actor/next"
                          soap11:mustUnderstand="1">
              456e74900b306b5ed54ec9fb23c614f9fa73ece1c97ec004ed
          </ecp:RelayState>
          <samlec:GeneratedKey xmlns:samlec="urn:ietf:params:xml:ns:samlec"
              soap11:actor="http://schemas.xmlsoap.org/soap/actor/next">
              yvYbdh49qSJ7LqjFv+rfB8SR7hPWMwQkL0KKOgSkhY
          </samlec:GeneratedKey>
      </soap11:Header>
      <soap11:Body>
          %(response)s
      </soap11:Body>
  </soap11:Envelope>

  We should add these into the saml generator code so that a client can
  simply get a SAML assertion from his token, and pass that assertion
  directly to a remote keystone.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1426128/+subscriptions
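
Added example, not part of the bug report and not Keystone's code: a sketch of wrapping a serialized SAML Response in the SOAP 1.1 envelope shown above, plus the structural checks a receiver can make on the ecp:RelayState header before reading the Body. The function names and the sample Response are assumptions, and the samlec:GeneratedKey header is left out.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
ECP = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
ACTOR_NEXT = "http://schemas.xmlsoap.org/soap/actor/next"
# Constructed stand-in for a serialized SAML Response (no XML declaration).
SAMPLE_RESPONSE = ('<samlp:Response ID="_constructed" '
                   'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"/>')
ENVELOPE = (
    '<soap11:Envelope xmlns:soap11="%(soap)s"><soap11:Header>'
    '<ecp:RelayState xmlns:ecp="%(ecp)s" soap11:actor="%(actor)s" '
    'soap11:mustUnderstand="1">%(relay_state)s</ecp:RelayState>'
    '</soap11:Header><soap11:Body>%(response)s</soap11:Body>'
    '</soap11:Envelope>')


def wrap_in_ecp_envelope(response_xml, relay_state):
    """Hypothetical helper: put a serialized Response in the SOAP Body."""
    if response_xml.lstrip().startswith("<?xml"):
        raise ValueError("strip the XML declaration before embedding")
    # The response goes in verbatim (no parse/serialize round trip);
    # the relay state is text content, so it is XML-escaped.
    return ENVELOPE % {"soap": SOAP11, "ecp": ECP, "actor": ACTOR_NEXT,
                       "relay_state": escape(relay_state),
                       "response": response_xml}


def parse_ecp_envelope(envelope_xml):
    """Hypothetical receiver check: return (relay_state, body element tag)."""
    if "<!DOCTYPE" in envelope_xml:
        raise ValueError("DTDs are not accepted")
    root = ET.fromstring(envelope_xml)
    if root.tag != "{%s}Envelope" % SOAP11:
        raise ValueError("not a SOAP 1.1 envelope")
    relay = root.find("{%s}Header/{%s}RelayState" % (SOAP11, ECP))
    if relay is None:
        raise ValueError("missing ecp:RelayState header")
    if relay.get("{%s}mustUnderstand" % SOAP11) != "1":
        raise ValueError("ecp:RelayState lacks mustUnderstand=1")
    if relay.get("{%s}actor" % SOAP11) != ACTOR_NEXT:
        raise ValueError("unexpected SOAP actor on ecp:RelayState")
    body = root.find("{%s}Body" % SOAP11)
    if body is None or len(body) != 1:
        raise ValueError("Body must hold exactly one element")
    return (relay.text or "").strip(), body[0].tag
```

These checks cover only the envelope structure; validating the Response itself (signature, issuer, conditions) is a separate step.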