yahoo-eng-team team mailing list archive

[Bug 1470205] [NEW] Keystone IdP SAML metadata insufficient for websso flow


Public bug reported:

The metadata generated by Keystone IdP includes a binding of type URI.
From https://github.com/openstack/keystone/blame/8bb63620b4d9ec71b0a60ed705938103d7d3c2c2/keystone/contrib/federation/idp.py#L490:

        def single_sign_on_service():
            idp_sso_endpoint = CONF.saml.idp_sso_endpoint
            return md.SingleSignOnService(
                binding=saml2.BINDING_URI,
                location=idp_sso_endpoint)

Looking at the Shibboleth SessionInitiator code, this is not a valid
binding for a default websso configuration. The accepted bindings are
defined at https://github.com/craigpg/shibboleth-sp2/blob/f62a7996e195a9c026f3f8cb0e9086594b7f8515/shibsp/handler/impl/SAML2SessionInitiator.cpp#L164-L165:

            // No override, so we'll install a default binding precedence.
            string prec = string(samlconstants::SAML20_BINDING_HTTP_REDIRECT) + ' ' + samlconstants::SAML20_BINDING_HTTP_POST + ' ' +
                samlconstants::SAML20_BINDING_HTTP_POST_SIMPLESIGN + ' ' + samlconstants::SAML20_BINDING_HTTP_ARTIFACT;

** Affects: keystone
     Importance: Wishlist
     Assignee: Marek Denis (marek-denis)
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1470205

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1470205/+subscriptions
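The mismatch the report describes can be checked mechanically: parse the IdP metadata, collect the SingleSignOnService bindings it advertises, and walk the Shibboleth SP's default binding precedence to see whether any of them would be selected. The following is an added example, not Keystone or Shibboleth code; the metadata document, entityID and Location values are constructed, and the binding URNs are the standard SAML 2.0 ones (saml2.BINDING_URI expands to the "...:bindings:URI" URN).

```python
# Added example (not Keystone or Shibboleth code): check whether an IdP's SAML
# metadata advertises a SingleSignOnService binding that a Shibboleth SP using
# the default SAML2SessionInitiator precedence can actually use for websso.
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"

# Default precedence from SAML2SessionInitiator.cpp as quoted in the bug report.
SHIB_DEFAULT_PRECEDENCE = [
    BINDING_PREFIX + "HTTP-Redirect",
    BINDING_PREFIX + "HTTP-POST",
    BINDING_PREFIX + "HTTP-POST-SimpleSign",
    BINDING_PREFIX + "HTTP-Artifact",
]

# Constructed sample metadata mirroring the bug: the only SingleSignOnService
# uses the URI binding, which is what saml2.BINDING_URI expands to.
KEYSTONE_LIKE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/v3/OS-FEDERATION/saml2/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI"
        Location="https://idp.example.test/v3/OS-FEDERATION/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def sso_bindings(metadata_xml):
    """Return the Binding attribute of every SingleSignOnService element."""
    root = ET.fromstring(metadata_xml)
    return [e.get("Binding") for e in root.iter("{%s}SingleSignOnService" % MD_NS)]


def usable_by_default_shib_sp(metadata_xml, precedence=SHIB_DEFAULT_PRECEDENCE):
    """Return the binding a default-configured Shibboleth SP would select,
    or None when the IdP offers nothing on the SP's precedence list."""
    offered = set(sso_bindings(metadata_xml))
    for binding in precedence:  # the SP walks its own precedence, not the IdP's order
        if binding in offered:
            return binding
    return None


if __name__ == "__main__":
    print("offered:", sso_bindings(KEYSTONE_LIKE_METADATA))
    print("selected:", usable_by_default_shib_sp(KEYSTONE_LIKE_METADATA))
```

Running it against the constructed metadata prints an offered list containing only the URI binding and `None` for the selected binding, which is exactly the failure the report describes; swapping the Binding attribute for HTTP-Redirect makes the check pass.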
