
yahoo-eng-team team mailing list archive

[Bug 1823847] Re: Multiple rules in a mapping is not working with type: "local" attribute


Unfortunately the "local" type within the "local" section is not a
matching rule. Only the keys in the "remote" section are matched, then
they are mapped to attributes in the "local" section. If the user
doesn't exist already in keystone, but still matches the remote rule
'"type": "HTTP_GROUPS","any_one_of": [ "consumers" ]', it will be mapped
to the first case, and then expect there to already be a local user. The
matching can only be done based on remote attributes, not on local
attributes.

** Changed in: keystone
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1823847

Title:
  Multiple rules in a mapping is not working with type: "local"
  attribute

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  We have a requirement in which we want to set up an external identity provider with keystone federation for SSO.
  I have added two rules in a mapping which will match the criteria below, and added this mapping to the OS_FEDERATION identity provider.
  Rule 1. If the user already exists in keystone, it should not create a new ephemeral user.
  Rule 2. If the user is not found in keystone, it should create a new user in the SSO federated domain.

  Problem:
  If the user is not present already, it should match the second rule and a new user should be created. But it's throwing an Unauthorized error.
  I think, with type: "local" specified, it will throw an Unauthorized error even if there are multiple rules for a given mapping.
  With multiple rules specified, it should try to match a rule in order, which is not working as expected.

  Have attached the mapping object for reference.
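The point made in the reply above, that a mapping rule is selected on its "remote" section alone while "type": "local" is only an instruction about what to do with a match, as an added example. This is not keystone's own rule processor and not the reporter's attached mapping: the two-rule mapping, the assertion attribute names HTTP_USER and HTTP_GROUPS, the domain name sso-federated and the helper functions are all constructed here, and keystone's merging of several matching rules is not modelled.

```python
"""Emulation of how a keystone federation mapping picks a rule.

Added example, not keystone's own RuleProcessor: it reproduces only the
behaviour the thread is about. A rule matches or fails purely on its
"remote" section; the "local" section, "type": "local" included, is an
instruction about what to do with a match and is never consulted while
matching. Keystone's merging of several matching rules is not modelled.
"""
import json

# Constructed mapping resembling the two-rule setup from the bug report
# (the reporter's actual attachment is not on the page). Rule 1 maps onto
# an existing local user, rule 2 onto a new user in the federated domain;
# their "remote" sections are identical.
MAPPING_JSON = """
{
  "rules": [
    {
      "local": [{"user": {"name": "{0}", "type": "local"}}],
      "remote": [
        {"type": "HTTP_USER"},
        {"type": "HTTP_GROUPS", "any_one_of": ["consumers"]}
      ]
    },
    {
      "local": [{"user": {"name": "{0}", "domain": {"name": "sso-federated"}}}],
      "remote": [
        {"type": "HTTP_USER"},
        {"type": "HTTP_GROUPS", "any_one_of": ["consumers"]}
      ]
    }
  ]
}
"""

# Constructed assertion, as the web server's auth module would pass it on.
ASSERTION = {"HTTP_USER": "alice", "HTTP_GROUPS": "consumers"}


def load_mapping(text=MAPPING_JSON):
    return json.loads(text)


def _remote_entry_matches(entry, assertion):
    """Evaluate one "remote" entry. An entry with only a "type" merely
    requires the attribute to be present; any_one_of / not_any_of test
    the attribute's value(s)."""
    values = assertion.get(entry["type"])
    if values is None:
        return False
    if isinstance(values, str):
        values = [values]
    if "any_one_of" in entry:
        return any(v in entry["any_one_of"] for v in values)
    if "not_any_of" in entry:
        return all(v not in entry["not_any_of"] for v in values)
    return True


def matching_rules(mapping, assertion):
    """Indexes of the rules whose *remote* section matches the assertion.
    Nothing in "local" (and nothing about keystone's database) is looked at,
    so two rules that differ only in "local" always match or fail together."""
    return [i for i, rule in enumerate(mapping["rules"])
            if all(_remote_entry_matches(e, assertion) for e in rule["remote"])]


def first_rule_outcome(mapping, assertion, user_exists):
    """What the first matching rule asks keystone to do, given whether the
    named user already exists as a local user."""
    matched = matching_rules(mapping, assertion)
    if not matched:
        return "unauthorized: no rule matched"
    rule = mapping["rules"][matched[0]]
    # "{0}", "{1}", ... refer to the values of the bare "type" entries, in order.
    direct = [assertion[e["type"]] for e in rule["remote"] if len(e) == 1]
    user = rule["local"][0]["user"]
    name = user["name"].format(*direct)
    if user.get("type") == "local":
        if user_exists:
            return "authenticated as existing local user " + name
        return "unauthorized: first matching rule requires an existing local user"
    return "ephemeral user " + name + " created in " + user["domain"]["name"]


if __name__ == "__main__":
    m = load_mapping()
    print(matching_rules(m, ASSERTION))                        # [0, 1]
    print(first_rule_outcome(m, ASSERTION, user_exists=False))
    print(first_rule_outcome(m, ASSERTION, user_exists=True))
```

Both rules match the constructed assertion whether or not alice exists in keystone, and the first one demands an existing local user, so a missing user ends in an authorization failure exactly as the reply describes; changing the group in the assertion to a value outside any_one_of makes both rules fail together, which is the only kind of distinction the remote section can draw.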

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1823847/+subscriptions

