No validation between client's IdP and Keystone IdP
Bug #1390124 reported by Marek Denis
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | High | Marco Fargetta |
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |
OpenStack Security Notes | Fix Released | Undecided | Nathan Kinder |
Bug Description
With today's configuration there is no strict link between a federated assertion issued by a trusted IdP and an IdP configured inside Keystone. Hence, a user has the ability to choose a mapping and possibly get unauthorized access.
Proposed solution: set up an IdP identifier included in an assertion issued by an IdP and validate whether both values are equal.
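The check the report proposes, as an added illustration and not Keystone's own code or the fix that eventually landed: the pre-fix path picks a mapping from whatever `idp_id` the client names in the request, while the hardened path first compares the issuer carried in the assertion against the identifier recorded for that Keystone IdP. The IdP table, the mapping table, the assertion dictionary and the `remote_id` field name are all constructed for the example.

```python
"""Model of bug #1390124: the Keystone IdP (and therefore the mapping) must
match the IdP that actually issued the federated assertion.

Everything below is illustrative sample data, not Keystone internals.
"""


class FederationError(Exception):
    """Raised when a federated request cannot be tied to a trusted IdP."""


# Constructed: Keystone-side IdP records. 'remote_id' is the entity ID the
# remote IdP places in its assertions (field name assumed for this example).
IDENTITY_PROVIDERS = {
    "corp-idp": {
        "remote_id": "https://idp.corp.example/saml2",
        "mapping_id": "corp-mapping",
    },
    "partner-idp": {
        "remote_id": "https://sso.partner.example/idp",
        "mapping_id": "partner-mapping",
    },
}

# Constructed: what each mapping grants once it is applied.
MAPPINGS = {
    "corp-mapping": {"group": "corp-admins"},
    "partner-mapping": {"group": "partner-guests"},
}

# Constructed: an assertion as the SP layer hands it to Keystone. It was
# issued by the partner IdP, but the caller is free to name any idp_id.
PARTNER_ASSERTION = {
    "issuer": "https://sso.partner.example/idp",
    "attributes": {"uid": "alice"},
}


def vulnerable_select_mapping(idp_id, assertion):
    """Pre-fix behaviour: trust the client's idp_id, ignore who issued
    the assertion. A partner user can request /corp-idp/ and be mapped
    with the corp mapping."""
    idp = IDENTITY_PROVIDERS.get(idp_id)
    if idp is None:
        raise FederationError("unknown identity provider %r" % idp_id)
    return MAPPINGS[idp["mapping_id"]]


def hardened_select_mapping(idp_id, assertion):
    """Proposed fix: the assertion's issuer must equal the identifier
    configured for the Keystone IdP the client named."""
    idp = IDENTITY_PROVIDERS.get(idp_id)
    if idp is None:
        raise FederationError("unknown identity provider %r" % idp_id)
    issuer = assertion.get("issuer")
    if not issuer:
        # Fail closed: without an issuer nothing ties the assertion to an IdP.
        raise FederationError("assertion carries no issuer identifier")
    if issuer != idp["remote_id"]:
        raise FederationError(
            "assertion issuer %r does not match identity provider %r"
            % (issuer, idp_id)
        )
    return MAPPINGS[idp["mapping_id"]]


def demo():
    """Run the same cross-IdP request through both paths."""
    results = {}
    # Pre-fix: partner assertion + corp idp_id yields the corp mapping.
    results["vulnerable"] = vulnerable_select_mapping(
        "corp-idp", PARTNER_ASSERTION)["group"]
    # Post-fix: the mismatch is rejected.
    try:
        hardened_select_mapping("corp-idp", PARTNER_ASSERTION)
        results["hardened"] = "allowed"
    except FederationError:
        results["hardened"] = "rejected"
    # Post-fix: naming the IdP that really issued it still works.
    results["legitimate"] = hardened_select_mapping(
        "partner-idp", PARTNER_ASSERTION)["group"]
    return results


if __name__ == "__main__":
    print(demo())
```

The comparison is against the identifier Keystone already holds for the IdP, so the client-supplied `idp_id` only selects which configured identifier to check, never which mapping to apply on its own.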
Changed in keystone:
assignee: nobody → Marek Denis (marek-denis)
description: updated
Changed in keystone:
milestone: none → kilo-1
Changed in keystone:
status: Fix Committed → Fix Released
Changed in keystone:
milestone: kilo-1 → 2015.1.0
I've added an incomplete security advisory task and subscribed the Keystone core security reviewers to evaluate this report for validity and determination on whether it needs to be kept embargoed while a fix is under development.