unable to generate saml assertion

Bug #1428251 reported by Steve Martinelli
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: High
Assigned to: Steve Martinelli

Bug Description

root@sl-kilo-idp:~# curl -i -k \
> -H "Content-Type: application/json" \
> -d '
> {
>     "auth": {
>         "identity": {
>             "methods": [
>                 "token"
>             ],
>             "token": {
>                 "id": "94e2a49d18604a88a5c157bda0e5ac5f"
>             }
>         },
>         "scope": {
>             "service_provider": {
>                 "id": "keystone-sp"
>             }
>         }
>     }
> }' \
> https://keystone.idp/keystone/main/v3/auth/OS-FEDERATION/saml2

HTTP/1.1 500 Internal Server Error
Date: Wed, 04 Mar 2015 12:31:32 GMT
Server: Apache/2.2.22 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 618
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator,
 webmaster@localhost and inform them of the time the error occurred,
and anything you might have done that may have
caused the error.</p>
<p>More information about this error may be available
in the server error log.</p>
<hr>
<address>Apache/2.2.22 (Ubuntu) Server at keystone.idp Port 443</address>
</body></html>

Steve Martinelli (stevemar) wrote :

Upon inspecting the function, the actual SAML response is fine at the controller level: https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/controllers.py#L338-L339

Seems to be a bug in wsgi.py, probably around here:
https://github.com/openstack/keystone/blob/master/keystone/common/wsgi.py#L738-L782

Changed in keystone:
importance: Undecided → High
status: New → Confirmed
milestone: none → kilo-3
Steve Martinelli (stevemar) wrote :

Forgot to add these lines:

[Wed Mar 04 06:31:32 2015] [error] [client 169.53.167.228] mod_wsgi (pid=25349): Exception occurred processing WSGI script '/usr/lib/cgi-bin/keystone/main'.
[Wed Mar 04 06:31:32 2015] [error] [client 169.53.167.228] TypeError: expected byte string object for header value, value of type unicode found

David Stanek (dstanek) wrote :

This is the result of the federated code setting headers that are text instead of bytes.

Changed in keystone:
assignee: nobody → Steve Martinelli (stevemar)
status: Confirmed → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: kilo-3 → 2015.1.0
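
The TypeError in the Apache log and the cause named in the last comment (header values of the wrong string type), reproduced as an added example that is not keystone's code or its fix. All names here (to_native, NativeHeaders, non_native, saml_app, serve) are hypothetical, and serve() is a constructed stand-in for the server's header type check, not mod_wsgi itself.

```python
# Added example, not keystone code: keep WSGI response headers native `str`.
TEXT, BINARY = type(u""), type(b"")   # (unicode, str) on Py2; (str, bytes) on Py3


def to_native(value):
    """Coerce a header name/value to the native str type PEP 3333 requires."""
    if isinstance(value, str):
        return value
    if isinstance(value, TEXT):        # Python 2: unicode -> byte string
        return value.encode("latin-1")
    if isinstance(value, BINARY):      # Python 3: bytes -> text string
        return value.decode("latin-1")
    raise TypeError("header must be a string, got %s" % type(value).__name__)


class NativeHeaders(object):
    """Hypothetical middleware that normalises what the app hands to the server."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def wrapped(status, headers, exc_info=None):
            headers = [(to_native(k), to_native(v)) for k, v in headers]
            return start_response(to_native(status), headers, exc_info)
        return self.app(environ, wrapped)


def non_native(s):
    """Build the wrong string type for this interpreter (constructed input)."""
    return s.encode("latin-1") if str is TEXT else s.decode("latin-1")


def saml_app(environ, start_response):
    # Constructed stand-in for a handler that sets a non-native header value.
    start_response("200 OK", [("Content-Type", non_native("text/xml"))])
    return [b"<samlp:Response/>"]


def serve(app):
    """Call app the way a strict server would; return the accepted headers."""
    accepted = []
    def start_response(status, headers, exc_info=None):
        for name, value in headers:
            if not (isinstance(name, str) and isinstance(value, str)):
                raise TypeError("expected native string for header value")
        accepted.extend(headers)

    body = b"".join(app({"REQUEST_METHOD": "POST"}, start_response))
    return accepted, body
```

serve(saml_app) raises TypeError, while serve(NativeHeaders(saml_app)) returns the header as a native string along with the unchanged body.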