WebSSO username shows as a UUID in the Horizon page

Bug #1597101 reported by Roxana Gherle
This bug affects 3 people
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Roxana Gherle

Bug Description

When you log in to Horizon using Web Single Sign On with the saml2 or oidc federation protocols, the logged-in user shows as a UUID (the user's ID) in the Horizon page. This was different before, when the specific username from the external identity provider was shown by the Horizon dashboard.
This happens because both the unscoped and scoped federated tokens have both user.id and user.name set to the ID of the user. The actual username does not show in the federated token.

This change in behavior seems to have happened after the shadow users functionality was introduced, because the token was containing the username for both user.id and user.name in the pre-Mitaka releases, but now that has changed to both containing the UUID.
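
Added example, not part of the bug report and not keystone's or Horizon's own code: a check that can be run over the JSON body of a token (for instance the response of `GET /v3/auth/tokens`) to tell whether a federated token still carries the user ID in `user.name`. The function name, the UUID heuristic and the sample token bodies are assumptions constructed for illustration.

```python
import json
import re

# UUID with or without dashes; the name check is a heuristic (assumption).
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{12}$", re.I)


def check_federated_username(token_body):
    """Classify token.user of a Keystone v3 token body (dict or JSON text).

    Returns "malformed", "not-federated", "name-is-id",
    "name-looks-like-uuid" or "ok".
    """
    if isinstance(token_body, (str, bytes)):
        try:
            token_body = json.loads(token_body)
        except ValueError:
            return "malformed"
    token = token_body.get("token") if isinstance(token_body, dict) else None
    user = token.get("user") if isinstance(token, dict) else None
    if not isinstance(user, dict) or "id" not in user or "name" not in user:
        return "malformed"
    # Federated tokens carry an OS-FEDERATION section under token.user.
    if "OS-FEDERATION" not in user:
        return "not-federated"
    if user["name"] == user["id"]:
        return "name-is-id"          # the symptom described in this report
    if UUID_RE.match(str(user["name"])):
        return "name-looks-like-uuid"
    return "ok"


# Constructed sample token bodies (not captured from a real deployment).
_FED = {"identity_provider": {"id": "example-idp"},
        "protocol": {"id": "saml2"}, "groups": []}
_UID = "0f3a9c1e5b7d4e2a8c6b1d9e4f7a2b3c"
SAMPLE_AFFECTED = {"token": {"methods": ["saml2"],
                             "user": {"id": _UID, "name": _UID, "OS-FEDERATION": _FED}}}
SAMPLE_FIXED = json.dumps({"token": {"methods": ["saml2"], "project": {"name": "demo"},
                                     "user": {"id": _UID, "name": "jdoe@example.org",
                                              "OS-FEDERATION": _FED}}})
SAMPLE_LOCAL = {"token": {"methods": ["password"],
                          "user": {"id": _UID, "name": "admin", "domain": {"id": "default"}}}}

if __name__ == "__main__":
    for label, body in [("affected", SAMPLE_AFFECTED), ("fixed", SAMPLE_FIXED),
                        ("local", SAMPLE_LOCAL)]:
        print(label, "->", check_federated_username(body))
```

A `name-is-id` result on a federated token means dashboards and any logs keyed on `user.name` will record the opaque ID rather than the identity provider's username.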

Changed in keystone:
assignee: nobody → Roxana Gherle (roxana-gherle)
Boris Bobrov (bbobrov) wrote :

I see this issue too.

Changed in keystone:
status: New → Confirmed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/335617

Changed in keystone:
status: Confirmed → In Progress
tags: added: federation
Changed in keystone:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/335617
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=2042c955c81929deb47bc8cc77082b085faaa47d
Submitter: Jenkins
Branch: master

commit 2042c955c81929deb47bc8cc77082b085faaa47d
Author: Roxana Gherle <email address hidden>
Date: Wed Jun 29 11:21:13 2016 -0700

    Fix the username value in federated tokens

    Currently, in both unscoped and scoped federated tokens, the
    username value in the token is equal to the userid and not to
    the value of the username in the external identity provider.
    This makes WebSSO login to show the userid of the logged-in
    user in the Horizon dashboard, whereas before it was showing
    the actual user name.

    This patch fixes the value of the username in the federated
    tokens, which will fix the WebSSO issue as well, since Horizon
    looks at the username value and displays that as the logged-in user.

    Closes-Bug: #1597101
    Closes-Bug: #1482701
    Change-Id: I33a0274641c4e6bc4e127f5206ba9bc7dbd8e5a8

Changed in keystone:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/343820

Changed in keystone:
milestone: none → newton-3
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/mitaka)

Reviewed: https://review.openstack.org/343820
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=176cbf2551a4aee2d544190df363fba44502bd0c
Submitter: Jenkins
Branch: stable/mitaka

commit 176cbf2551a4aee2d544190df363fba44502bd0c
Author: Roxana Gherle <email address hidden>
Date: Wed Jun 29 11:21:13 2016 -0700

    Fix the username value in federated tokens

    Currently, in both unscoped and scoped federated tokens, the
    username value in the token is equal to the userid and not to
    the value of the username in the external identity provider.
    This makes WebSSO login to show the userid of the logged-in
    user in the Horizon dashboard, whereas before it was showing
    the actual user name.

    This patch fixes the value of the username in the federated
    tokens, which will fix the WebSSO issue as well, since Horizon
    looks at the username value and displays that as the logged-in user.

    Closes-Bug: #1597101
    Closes-Bug: #1482701
    Change-Id: I33a0274641c4e6bc4e127f5206ba9bc7dbd8e5a8
    (cherry picked from commit 2042c955c81929deb47bc8cc77082b085faaa47d)

tags: added: in-stable-mitaka
Thierry Carrez (ttx) wrote : Fix included in openstack/keystone 10.0.0.0b3

This issue was fixed in the openstack/keystone 10.0.0.0b3 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 9.2.0

This issue was fixed in the openstack/keystone 9.2.0 release.
