Signing in via multiple federation protocols leads to SQL duplicate entry error
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | New | Undecided | Unassigned |
Bug Description
I am using an OSA All In One instance to look at federation options.
I have set up one idp with two federation protocols, SAML2 (Shib) and OpenID, attached to it.
Each protocol has its own mapping, but in the end they map to the same result: an ephemeral user with an email as the username, with the same permissions.
When I sign in with a user using one protocol for the first time, I am then unable to authenticate using a different protocol due to an SQL Duplicate Entry Error.
Should this be possible?
Is it because I've used two mappings instead of having a combined mapping, or is a user tied to a protocol? - Many questions!
A couple of logs:
keystone.
keystone.
[SQL: INSERT INTO user (id, domain_id, enabled, extra, default_project_id, created_at, last_active_at) VALUES (%(id)s, %(domain_id)s, %(enabled)s, %(extra)s, %(default_
[parameters: {'id': '628c91b90865ab
(Background on this error at: http://
Conflict occurred attempting to store federated_user - Duplicate entry.: keystone.
I'll try to set up a devstack next week and reproduce this.
In the meanwhile, this line at [0] may be the culprit, as it is essentially trying to create a new user for each federated user, instead of checking whether there is one and then appending the federated user reference to it.
[0] https://github.com/openstack/keystone/blob/4d42e48ba24ceca0932b5b743680de5e1155c5f8/keystone/identity/shadow_backends/sql.py#L51
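The two patterns contrasted in the comment above, written out as an added example. This is not keystone's code and not the file at [0]: the tables, the UNIQUE(domain_id, name) constraint (standing in for "both mappings yield the same e-mail username" from the report), the sample mapping results and the function names are all constructed assumptions to show the failure mode and a get-or-link alternative on an in-memory SQLite database.

```python
import sqlite3
import uuid

# Constructed, simplified schema for illustration only (not keystone's tables).
# UNIQUE(domain_id, name) models two mappings producing the same username.
SCHEMA = """
CREATE TABLE user (
    id        TEXT PRIMARY KEY,
    domain_id TEXT NOT NULL,
    name      TEXT NOT NULL,
    UNIQUE (domain_id, name)
);
CREATE TABLE federated_user (
    user_id     TEXT NOT NULL REFERENCES user(id),
    idp_id      TEXT NOT NULL,
    protocol_id TEXT NOT NULL,
    unique_id   TEXT NOT NULL,
    UNIQUE (idp_id, protocol_id, unique_id)
);
"""

# Constructed mapping results: one person, one IdP, two protocols, and both
# mappings hand back the same username (an e-mail address).
SAML_LOGIN = {"idp_id": "corp-idp", "protocol_id": "saml2",
              "unique_id": "alice@example.com",
              "domain_id": "Federated", "name": "alice@example.com"}
OIDC_LOGIN = dict(SAML_LOGIN, protocol_id="openid")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def _insert_user(conn, mapped):
    user_id = uuid.uuid4().hex
    conn.execute("INSERT INTO user (id, domain_id, name) VALUES (?, ?, ?)",
                 (user_id, mapped["domain_id"], mapped["name"]))
    return user_id


def _link_federated(conn, user_id, mapped):
    conn.execute(
        "INSERT INTO federated_user (user_id, idp_id, protocol_id, unique_id) "
        "VALUES (?, ?, ?, ?)",
        (user_id, mapped["idp_id"], mapped["protocol_id"], mapped["unique_id"]))


def login_create_always(conn, mapped):
    """Create-always pattern: every (idp, protocol, unique_id) gets a brand-new
    user row. The second protocol collides on the username and the INSERT
    into user fails with an integrity (duplicate entry) error."""
    with conn:  # commit on success, roll back on error
        user_id = _insert_user(conn, mapped)
        _link_federated(conn, user_id, mapped)
    return user_id


def login_get_or_link(conn, mapped):
    """Hypothetical get-or-link pattern: reuse the existing user for a second
    federated identity and only create a user when nothing matches."""
    with conn:
        row = conn.execute(
            "SELECT user_id FROM federated_user "
            "WHERE idp_id=? AND protocol_id=? AND unique_id=?",
            (mapped["idp_id"], mapped["protocol_id"], mapped["unique_id"])).fetchone()
        if row:
            return row[0]  # this exact federated identity has logged in before
        row = conn.execute("SELECT id FROM user WHERE domain_id=? AND name=?",
                           (mapped["domain_id"], mapped["name"])).fetchone()
        user_id = row[0] if row else _insert_user(conn, mapped)
        _link_federated(conn, user_id, mapped)  # second protocol -> same user
        return user_id


def federated_rows(conn):
    return conn.execute("SELECT COUNT(*) FROM federated_user").fetchone()[0]


def demo_create_always():
    """True if the second-protocol login hits the duplicate-entry error."""
    conn = make_db()
    login_create_always(conn, SAML_LOGIN)
    try:
        login_create_always(conn, OIDC_LOGIN)
    except sqlite3.IntegrityError:
        return True
    return False


def demo_get_or_link():
    """Returns (same user id for both protocols?, federated_user row count)."""
    conn = make_db()
    first = login_get_or_link(conn, SAML_LOGIN)
    second = login_get_or_link(conn, OIDC_LOGIN)
    return first == second, federated_rows(conn)


if __name__ == "__main__":
    print("create-always conflicts on 2nd protocol:", demo_create_always())
    print("get-or-link (same user, federated rows):", demo_get_or_link())
```

In the get-or-link variant the lookup order matters: the exact (idp, protocol, unique_id) triple is checked first so a returning identity never touches the user table, and only a genuinely new triple falls through to the username match and then to creation.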