haproxy cluster can't handle saml2 on CLI
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Base Layer | New | Undecided | Unassigned | |
| OpenStack Keystone Charm | New | Undecided | Unassigned | |
Bug Description
After figuring out that when running keystone on a single instance I can get saml2 to work on the CLI, I have found the following two problems, but the first is the easiest to fix.
Haproxy session cookies: saml mellon with haproxy needs a session cookie to connect back to the same keystone it first made contact with; without this you get double saml2 requests.
```
reply: 'HTTP/1.1 200 OK\r\n'
header: Date: Mon, 13 Dec 2021 16:41:45 GMT
header: Server: Apache/2.4.29 (Ubuntu)
header: Cache-Control: private, max-age=0, must-revalidate
header: Content-Length: 3260
header: Keep-Alive: timeout=5, max=100
header: Connection: Keep-Alive
header: Content-Type: application/
https:/
RESP: [200] Cache-Control: private, max-age=0, must-revalidate Connection: Keep-Alive Content-Length: 3260 Content-Type: application/
RESP BODY: Omitted, Content-Type is set to application/
```
The response is in XML, and it's a signature response and not JSON, which the openstack client is looking for.
To resolve this, if I change the haproxy.cfg to the following
```
backend public-
#balance leastconn
balance source
```
the connection has a persistent session. Not a great workaround, but it proves the problem.
As the SSL/TLS is handled by apache and not via Haproxy, I can only ask to look at adding a config option to adjust the balance field in the haproxy template.
This would allow saml2 to work in a cluster setup.
The only other option is to move TLS/SSL from apache to haproxy and have sticky sessions.
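An added configuration example, not part of this bug report and not the keystone charm's own haproxy template, showing the two backend shapes the report describes side by side. Backend and frontend names, the `10.0.0.11-13` addresses, the `5000`/`4990` ports and the certificate path are all assumed placeholders; the two shapes are alternatives, so a real haproxy.cfg would contain only one of them.

```haproxy
# Added example, not the charm's template. Names, addresses, ports and the
# certificate path are assumed placeholders.

# --- Shape 1: TLS is terminated by Apache on each keystone unit ------------
# haproxy only sees encrypted bytes, so it cannot read or insert an HTTP
# cookie. The persistence it can still offer is hashing on the client
# address: `balance source` sends every request from one client IP to the
# same unit, so the mellon session cookie set by unit A always returns to A.
frontend keystone-public-tls
    mode tcp
    bind *:5000
    default_backend keystone-public-tls

backend keystone-public-tls
    mode tcp
    # weak for SAML2: the ECP follow-up request may land on a different unit
    # balance leastconn
    balance source
    # consistent hashing keeps most client->unit mappings stable when one unit
    # leaves, instead of reshuffling every client (and every SAML session)
    hash-type consistent
    option ssl-hello-chk
    server keystone-1 10.0.0.11:4990 check
    server keystone-2 10.0.0.12:4990 check
    server keystone-3 10.0.0.13:4990 check

# --- Shape 2: TLS is terminated by haproxy (the other option the report names)
# Now haproxy sees plaintext HTTP and can pin the session with its own cookie,
# which keeps working for clients sharing one NAT address and with leastconn.
frontend keystone-public-http
    mode http
    bind *:5000 ssl crt /etc/haproxy/keystone.pem   # placeholder cert path
    default_backend keystone-public-http

backend keystone-public-http
    mode http
    balance leastconn
    # haproxy-owned stickiness cookie: `indirect` strips it before the backend
    # sees it, `nocache` marks the response private, `secure`/`httponly` keep
    # it off plaintext connections and out of reach of page scripts
    cookie KEYSTONESRV insert indirect nocache secure httponly
    option httpchk GET /v3
    server keystone-1 10.0.0.11:4990 check cookie k1
    server keystone-2 10.0.0.12:4990 check cookie k2
    server keystone-3 10.0.0.13:4990 check cookie k3
```

Shape 1 is the minimal change the report asks for (a template option for the `balance` field) and needs no change to where TLS terminates, but its persistence is only as good as the client address: many clients behind one NAT all hash to a single unit, and a unit joining or leaving re-hashes some clients mid-login. Shape 2 gives real per-session stickiness, at the cost of moving the certificate and key onto the haproxy units, which is the trade-off the report's last sentence refers to.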