Mapping openstack_user attribute in k2k assertions with different domains

Bug #1442787 reported by Rodrigo Duarte on 2015-04-10
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | | Wishlist | Rodrigo Duarte |
Kilo | | Undecided | Unassigned |

Bug Description

We can have two users with the same username in different domains. So if we have a "User A" in "Domain X" and a "User A" in "Domain Y", there is no way to tell which "User A" is being used in a SAML assertion generated by this IdP (we have only the openstack_user attribute in the SAML assertion).

Fix proposed to branch: master
Review: https://review.openstack.org/172562

Changed in keystone:
assignee: nobody → Rodrigo Duarte (rodrigodsousa)
status: New → In Progress
Dolph Mathews (dolph) wrote :

Marking this as Wishlist since it's essentially proposing to add a new attribute to a public API, but it also looks like a rather important design oversight. Can this be addressed on the mapping side, somehow, without introducing a new attribute at all?

Changed in keystone:
importance: Undecided → Wishlist
Rodrigo Duarte (rodrigodsousa) wrote :

Don't think so... We need this attribute in order to distinguish the user passed in the assertion; using only the mapping rules there is no way to perform such differentiation.

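The collision described in the bug description and in the exchange above, as an added example that is not code from this bug report or from keystone. It builds two constructed SAML assertions for "User A" in "Domain X" and "User A" in "Domain Y", once as the IdP emitted them before the fix (openstack_user only) and once with the openstack_user_domain attribute the fix adds, and runs them through a deliberately small mapping evaluator. The evaluator only covers the subset of keystone's mapping syntax used here ("remote"/"local", "type", "any_one_of", "{n}" substitution) and is an assumption about that engine, not its code; in particular it assumes, as keystone does, that a filter entry with "any_one_of" does not occupy a "{n}" slot, and the "domain" key on the local user is used purely for illustration.

```python
"""Added example (not keystone code): K2K assertions with and without
openstack_user_domain, fed through a simplified mapping evaluator.
All SAML documents below are constructed for this illustration."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_assertion(attrs):
    """Constructed minimal SAML Assertion carrying one AttributeStatement."""
    parts = [f'<saml:Assertion xmlns:saml="{SAML_NS}"><saml:AttributeStatement>']
    for name, value in attrs.items():
        parts.append(f'<saml:Attribute Name="{escape(name)}"><saml:AttributeValue>'
                     f'{escape(value)}</saml:AttributeValue></saml:Attribute>')
    parts.append("</saml:AttributeStatement></saml:Assertion>")
    return "".join(parts)


def idp_assertion(user, domain, emit_domain):
    """What the keystone IdP emits: before the fix only openstack_user,
    after the fix also openstack_user_domain."""
    attrs = {"openstack_user": user}
    if emit_domain:
        attrs["openstack_user_domain"] = domain
    return build_assertion(attrs)


def extract_attributes(xml_text):
    """Collect AttributeStatement attributes as {name: [values]}."""
    root = ET.fromstring(xml_text)
    out = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        out[attr.get("Name")] = values
    return out


def apply_mapping(rules, attrs):
    """Simplified keystone-style evaluation: first rule whose remote entries
    all match wins. Returns (local user name, local domain name) or None.
    Assumption: "any_one_of" entries filter but do not occupy a {n} slot."""
    for rule in rules:
        matched = []
        for remote in rule["remote"]:
            values = attrs.get(remote["type"])
            if not values:
                break  # attribute absent: this rule cannot match
            if "any_one_of" in remote:
                if not set(values) & set(remote["any_one_of"]):
                    break
                continue
            matched.append(values[0])
        else:
            user_spec = next(item["user"] for item in rule["local"] if "user" in item)
            return (user_spec["name"].format(*matched),
                    user_spec["domain"]["name"].format(*matched))
    return None


# Mapping the SP could write when only openstack_user is available.
RULES_USER_ONLY = [{
    "local": [{"user": {"name": "{0}", "domain": {"name": "Federated"}}}],
    "remote": [{"type": "openstack_user"}],
}]

# Mapping that uses the attribute added by the fix.
RULES_USER_AND_DOMAIN = [{
    "local": [{"user": {"name": "{0}", "domain": {"name": "{1}"}}}],
    "remote": [{"type": "openstack_user"}, {"type": "openstack_user_domain"}],
}]

# Mapping that admits only "Domain X" users (Dolph's "mapping side" idea).
RULES_DOMAIN_X_ONLY = [{
    "local": [{"user": {"name": "{0}", "domain": {"name": "Domain X"}}}],
    "remote": [{"type": "openstack_user"},
               {"type": "openstack_user_domain", "any_one_of": ["Domain X"]}],
}]


def map_both(emit_domain, rules):
    """Map "User A"@"Domain X" and "User A"@"Domain Y" with the given rules."""
    a = apply_mapping(rules, extract_attributes(idp_assertion("User A", "Domain X", emit_domain)))
    b = apply_mapping(rules, extract_attributes(idp_assertion("User A", "Domain Y", emit_domain)))
    return a, b


if __name__ == "__main__":
    print("pre-fix, user only:       ", map_both(False, RULES_USER_ONLY))
    print("pre-fix, domain filter:   ", map_both(False, RULES_DOMAIN_X_ONLY))
    print("post-fix, user+domain:    ", map_both(True, RULES_USER_AND_DOMAIN))
    print("post-fix, domain filter:  ", map_both(True, RULES_DOMAIN_X_ONLY))
```

Without the domain attribute the two assertions are byte-for-byte identical, so both users collapse onto the same local identity, and a rule that tries to filter on openstack_user_domain matches nobody because the attribute is simply absent; no rewrite of the rules can recover information the assertion does not carry. Once the IdP emits openstack_user_domain, the same rule shapes separate the two users and the domain filter admits only the intended one.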
Guang Yee (guang-yee) wrote :

If we can't guarantee username is unique for a given IdP, that means audit trail and non-repudiation are likely broken as well. Though on the SP side, an IdP is effectively mapped into a domain, as the domain owns the user group.

A good side-effect from the above change would be the ability to set up a single mapping for multiple domains. :)

information type: Public → Public Security
Jeremy Stanley (fungi) wrote :

Rodrigo: What was the reason for switching this bug to a security vulnerability? If you simply want to indicate that it has security implications but is not thought to be an exploitable condition, then it should remain a normal public bug and instead you can add a "security" tag.

Rodrigo Duarte (rodrigodsousa) wrote :

Ok, thanks for clarifying the difference! Will add the security tag.

information type: Public Security → Public
tags: added: security
Rodrigo Duarte (rodrigodsousa) wrote :

Created a spec for this new attribute: https://review.openstack.org/#/c/174462/

Changed in keystone:
assignee: Rodrigo Duarte (rodrigodsousa) → Marek Denis (marek-denis)
Brant Knudson (blk-u) on 2015-04-30
tags: added: kilo-backport-potential
Changed in keystone:
assignee: Marek Denis (marek-denis) → Rodrigo Duarte (rodrigodsousa)

Reviewed: https://review.openstack.org/172562
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=ae2d7075ff58e426e324e2eac57c852ffd4bc804
Submitter: Jenkins
Branch: master

commit ae2d7075ff58e426e324e2eac57c852ffd4bc804
Author: Rodrigo Duarte Sousa <email address hidden>
Date: Fri Apr 10 17:27:12 2015 -0300

    Add openstack_user_domain to assertion

    Currently, a keystone IdP does not provide the domain of the user
    when generating SAML assertions. Since it is possible to have two
    users with the same username but in different domains, this patch
    adds an additional attribute called "openstack_user_domain"
    in the assertion to identify the domain of the user.

    Closes-Bug: 1442787
    bp assertion-extra-attributes

    Change-Id: I65d5c02c0a21f4d4c1b54f8aa56e27950d20badd

Changed in keystone:
status: In Progress → Fix Committed
Changed in keystone:
milestone: none → liberty-1
status: Fix Committed → Fix Released

Reviewed: https://review.openstack.org/181007
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e9aa2673928c265f6592334e737c2bbafeb0026b
Submitter: Jenkins
Branch: stable/kilo

commit e9aa2673928c265f6592334e737c2bbafeb0026b
Author: Rodrigo Duarte Sousa <email address hidden>
Date: Fri Apr 10 17:27:12 2015 -0300

    Add openstack_user_domain to assertion

    Currently, a keystone IdP does not provide the domain of the user
    when generating SAML assertions. Since it is possible to have two
    users with the same username but in different domains, this patch
    adds an additional attribute called "openstack_user_domain"
    in the assertion to identify the domain of the user.

    Closes-Bug: 1442787
    bp assertion-extra-attributes

    Change-Id: I65d5c02c0a21f4d4c1b54f8aa56e27950d20badd
    (cherry picked from commit ae2d7075ff58e426e324e2eac57c852ffd4bc804)

tags: added: in-stable-kilo
Thierry Carrez (ttx) on 2015-10-15
Changed in keystone:
milestone: liberty-1 → 8.0.0