Keystone IdP SAML metadata insufficient for websso flow

Bug #1470205 reported by Miguel Grinberg on 2015-06-30
Affects: OpenStack Identity (keystone)
Importance: Wishlist
Assigned to: Unassigned

Bug Description

The metadata generated by Keystone IdP includes a binding of type URI. From https://github.com/openstack/keystone/blame/8bb63620b4d9ec71b0a60ed705938103d7d3c2c2/keystone/contrib/federation/idp.py#L490:

        def single_sign_on_service():
            idp_sso_endpoint = CONF.saml.idp_sso_endpoint
            return md.SingleSignOnService(
                binding=saml2.BINDING_URI,
                location=idp_sso_endpoint)

Looking at the Shibboleth SessionInitiator code, this is not a valid binding for a default websso configuration. The accepted bindings are defined at https://github.com/craigpg/shibboleth-sp2/blob/f62a7996e195a9c026f3f8cb0e9086594b7f8515/shibsp/handler/impl/SAML2SessionInitiator.cpp#L164-L165:

            // No override, so we'll install a default binding precedence.
            string prec = string(samlconstants::SAML20_BINDING_HTTP_REDIRECT) + ' ' + samlconstants::SAML20_BINDING_HTTP_POST + ' ' +
                samlconstants::SAML20_BINDING_HTTP_POST_SIMPLESIGN + ' ' + samlconstants::SAML20_BINDING_HTTP_ARTIFACT;

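The mismatch described in the report can be checked mechanically: parse the IdP metadata, collect the SingleSignOnService bindings it advertises, and walk the SP's default binding precedence (the four bindings quoted from SAML2SessionInitiator.cpp above) to see whether any of them is offered. The following is an added example, not keystone or Shibboleth code; the metadata documents are constructed in the script and the entityID and endpoint URL are placeholders.

```python
"""Check whether an IdP's SingleSignOnService bindings can drive a browser
(WebSSO) flow at a Shibboleth-style SP.  Added example; metadata is constructed."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Binding identifiers from the SAML 2.0 Bindings specification.
BINDING_URI = "urn:oasis:names:tc:SAML:2.0:bindings:URI"
BINDING_HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
BINDING_HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_HTTP_POST_SIMPLESIGN = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
BINDING_HTTP_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

# Default SessionInitiator precedence quoted in the report: the SP tries these
# in order and ignores any other binding the IdP advertises.
WEBSSO_BINDING_PRECEDENCE = [
    BINDING_HTTP_REDIRECT,
    BINDING_HTTP_POST,
    BINDING_HTTP_POST_SIMPLESIGN,
    BINDING_HTTP_ARTIFACT,
]


def sso_endpoints(metadata_xml):
    """Return (binding, location) for every SingleSignOnService in the metadata."""
    root = ET.fromstring(metadata_xml)
    tag = "{%s}SingleSignOnService" % MD_NS
    return [(e.get("Binding"), e.get("Location")) for e in root.iter(tag)]


def select_websso_endpoint(metadata_xml):
    """Mimic the SP's choice: the first binding in precedence order that the IdP
    offers, or None when nothing usable for WebSSO is advertised."""
    offered = dict(sso_endpoints(metadata_xml))
    for binding in WEBSSO_BINDING_PRECEDENCE:
        if binding in offered:
            return binding, offered[binding]
    return None


def metadata_with_bindings(bindings, location="https://idp.example.test/sso"):
    """Build a minimal IdP EntityDescriptor advertising the given bindings.
    entityID and location are placeholders, not values from any real deployment."""
    services = "".join(
        '<md:SingleSignOnService Binding="%s" Location="%s"/>' % (b, location)
        for b in bindings)
    return (
        '<md:EntityDescriptor xmlns:md="%s" entityID="https://idp.example.test/">'
        '<md:IDPSSODescriptor protocolSupportEnumeration='
        '"urn:oasis:names:tc:SAML:2.0:protocol">'
        '%s</md:IDPSSODescriptor></md:EntityDescriptor>' % (MD_NS, services))


# Metadata shaped like the keystone output quoted in the report: URI binding only.
KEYSTONE_STYLE_METADATA = metadata_with_bindings([BINDING_URI])
# Metadata an IdP intended for browser SSO would typically advertise.
WEBSSO_METADATA = metadata_with_bindings([BINDING_HTTP_REDIRECT, BINDING_HTTP_POST])

if __name__ == "__main__":
    for name, md in [("keystone-style", KEYSTONE_STYLE_METADATA),
                     ("websso", WEBSSO_METADATA)]:
        print(name, "->", select_websso_endpoint(md))
```

Running the script prints None for the URI-only metadata and the HTTP-Redirect endpoint for the second document, which is the difference the report describes: an SP following the quoted precedence list never selects a URI-binding endpoint, so the session initiator has nowhere to send the browser.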
Marek Denis (marek-denis) wrote:

Since we don't support K2K with websso workflow it's not a bug, but definitely worth having it here so we can track this.

Changed in keystone:
assignee: nobody → Marek Denis (marek-denis)
importance: Undecided → Wishlist
milestone: none → next
Rodrigo Duarte (rodrigodsousa) wrote:

@Marek: ++

This should be tracked if we want to implement fully enabled SAML IdP in Keystone.

Dolph Mathews (dolph) on 2015-07-09
tags: added: federation
Changed in keystone:
status: New → Triaged
Changed in keystone:
milestone: next → none
Steve Martinelli (stevemar) wrote:

unassigning due to inactivity

Changed in keystone:
assignee: Marek Denis (marek-denis) → nobody