Keystone IdP SAML metadata insufficient for websso flow

Bug #1470205 reported by Miguel Grinberg on 2015-06-30
Affects: OpenStack Identity (keystone)

Bug Description

The metadata generated by Keystone IdP includes a binding of type URI. From

        def single_sign_on_service():
            idp_sso_endpoint = CONF.saml.idp_sso_endpoint
            # The advertised binding is the SAML URI binding, not one of the
            # HTTP bindings an SP session initiator expects for websso.
            return md.SingleSignOnService(
                binding=saml.BINDING_URI,
                location=idp_sso_endpoint)

Looking at the Shibboleth SessionInitiator code, this is not a valid binding for a default websso configuration. The accepted bindings are defined at

            // No override, so we'll install a default binding precedence.
            string prec = string(samlconstants::SAML20_BINDING_HTTP_REDIRECT) + ' ' + samlconstants::SAML20_BINDING_HTTP_POST + ' ' +
                samlconstants::SAML20_BINDING_HTTP_POST_SIMPLESIGN + ' ' + samlconstants::SAML20_BINDING_HTTP_ARTIFACT;
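
An added check (example code, not keystone's or Shibboleth's own) that parses IdP metadata and reports whether any advertised SingleSignOnService binding is in the default Shibboleth precedence list quoted above; the metadata document, host and paths below are constructed for the example.

```python
# Added example, not keystone or Shibboleth code: does an IdP's SAML metadata
# advertise a SingleSignOnService binding that a default Shibboleth SP
# websso session initiator will actually select?
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Default binding precedence from the Shibboleth SessionInitiator quoted above.
SHIB_DEFAULT_SSO_BINDINGS = (
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact",
)

# Constructed sample (host and paths invented): the shape keystone's
# saml.BINDING_URI produces, a single URI-binding SSO endpoint.
KEYSTONE_STYLE_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml2/idp">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI"
        Location="https://idp.example.test/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def sso_bindings(metadata_xml):
    """Return the Binding attribute of every SingleSignOnService element."""
    root = ET.fromstring(metadata_xml.strip())
    return [el.get("Binding")
            for el in root.iter("{%s}SingleSignOnService" % MD_NS)]


def websso_usable_bindings(metadata_xml):
    """Bindings a default Shibboleth SP would consider, in its precedence order."""
    advertised = set(sso_bindings(metadata_xml))
    return [b for b in SHIB_DEFAULT_SSO_BINDINGS if b in advertised]


def check_idp_metadata(metadata_xml):
    """Verdict string; an empty usable list means websso cannot be initiated."""
    usable = websso_usable_bindings(metadata_xml)
    if usable:
        return "OK: SP would use %s" % usable[0]
    return ("NOT USABLE for websso: advertised only %s"
            % ", ".join(sso_bindings(metadata_xml)))


if __name__ == "__main__":
    print(check_idp_metadata(KEYSTONE_STYLE_METADATA))
```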

Marek Denis (marek-denis) wrote :

Since we don't support K2K with the websso workflow it's not a bug, but definitely worth having it here so we can track this.

Changed in keystone:
assignee: nobody → Marek Denis (marek-denis)
importance: Undecided → Wishlist
milestone: none → next
Rodrigo Duarte (rodrigodsousa) wrote :

@Marek: ++

This should be tracked if we want to implement a fully enabled SAML IdP in Keystone.

Dolph Mathews (dolph) on 2015-07-09
tags: added: federation
Changed in keystone:
status: New → Triaged
Changed in keystone:
milestone: next → none
Steve Martinelli (stevemar) wrote :

unassigning due to inactivity

Changed in keystone:
assignee: Marek Denis (marek-denis) → nobody