OpenStack Identity (keystone)

Keystone IdP SAML metadata insufficient for websso flow

Bug #1470205 reported by Miguel Grinberg on 2015-06-30

This bug affects 1 person

Affects

Status

Importance

Assigned to

Milestone

OpenStack Identity (keystone)

Triaged

Wishlist

Unassigned

You need to log in to change this bug's status.

Affecting:	OpenStack Identity (keystone)
Filed here by:	Miguel Grinberg
When:	2015-06-30
Confirmed:	2015-07-09

Target

Distribution
Package	(Find…)
Project	(Find…)

Status	Importance
	Wishlist

Assigned to

	Nobody
	Me

Comment on this change (optional)

Email me about changes to this bug report

(?)

Bug Description

The metadata generated by Keystone IdP includes a binding of type URI. From https://github.com/openstack/keystone/blame/8bb63620b4d9ec71b0a60ed705938103d7d3c2c2/keystone/contrib/federation/idp.py#L490:

        def single_sign_on_service():
            idp_sso_endpoint = CONF.saml.idp_sso_endpoint
            return md.SingleSignOnService(
                binding=saml2.BINDING_URI,
                location=idp_sso_endpoint)

Looking at the Shibboleth SessionInitiator code, this is not a valid binding for a default websso configuration. The accepted bindings are defined at https://github.com/craigpg/shibboleth-sp2/blob/f62a7996e195a9c026f3f8cb0e9086594b7f8515/shibsp/handler/impl/SAML2SessionInitiator.cpp#L164-L165:

            // No override, so we'll install a default binding precedence.
            string prec = string(samlconstants::SAML20_BINDING_HTTP_REDIRECT) + ' ' + samlconstants::SAML20_BINDING_HTTP_POST + ' ' +
                samlconstants::SAML20_BINDING_HTTP_POST_SIMPLESIGN + ' ' + samlconstants::SAML20_BINDING_HTTP_ARTIFACT;

Tags: Edit Tag help

Marek Denis (marek-denis) wrote on 2015-06-30:

Since we don't suppor K2K with websso workflow it's not a bug, but definitely worth having it here so we can track this.

Changed in keystone:
assignee:	nobody → Marek Denis (marek-denis)
importance:	Undecided → Wishlist
milestone:	none → next

Rodrigo Duarte (rodrigodsousa) wrote on 2015-06-30:

@Marek: ++

This should be tracked if we want to implement fully enabled SAML IdP in Keystone.

Dolph Mathews (dolph) on 2015-07-09

tags:	added: federation
Changed in keystone:
status:	New → Triaged

Steve Martinelli (stevemar) on 2015-11-30

Changed in keystone:
milestone:	next → none

Steve Martinelli (stevemar) wrote on 2016-08-01:

unassigning due to inactivity

Changed in keystone:
assignee:	Marek Denis (marek-denis) → nobody

Report a bug

This report contains Public information Edit

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers