Keystone IdP SAML metadata insufficient for websso flow

Bug #1470205 reported by Miguel Grinberg
Affects: OpenStack Identity (keystone)
Status: Triaged
Importance: Wishlist
Assigned to: Unassigned
Milestone: none

Bug Description

The metadata generated by Keystone IdP includes a binding of type URI. From https://github.com/openstack/keystone/blame/8bb63620b4d9ec71b0a60ed705938103d7d3c2c2/keystone/contrib/federation/idp.py#L490:

        def single_sign_on_service():
            idp_sso_endpoint = CONF.saml.idp_sso_endpoint
            return md.SingleSignOnService(
                binding=saml2.BINDING_URI,
                location=idp_sso_endpoint)

Looking at the Shibboleth SessionInitiator code, this is not a valid binding for a default websso configuration. The accepted bindings are defined at https://github.com/craigpg/shibboleth-sp2/blob/f62a7996e195a9c026f3f8cb0e9086594b7f8515/shibsp/handler/impl/SAML2SessionInitiator.cpp#L164-L165:

            // No override, so we'll install a default binding precedence.
            string prec = string(samlconstants::SAML20_BINDING_HTTP_REDIRECT) + ' ' + samlconstants::SAML20_BINDING_HTTP_POST + ' ' +
                samlconstants::SAML20_BINDING_HTTP_POST_SIMPLESIGN + ' ' + samlconstants::SAML20_BINDING_HTTP_ARTIFACT;

Tags: federation
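The report boils down to a negotiation failure: the SP walks its binding precedence list and takes the first binding the IdP metadata offers, so metadata that advertises only the URI binding leaves it with nothing to use. The following check, added here as an example and not code from Keystone, pysaml2 or Shibboleth, parses IdP metadata the way that negotiation does and reports which endpoint (if any) a websso SP with Shibboleth's default precedence could start from. The binding URIs are the standard SAML 2.0 values that saml2.BINDING_URI and the samlconstants::SAML20_BINDING_* constants resolve to; the metadata documents, entity ID and endpoint URL are constructed placeholders.

```python
"""Check whether SAML IdP metadata advertises an SSO binding a websso SP can use.

Added example, not Keystone or Shibboleth code. The binding URIs are the
standard SAML 2.0 values behind pysaml2's saml2.BINDING_URI and Shibboleth's
samlconstants::SAML20_BINDING_*; the metadata documents below are constructed.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SSO_TAG = "{%s}SingleSignOnService" % MD_NS

# pysaml2 saml2.BINDING_URI: the only binding the Keystone IdP metadata advertised.
BINDING_URI = "urn:oasis:names:tc:SAML:2.0:bindings:URI"

# Shibboleth SP default precedence (SAML2SessionInitiator.cpp), most preferred first.
SHIB_DEFAULT_PRECEDENCE = (
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact",
)


def sso_endpoints(metadata_xml):
    """Return [(binding, location), ...] for every SingleSignOnService element."""
    root = ET.fromstring(metadata_xml)
    return [(e.get("Binding"), e.get("Location")) for e in root.iter(SSO_TAG)]


def select_sso_endpoint(metadata_xml, precedence=SHIB_DEFAULT_PRECEDENCE):
    """Pick the endpoint an SP with the given binding precedence would use.

    Walks the SP's precedence list and returns the first (binding, location)
    the IdP offers. None means the SP cannot start a websso flow against this
    IdP, which is exactly the failure for metadata carrying only the URI binding.
    """
    offered = dict(sso_endpoints(metadata_xml))
    for binding in precedence:
        if binding in offered:
            return binding, offered[binding]
    return None


def metadata_with_bindings(entity_id, bindings, location):
    """Constructed IdP metadata advertising one SingleSignOnService per binding."""
    services = "".join(
        '<md:SingleSignOnService Binding="{}" Location="{}"/>'.format(b, location)
        for b in bindings
    )
    template = (
        '<md:EntityDescriptor xmlns:md="{ns}" entityID="{eid}">'
        '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        "{services}</md:IDPSSODescriptor></md:EntityDescriptor>"
    )
    return template.format(ns=MD_NS, eid=entity_id, services=services)


# Constructed sample documents: placeholder entity ID and endpoint, not real hosts.
ENTITY_ID = "https://idp.example.test/saml2/idp"
SSO_URL = "https://idp.example.test/saml2/sso"
URI_ONLY_METADATA = metadata_with_bindings(ENTITY_ID, [BINDING_URI], SSO_URL)
HTTP_BINDINGS_METADATA = metadata_with_bindings(
    ENTITY_ID,
    [BINDING_URI, SHIB_DEFAULT_PRECEDENCE[0], SHIB_DEFAULT_PRECEDENCE[1]],
    SSO_URL,
)

if __name__ == "__main__":
    for name, doc in (("URI only", URI_ONLY_METADATA), ("with HTTP bindings", HTTP_BINDINGS_METADATA)):
        print(name, "->", select_sso_endpoint(doc))
```

Running it prints None for the URI-only document and the HTTP-Redirect endpoint for the second, which is the behaviour an SP operator would want to confirm before pointing a SessionInitiator at an IdP: if this check returns None for the metadata an IdP publishes, the websso flow will fail at the SP before any request is sent.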
Marek Denis (marek-denis) wrote :

Since we don't support K2K with the websso workflow, it's not a bug, but it's definitely worth having it here so we can track this.

Changed in keystone:
assignee: nobody → Marek Denis (marek-denis)
importance: Undecided → Wishlist
milestone: none → next
Rodrigo Duarte (rodrigodsousa) wrote :

@Marek: ++

This should be tracked if we want to implement a fully enabled SAML IdP in Keystone.

Dolph Mathews (dolph)
tags: added: federation
Changed in keystone:
status: New → Triaged
Changed in keystone:
milestone: next → none
Steve Martinelli (stevemar) wrote :

unassigning due to inactivity

Changed in keystone:
assignee: Marek Denis (marek-denis) → nobody