Comment 4 for bug 1472060

Jamie Lennox (jamielennox) wrote :

So you're saying that remote_id is correct and that we should never have bothered with identity_provider/{id}/protocol/{id}? Just have one entry point for protocol and look up the IdP from within there?

IdP name is random, but what I'm saying is you already provide options when you do WEBSSO_CHOICES in Horizon. That this could have easily included a link to the websso address to use for that specific provider, for example:

WEBSSO_CHOICES = (
    (_("Corporate Identity"), "https://path/to/keystone/identity_provider/ABCD/protocol/saml2/websso"),
    (_("Google"), "https://path/to/keystone/identity_provider/EFGH/protocol/saml2/websso"),
)

As you provide additional SAML sources you continue to provide the links to their websso specific URLs.

Note: you wouldn't have to use the whole URL like that, as Horizon only needs to know how to talk to Keystone, so you would just need to provide the idp_id and the protocol.

Can you explain how you could provide incorrect assertions to different IdPs? When you set up an IdP in httpd you have to link to a copy of the metadata for that IdP, which includes the signature of the IdP that will have signed the assertions. If you provide a different assertion to another IdP then the signature validation will fail.
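The Horizon-side mapping the comment proposes, written out as an added illustration (not code from Horizon, Keystone or the commenter): it assumes Horizon's (value, label) tuple shape for WEBSSO_CHOICES, Keystone's /v3/OS-FEDERATION/identity_providers/{idp}/protocols/{protocol}/websso route, and a constructed IdP registry, and it refuses any choice that is not in that registry so a tampered form value cannot redirect the user to an unregistered IdP.

```python
from urllib.parse import quote

# Constructed registry of federated IdPs as an operator might keep it
# (the idp ids and labels are made up for this example).
IDP_REGISTRY = {
    "ABCD": {"label": "Corporate Identity", "protocol": "saml2"},
    "EFGH": {"label": "Google", "protocol": "saml2"},
}


def websso_url(keystone_base, idp_id, protocol):
    """Keystone's IdP-specific websso entry point for one (idp, protocol) pair."""
    # Only plain identifiers may be spliced into the redirect target: a
    # '..' or '/' coming from the login form must never reach the URL.
    for part in (idp_id, protocol):
        if not part.replace("-", "").replace("_", "").isalnum():
            raise ValueError("invalid federation id: %r" % part)
    return "%s/v3/OS-FEDERATION/identity_providers/%s/protocols/%s/websso" % (
        keystone_base.rstrip("/"), quote(idp_id, safe=""), quote(protocol, safe=""))


def build_websso_choices(registry):
    """Build Horizon-style WEBSSO_CHOICES: (value, label) pairs, one per IdP,
    after the local-credentials entry Horizon always offers."""
    choices = [("credentials", "Keystone Credentials")]
    for idp_id, idp in sorted(registry.items()):
        choices.append(("%s:%s" % (idp_id, idp["protocol"]), idp["label"]))
    return tuple(choices)


def resolve_choice(keystone_base, registry, choice):
    """Map the value picked on the login form back to a Keystone websso URL,
    or None for plain username/password login; unknown values are rejected."""
    if choice == "credentials":
        return None
    idp_id, _, protocol = choice.partition(":")
    idp = registry.get(idp_id)
    if idp is None or idp["protocol"] != protocol:
        raise ValueError("unknown websso choice: %r" % choice)
    return websso_url(keystone_base, idp_id, protocol)
```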