So you're saying that remote_id is correct and that we should never have bothered with identity_provider/{id}/protocol/{id}? Just have one entry point for protocol and look up the IdP from within there?
IdP name is random, but what I'm saying is you already provide options when you do WEBSSO_CHOICES in horizon. This could easily have included a link to the websso address to use for that specific provider, for example:

    WEBSSO_CHOICES = (
        (_("Corporate Identity"), "https://path/to/keystone/identity_provider/ABCD/protocol/saml2/websso"),
        (_("Google"), "https://path/to/keystone/identity_provider/EFGH/protocol/saml2/websso"),
    )
As you provide additional SAML sources you continue to provide the links to their websso-specific URLs.

Note: you wouldn't have to use the whole URL like that, as horizon only needs to know how to talk to keystone, so you would just need to provide the idp_id and the protocol.

Can you explain how you could provide incorrect assertions to different IdPs? When you set up an IdP in httpd you have to link to a copy of the metadata for that IdP, which includes the signature of the IdP that will have signed the assertions. If you provide a different assertion to another IdP then the signature validation will fail.
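The note above suggests horizon only needs an idp_id and a protocol per choice rather than a full URL. The following is an added illustration of that idea, not code from the thread or from horizon/keystone: a constructed choice table keyed by a short name, a builder that derives the per-IdP websso URL from the two ids, and a check that rejects ids which are not plain path segments (so a misconfigured or user-influenced value cannot point the browser at a different endpoint). The path shape copies the example in the message; the keystone base URL and the table contents are assumptions.

```python
import re

# Constructed example of a horizon-style choice table (not the project's own
# setting): a selection key, a display label, and the keystone identity
# provider id plus federation protocol that choice should use.
WEBSSO_IDP_CHOICES = (
    ("corporate", "Corporate Identity", "ABCD", "saml2"),
    ("google", "Google", "EFGH", "saml2"),
)

# Keystone ids are short opaque names. Restricting them to a conservative
# character set guarantees a configured value can never contain '/', '..',
# '?' or '#' and so cannot escape the intended identity_provider/protocol path.
_SEGMENT_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def _checked_segment(value: str, what: str) -> str:
    """Return value unchanged if it is a safe single path segment, else raise."""
    if value in (".", "..") or not _SEGMENT_RE.match(value):
        raise ValueError(f"invalid {what}: {value!r}")
    return value


def websso_url(keystone_base: str, idp_id: str, protocol: str) -> str:
    """Build the per-IdP websso entry point from an idp id and a protocol id.

    The path layout (identity_provider/<id>/protocol/<id>/websso) follows the
    example in the message; the base URL passed in is the caller's assumption.
    """
    idp = _checked_segment(idp_id, "identity provider id")
    proto = _checked_segment(protocol, "protocol id")
    return f"{keystone_base.rstrip('/')}/identity_provider/{idp}/protocol/{proto}/websso"


def url_for_choice(keystone_base: str, choice_key: str) -> str:
    """Resolve a user-selected choice key to its keystone websso URL.

    Only keys present in the configured table are accepted, so a request can
    never select an IdP or protocol that the deployment did not offer.
    """
    for key, _label, idp_id, protocol in WEBSSO_IDP_CHOICES:
        if key == choice_key:
            return websso_url(keystone_base, idp_id, protocol)
    raise KeyError(f"unknown websso choice: {choice_key!r}")


if __name__ == "__main__":
    base = "https://keystone.example/v3"  # assumed base URL
    for key, label, _idp, _proto in WEBSSO_IDP_CHOICES:
        print(f"{label}: {url_for_choice(base, key)}")
```

The selection key is what the browser sends back; the idp_id and protocol stay server-side in the table, so the redirect target is always one the operator configured.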