Scoped OS-FEDERATION token not working
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Invalid | Undecided | Unassigned | |
| Kilo | Won't Fix | Medium | Steve Martinelli | |
Bug Description
I have implemented Keystone Federation scenario with Kilo against a non-Keystone IdP.
Following the flow described at https:/
When I then request a scoped token out of the unscoped token I get a token which differs from the documentation:
The docs say that the user will have groups:

```
"user": {
    "domain": {
        "id": "Federated"
    },
    "id": "username%
    "name": "<email address hidden>",
    "OS-
        "protocol": "SAML",
        "groups": [
            {"id": "abc123"},
            {"id": "bcd234"}
        ]
    }
}
```
while in my implementation I get a user with no groups (in contrast, my unscoped token has the groups in user):

```
"user": {
    "domain": {
        "id": "Federated",
        "name": "Federated"
    },
    "id": "myUser",
    "name": "myUser",
    "OS-FEDERATION": {
        "
            "id": "myIdP"
        },
        "protocol": {"id": "saml2"}
    }
}
```
If I try to use the scoped token I get the error message:

```
# openstack --os-token 3e68789050944e9
ERROR: openstack Unable to find valid groups while using mapping saml_mapping (Disable debug mode to suppress these details.) (HTTP 401) (Request-ID: req-eb23e61c-
```
And this is no surprise if we debug the code for token creation and see that **_handle_

```python
if project_id or domain_id:
    roles = self.v3_
        group_ids, project_id, domain_id, user_id)
    token_
else:
    token_
        'groups': [{'id': x} for x in group_ids]
    })
return token_data
```
So, the only way to get our groups added to the scoped token is to NOT use domain or project scoping, but if we do not scope the token for domain or project then we will simply get yet another unscoped token ;).
What am I missing? How am I supposed to create a scoped token which works?
Thanks in advance!
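The branch quoted in the report, re-implemented as an added example (simplified stand-in, not keystone's own code): the scoped path resolves roles from the mapped group ids and drops the groups from the token, while the unscoped path keeps the groups and assigns no roles. The group-to-role table, `populate_roles_for_groups`, the project id and all identifiers are constructed for illustration.

```python
# Added example, not keystone code: simplified federated token assembly.
# Constructed sample data: roles each mapped group holds on each project.
GROUP_ROLE_ASSIGNMENTS = {
    ("abc123", "project-1"): ["member"],
    ("bcd234", "project-1"): ["reader"],
}
MAPPING_NAME = "saml_mapping"  # constructed, matches the report's mapping name


def populate_roles_for_groups(group_ids, project_id):
    """Stand-in for the role lookup performed on the scoped branch."""
    roles = []
    for gid in group_ids:
        for role in GROUP_ROLE_ASSIGNMENTS.get((gid, project_id), []):
            if role not in roles:
                roles.append(role)
    if not roles:
        # Simplified: no mapped group grants anything on this scope, so the
        # scoped token cannot be authorized (same wording as the HTTP 401).
        raise PermissionError(
            "Unable to find valid groups while using mapping " + MAPPING_NAME)
    return roles


def handle_mapped_tokens(auth_context, project_id=None):
    """Build the token body for a federated user (simplified)."""
    token_data = {
        "user": {
            "id": auth_context["user_id"],
            "name": auth_context["user_id"],
            "domain": {"id": "Federated", "name": "Federated"},
            "OS-FEDERATION": {
                "identity_provider": {"id": auth_context["idp"]},
                "protocol": {"id": auth_context["protocol"]},
            },
        }
    }
    group_ids = auth_context["group_ids"]
    if project_id:
        # Scoped: roles are derived from the groups; groups are not copied.
        roles = populate_roles_for_groups(group_ids, project_id)
        token_data["project"] = {"id": project_id}
        token_data["roles"] = [{"name": r} for r in roles]
    else:
        # Unscoped: carry the groups so a later scoped request can use them.
        token_data["user"]["OS-FEDERATION"]["groups"] = [
            {"id": g} for g in group_ids]
    return token_data


# Constructed auth context, as the mapping engine would hand it over.
AUTH_CONTEXT = {"user_id": "myUser", "idp": "myIdP", "protocol": "saml2",
                "group_ids": ["abc123", "bcd234"]}
```

Calling `handle_mapped_tokens(AUTH_CONTEXT)` yields the groups under `OS-FEDERATION`; passing `project_id="project-1"` yields `roles` and no `groups`, which is the difference the report observes.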
Changed in keystone: milestone: none → mitaka-3
Changed in keystone: status: In Progress → Invalid
Hi Bogdan,
Would you be able to provide any more information about the saml_mapping? How was it created?