Allow setting EndpointReference in ADFSPassword

Bug #1689424 reported by Blake Covarrubias
Affects: keystoneauth
Status: Fix Released
Importance: Undecided
Assigned to: Blake Covarrubias

Bug Description

Allow setting EndpointReference in ADFSPassword

The ADFSPassword plugin currently sets the WS-Policy 'AppliesTo' EndpointReference Address in the WS-Trust RequestSecurityToken message to the value specified in the 'service-provider-endpoint' option.

The WS-Trust specification states that the WS-PolicyAttachment [1] 'AppliesTo' "...element specifies the scope for which this security token is desired" [2]. Therefore, this value is used by ADFS' Security Token Service (STS) to identify the intended Relying Party Trust. STS correspondingly uses the 'AppliesTo' value as the AudienceRestriction (RPID) in the SAML 1.0 assertion. This may not be desirable if the Service Provider's SAML entity ID differs from the WS-Federation Passive Endpoint (i.e. service provider endpoint) consuming the WS-Trust RequestSecurityTokenResponse.

This commit introduces the ability to specify the EndpointReference used in the RequestSecurityToken message via the 'service-provider-entity-id' option. If omitted, the EndpointReference defaults to the value provided in the 'service-provider-endpoint' option to preserve backward compatibility.

[1] https://www.w3.org/Submission/WS-PolicyAttachment/#ExternalAttachmentDeployedEndpoints
[2] http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3-os.html#_Toc162064957
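As an added example (not keystoneauth's own code), the following Python mirrors the fallback described above: the WS-Trust 'AppliesTo' Address is taken from 'service-provider-entity-id' when set and from 'service-provider-endpoint' otherwise, and a constructed stand-in for the ADFS STS copies that address into the SAML 1.0 AudienceRestriction so the audience mismatch the report describes can be observed on the service-provider side. The namespace URIs are the standard WS-Policy, WS-Addressing, WS-Trust 1.3 and SAML 1.0 ones; the sample URLs are constructed.

```python
import xml.etree.ElementTree as ET

# Standard namespace URIs for the elements named in the bug report.
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSA = "http://www.w3.org/2005/08/addressing"
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"


def build_rst(service_provider_endpoint, service_provider_entity_id=None):
    """Minimal wst:RequestSecurityToken. The AppliesTo Address is the entity
    ID when given, otherwise (pre-fix behaviour) the passive endpoint URL."""
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = WST + "/Issue"
    applies_to = ET.SubElement(rst, f"{{{WSP}}}AppliesTo")
    epr = ET.SubElement(applies_to, f"{{{WSA}}}EndpointReference")
    address = ET.SubElement(epr, f"{{{WSA}}}Address")
    address.text = service_provider_entity_id or service_provider_endpoint
    return rst


def rst_applies_to(rst):
    """Read back the scope the STS will treat as the relying party."""
    return rst.findtext(
        f"{{{WSP}}}AppliesTo/{{{WSA}}}EndpointReference/{{{WSA}}}Address")


def simulated_sts_assertion(rst):
    """Constructed stand-in for the ADFS STS: copy the AppliesTo Address into
    the SAML 1.0 AudienceRestrictionCondition, as the report describes."""
    assertion = ET.Element(f"{{{SAML1}}}Assertion")
    conditions = ET.SubElement(assertion, f"{{{SAML1}}}Conditions")
    arc = ET.SubElement(conditions, f"{{{SAML1}}}AudienceRestrictionCondition")
    ET.SubElement(arc, f"{{{SAML1}}}Audience").text = rst_applies_to(rst)
    return ET.tostring(assertion)


def audience_accepted(assertion_xml, sp_entity_id):
    """Service-provider side: accept only assertions scoped to our entity ID."""
    root = ET.fromstring(assertion_xml)
    audiences = {a.text for a in root.iter(f"{{{SAML1}}}Audience")}
    return sp_entity_id in audiences


if __name__ == "__main__":
    endpoint = "https://sp.example.org/Shibboleth.sso/ADFS"  # constructed
    entity_id = "https://sp.example.org/shibboleth"          # constructed
    old = simulated_sts_assertion(build_rst(endpoint))
    new = simulated_sts_assertion(build_rst(endpoint, entity_id))
    print("without entity id:", audience_accepted(old, entity_id))  # False
    print("with entity id:   ", audience_accepted(new, entity_id))  # True
```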

Changed in keystoneauth:
assignee: nobody → Blake Covarrubias (blakegc)
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystoneauth (master)

Fix proposed to branch: master
Review: https://review.openstack.org/463432

Changed in keystoneauth:
status: New → In Progress
summary: - Allow custom EndpointReference in ADFSPassword
+ Allow setting EndpointReference in ADFSPassword
description: updated
Changed in keystoneauth:
assignee: Blake Covarrubias (blakegc) → Samuel de Medeiros Queiroz (samueldmq)
Changed in keystoneauth:
assignee: Samuel de Medeiros Queiroz (samueldmq) → Blake Covarrubias (blakegc)
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystoneauth (master)

Reviewed: https://review.openstack.org/463432
Committed: https://git.openstack.org/cgit/openstack/keystoneauth/commit/?id=4ca1a1f0280ef0e02ac1c4df43834d007264ada3
Submitter: Jenkins
Branch: master

commit 4ca1a1f0280ef0e02ac1c4df43834d007264ada3
Author: Blake Covarrubias <email address hidden>
Date: Sat Apr 29 17:54:20 2017 -0700

    Allow setting EndpointReference in ADFSPassword

    The ADFSPassword plugin currently sets the WS-Policy 'AppliesTo'
    EndpointReference Address in the WS-Trust RequestSecurityToken message
    to the value specified in the 'service-provider-endpoint' option. This
    may not be desirable if the Service Provider's SAML entity ID differs
    from the WS-Federation Passive Endpoint (i.e. service provider endpoint)
    consuming the WS-Trust RequestSecurityTokenResponse.

    This commit introduces the ability to specify the EndpointReference used
    in the RequestSecurityToken message via the 'service-provider-entity-id'
    option. If omitted, the EndpointReference defaults to the value provided
    in the 'service-provider-endpoint' option to preserve backward
    compatibility.

    Change-Id: I842427232db79d628dc29f5a1dcf68e011667dfa
    Closes-Bug: #1689424

Changed in keystoneauth:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystoneauth 2.21.0

This issue was fixed in the openstack/keystoneauth 2.21.0 release.
