2017-05-09 01:40:46 |
Blake Covarrubias |
bug |
|
|
added bug |
2017-05-09 01:41:03 |
Blake Covarrubias |
keystoneauth: assignee |
|
Blake Covarrubias (blakegc) |
|
2017-05-09 01:53:01 |
Blake Covarrubias |
description |
Allow custom EndpointReference in ADFSPassword
The ADFSPassword plugin currently sets the WS-Policy 'AppliesTo' EndpointReference Address in the WS-Trust RequestSecurityToken message to the value 'self.service_provider_endpoint'.
The WS-Trust specification states that the WS-PolicyAttachment [2] 'AppliesTo' "...element specifies the scope for which this security token is desired" [1]. Therefore, this value is used by ADFS' Security Token Service (STS) to identify the intended Relying Party Trust. STS correspondingly uses the 'AppliesTo' value as the AudienceRestriction (RPID) in the SAML 1.0 assertion. This may not be desirable if the WS-Federation Passive Endpoint (i.e. service provider endpoint) consuming the WS-Trust RequestSecurityTokenResponse differs from the Service Provider's SAML entity ID.
This commit introduces the ability to modify the EndpointReference in the RequestSecurityToken message via the 'service_provider_entity_id' variable. If omitted, the value defaults to 'service_provider_endpoint' to preserve backward compatibility.
[1] http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3-os.html#_Toc162064957
[2] https://www.w3.org/Submission/WS-PolicyAttachment/#ExternalAttachmentDeployedEndpoints |
Allow custom EndpointReference in ADFSPassword
The ADFSPassword plugin currently sets the WS-Policy 'AppliesTo' EndpointReference Address in the WS-Trust RequestSecurityToken message to the value 'self.service_provider_endpoint'.
The WS-Trust specification states that the WS-PolicyAttachment [1] 'AppliesTo' "...element specifies the scope for which this security token is desired" [2]. Therefore, this value is used by ADFS' Security Token Service (STS) to identify the intended Relying Party Trust. STS correspondingly uses the 'AppliesTo' value as the AudienceRestriction (RPID) in the SAML 1.0 assertion. This may not be desirable if the WS-Federation Passive Endpoint (i.e. service provider endpoint) consuming the WS-Trust RequestSecurityTokenResponse differs from the Service Provider's SAML entity ID.
This commit introduces the ability to modify the EndpointReference in the RequestSecurityToken message via the 'service_provider_entity_id' variable. If omitted, the value defaults to 'service_provider_endpoint' to preserve backward compatibility.
[1] https://www.w3.org/Submission/WS-PolicyAttachment/#ExternalAttachmentDeployedEndpoints
[2] http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3-os.html#_Toc162064957 |
|
2017-05-09 01:54:55 |
OpenStack Infra |
keystoneauth: status |
New |
In Progress |
|
2017-05-10 01:22:12 |
Blake Covarrubias |
summary |
Allow custom EndpointReference in ADFSPassword |
Allow setting EndpointReference in ADFSPassword |
|
2017-05-10 01:31:07 |
Blake Covarrubias |
description |
Allow custom EndpointReference in ADFSPassword
The ADFSPassword plugin currently sets the WS-Policy 'AppliesTo' EndpointReference Address in the WS-Trust RequestSecurityToken message to the value 'self.service_provider_endpoint'.
The WS-Trust specification states that the WS-PolicyAttachment [1] 'AppliesTo' "...element specifies the scope for which this security token is desired" [2]. Therefore, this value is used by ADFS' Security Token Service (STS) to identify the intended Relying Party Trust. STS correspondingly uses the 'AppliesTo' value as the AudienceRestriction (RPID) in the SAML 1.0 assertion. This may not be desirable if the WS-Federation Passive Endpoint (i.e. service provider endpoint) consuming the WS-Trust RequestSecurityTokenResponse differs from the Service Provider's SAML entity ID.
This commit introduces the ability to modify the EndpointReference in the RequestSecurityToken message via the 'service_provider_entity_id' variable. If omitted, the value defaults to 'service_provider_endpoint' to preserve backward compatibility.
[1] https://www.w3.org/Submission/WS-PolicyAttachment/#ExternalAttachmentDeployedEndpoints
[2] http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3-os.html#_Toc162064957 |
Allow setting EndpointReference in ADFSPassword
The ADFSPassword plugin currently sets the WS-Policy 'AppliesTo' EndpointReference Address in the WS-Trust RequestSecurityToken message to the value specified in the 'service-provider-endpoint' option.
The WS-Trust specification states that the WS-PolicyAttachment [1] 'AppliesTo' "...element specifies the scope for which this security token is desired" [2]. Therefore, this value is used by ADFS' Security Token Service (STS) to identify the intended Relying Party Trust. STS correspondingly uses the 'AppliesTo' value as the AudienceRestriction (RPID) in the SAML 1.0 assertion. This may not be desirable if the Service Provider's SAML entity ID differs from the WS-Federation Passive Endpoint (i.e. service provider endpoint) consuming the WS-Trust RequestSecurityTokenResponse.
This commit introduces the ability to specify the EndpointReference used in the RequestSecurityToken message via the 'service-provider-entity-id' option. If omitted, the EndpointReference defaults to the value provided in the 'service-provider-endpoint' option to preserve backward compatibility.
[1] https://www.w3.org/Submission/WS-PolicyAttachment/#ExternalAttachmentDeployedEndpoints
[2] http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3-os.html#_Toc162064957 |
|
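The following is an added worked example, not keystoneauth code and not part of the bug record above. It builds the 'AppliesTo' EndpointReference of a WS-Trust RequestSecurityToken with the defaulting rule the description specifies (entity ID when given, otherwise the service provider endpoint), and shows the relying-party check that motivates the option: the AudienceRestrictionCondition of the SAML 1.x assertion the STS issues must name the entity ID the client asked for. The function names, the example URLs and the assertion fragment are constructed for illustration; the namespace URIs are the standard WS-Trust 1.3, WS-Policy, WS-Addressing and SAML 1.x ones.

```python
"""Added example (not keystoneauth's own code): build the WS-Trust RST 'AppliesTo'
element with the entity-ID defaulting rule, and verify the audience of the
returned SAML 1.x assertion on the relying-party side."""
import xml.etree.ElementTree as ET

# Standard namespace URIs for WS-Trust 1.3, WS-Policy, WS-Addressing and SAML 1.x.
NS = {
    "trust": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)


def applies_to_address(service_provider_endpoint, service_provider_entity_id=None):
    """Value placed in wsa:Address, following the rule from the bug description:
    use the SAML entity ID when configured, otherwise fall back to the
    WS-Federation passive endpoint (backward-compatible behaviour)."""
    return service_provider_entity_id or service_provider_endpoint


def build_request_security_token(service_provider_endpoint, service_provider_entity_id=None):
    """Return a minimal trust:RequestSecurityToken (bytes) whose
    wsp:AppliesTo/wsa:EndpointReference/wsa:Address carries the chosen scope."""
    rst = ET.Element(f"{{{NS['trust']}}}RequestSecurityToken")
    applies_to = ET.SubElement(rst, f"{{{NS['wsp']}}}AppliesTo")
    epr = ET.SubElement(applies_to, f"{{{NS['wsa']}}}EndpointReference")
    address = ET.SubElement(epr, f"{{{NS['wsa']}}}Address")
    address.text = applies_to_address(service_provider_endpoint, service_provider_entity_id)
    ET.SubElement(rst, f"{{{NS['trust']}}}RequestType").text = NS["trust"] + "/Issue"
    return ET.tostring(rst, encoding="utf-8")


def extract_applies_to(rst_bytes):
    """Read back the wsa:Address under wsp:AppliesTo (None if absent)."""
    root = ET.fromstring(rst_bytes)
    node = root.find("wsp:AppliesTo/wsa:EndpointReference/wsa:Address", NS)
    return node.text if node is not None else None


def audience_matches(assertion_bytes, expected_entity_id):
    """Relying-party check: the issued assertion must carry an
    AudienceRestrictionCondition naming the entity ID we requested in AppliesTo.
    An assertion without any audience, or scoped to a different URI, is rejected."""
    root = ET.fromstring(assertion_bytes)
    audiences = [
        a.text for a in root.findall(".//saml:AudienceRestrictionCondition/saml:Audience", NS)
    ]
    return bool(audiences) and expected_entity_id in audiences


# Constructed sample: a SAML 1.1 assertion as an STS would scope it when AppliesTo
# named the SP entity ID (hypothetical hosts, not real deployments).
CONSTRUCTED_ASSERTION = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  MajorVersion="1" MinorVersion="1" AssertionID="_constructed-example"
  Issuer="https://adfs.example.com/adfs/services/trust">
  <saml:Conditions>
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://keystone.example.com/Shibboleth.sso</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
</saml:Assertion>"""

if __name__ == "__main__":
    endpoint = "https://keystone.example.com/Shibboleth.sso/ADFS"
    entity_id = "https://keystone.example.com/Shibboleth.sso"
    # Default behaviour: AppliesTo is the passive endpoint, which does not match
    # the audience the SP expects, so the assertion would be rejected.
    print(extract_applies_to(build_request_security_token(endpoint)))
    print(audience_matches(CONSTRUCTED_ASSERTION, endpoint))
    # With the entity ID option set, AppliesTo and the audience line up.
    print(extract_applies_to(build_request_security_token(endpoint, entity_id)))
    print(audience_matches(CONSTRUCTED_ASSERTION, entity_id))
```

The two calls to audience_matches show why the option matters: when the endpoint URL and the SP entity ID differ, an STS scoping the token to whatever was in AppliesTo produces an audience the SP cannot accept unless AppliesTo carried the entity ID.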
2017-05-16 17:21:53 |
OpenStack Infra |
keystoneauth: assignee |
Blake Covarrubias (blakegc) |
Samuel de Medeiros Queiroz (samueldmq) |
|
2017-05-16 17:24:34 |
Samuel de Medeiros Queiroz |
keystoneauth: assignee |
Samuel de Medeiros Queiroz (samueldmq) |
Blake Covarrubias (blakegc) |
|
2017-05-16 20:14:42 |
OpenStack Infra |
keystoneauth: status |
In Progress |
Fix Released |
|