SAML protocol must always be called 'saml2'

Bug #1380779 reported by Matthieu Huin
Affects                        Status        Importance  Assigned to  Milestone
OpenStack Identity (keystone)  Fix Released  Medium      Unassigned
python-keystoneclient          Fix Released  Wishlist    Unassigned

Bug Description

In the v3unscopedsaml plugin in python-keystoneclient, the token url is built with "saml2" as the default protocol value. However, this value is a class property and isn't meant to be set at plugin instantiation: https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/contrib/auth/v3/saml2.py#L28

Therefore every auth token url should be of the form http://X.Y.Z.A:5000/v3/OS-FEDERATION/identity_providers/.*?/protocols/saml2/auth in order for the plugin to be usable out of the box.

Short term fix: modify keystone's doc on federation so that administrators always create protocols called 'saml2'. This makes sense anyway, since SAML2 is used to authenticate and authorize the users.

Long term fix: allow the protocol name to be an argument when instantiating the plugin.
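The shape of the problem and of the proposed long-term fix, as an added stand-in example (constructed here, not keystoneclient's own code): the class names, the FEDERATION_AUTH_PATH template and the protocol_is_routable helper are assumptions, and the check at the end shows how a client can notice, before sending anything, that the protocol name baked into its URL is not one the administrator registered for that identity provider.

```python
"""Stand-in for the federation auth-URL construction described in the bug."""
from urllib.parse import quote

# Assumed path template; it matches the URL form quoted in the bug report.
FEDERATION_AUTH_PATH = '/OS-FEDERATION/identity_providers/{idp}/protocols/{proto}/auth'


class ClassLevelProtocolPlugin:
    """Mirrors the reported shape: the protocol name is a class attribute,
    so an instance cannot pick a differently named protocol."""
    PROTOCOL = 'saml2'

    def __init__(self, auth_url, identity_provider):
        self.auth_url = auth_url.rstrip('/')
        self.identity_provider = identity_provider

    def _protocol_name(self):
        return self.PROTOCOL

    def token_url(self):
        # Both path segments are percent-encoded so that an IdP or protocol
        # id containing '/' cannot rewrite the path.
        return self.auth_url + FEDERATION_AUTH_PATH.format(
            idp=quote(self.identity_provider, safe=''),
            proto=quote(self._protocol_name(), safe=''))


class InstanceProtocolPlugin(ClassLevelProtocolPlugin):
    """The long-term fix from the report: the protocol becomes a constructor
    argument that still defaults to 'saml2'."""

    def __init__(self, auth_url, identity_provider, protocol=None):
        super().__init__(auth_url, identity_provider)
        self.protocol = protocol or self.PROTOCOL

    def _protocol_name(self):
        return self.protocol


def protocol_is_routable(plugin, registered_protocols):
    """Return True if the protocol the plugin will put in its URL is one the
    administrator registered for that identity provider (a constructed
    mapping of IdP id -> set of protocol ids, as the short-term fix in the
    report asks admins to maintain)."""
    name = plugin._protocol_name()
    return name in registered_protocols.get(plugin.identity_provider, ())
```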

Matthieu Huin (mhu-s)
Changed in keystone:
assignee: nobody → Matthieu Huin (mhu-s)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/128093

Changed in keystone:
status: New → In Progress
Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Medium
tags: added: federation
tags: added: documentation
Changed in python-keystoneclient:
importance: Undecided → Wishlist
status: New → Triaged
Matthieu Huin (mhu-s)
Changed in python-keystoneclient:
assignee: nobody → Matthieu Huin (mhu-s)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-keystoneclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/128103

Changed in python-keystoneclient:
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (master)

Change abandoned by Matthieu Huin (<email address hidden>) on branch: master
Review: https://review.openstack.org/128093

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on python-keystoneclient (master)

Change abandoned by Jamie Lennox (<email address hidden>) on branch: master
Review: https://review.openstack.org/128103
Reason: This would now be a part of the keystoneclient-federation repo. Feel free to reopen if you still require it.

Revision history for this message
David Stanek (dstanek) wrote :

Unassigning since all of the proposed changes have been abandoned.

Changed in keystone:
assignee: Matthieu Huin (mhu-s) → nobody
Changed in python-keystoneclient:
assignee: Matthieu Huin (mhu-s) → nobody
Changed in keystone:
status: In Progress → Triaged
Changed in python-keystoneclient:
status: In Progress → Triaged
Revision history for this message
Steve Martinelli (stevemar) wrote :

This should be fixed; you can now name a protocol whatever you want and leverage the remote-id-attribute in the HTTP headers to find the right identity provider.

Revision history for this message
Steve Martinelli (stevemar) wrote :

See earlier comment

Changed in python-keystoneclient:
status: Triaged → Fix Released
Changed in keystone:
status: Triaged → Fix Released