websso should compare remote_id_attribute to remote_id of IdP

Bug #1434701 reported by Nathan Kinder
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: High
Assigned to: Nathan Kinder

Bug Description

When using the websso feature in keystone, the identity provider is looked up based on the value of the 'remote_id_attribute' environment variable provided by the SAML assertion (or claim in the case of OpenID Connect). Logic would dictate that the 'remote_id_attribute' value is searched for against the 'remote_id' field in the backend where identity providers are stored. This is not the case. Here is an example from my test environment:

When hitting http://rdo.rdodom.test:5000/v3/auth/OS-FEDERATION/websso/saml2?origin=http%3A//rdo.rdodom.test:

  {"error": {"message": "Could not find Identity Provider: https://ipa.rdodom.test/idp/saml2/metadata", "code": 404, "title": "Not Found"}}

This message contains the value of my 'remote_id_attribute' from the assertion. This value is 'https://ipa.rdodom.test/idp/saml2/metadata'. The identity provider looks like this:

[root@rdo ~(keystone_v3_admin)]$ openstack identity provider show ipsilon
+-------------+--------------------------------------------+
| Field       | Value                                      |
+-------------+--------------------------------------------+
| description | None                                       |
| enabled     | True                                       |
| id          | ipsilon                                    |
| remote_id   | https://ipa.rdodom.test/idp/saml2/metadata |
+-------------+--------------------------------------------+

You can see that the remote_id matches the value that my assertion contains.

My keystone.conf has this:

  remote_id_attribute = MELLON_IDP
  trusted_dashboard = http://rdo.rdodom.test

Keystone is currently looking up the identity provider by trying to match the value from the 'remote_id_attribute' to the 'id' field of the identity provider in keystone. This seems wrong.
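The lookup mismatch described in the report, modelled as an added example (this is not keystone's own code): an in-memory identity provider store shaped like the `openstack identity provider show` output, a buggy lookup that matches the assertion value against `id`, the corrected lookup that matches against `remote_id`, and a small websso handler that first checks the `origin` parameter against `trusted_dashboard` before resolving the provider from the `MELLON_IDP` environment variable. The `enabled` check, the `PermissionError` for an untrusted origin and the request environment are assumptions made for the example.

```python
from urllib.parse import unquote

# Constructed stand-in for keystone's identity provider backend, keyed by
# the IdP 'id' with 'remote_id' as a separate field (as in the
# `openstack identity provider show` output in the report).
IDENTITY_PROVIDERS = {
    "ipsilon": {"id": "ipsilon", "enabled": True,
                "remote_id": "https://ipa.rdodom.test/idp/saml2/metadata"},
}
# Constructed stand-in for the [federation] settings from the report.
CONF = {"remote_id_attribute": "MELLON_IDP",
        "trusted_dashboard": ["http://rdo.rdodom.test"]}
# Constructed request environment as mod_auth_mellon would populate it.
REQUEST_ENV = {"MELLON_IDP": "https://ipa.rdodom.test/idp/saml2/metadata"}


class NotFound(Exception):
    """Mirrors the 404 the reporter hit."""


def find_idp_by_id(value):
    """Buggy behaviour: treats the assertion value as the IdP 'id'."""
    if value not in IDENTITY_PROVIDERS:
        raise NotFound("Could not find Identity Provider: %s" % value)
    return IDENTITY_PROVIDERS[value]


def find_idp_by_remote_id(value):
    """Fixed behaviour: match the assertion value against 'remote_id'."""
    for idp in IDENTITY_PROVIDERS.values():
        if idp["enabled"] and idp["remote_id"] == value:
            return idp
    raise NotFound("Could not find Identity Provider: %s" % value)


def websso_lookup(environ, origin, lookup=find_idp_by_remote_id):
    """Model the two checks a websso request goes through; returns IdP id.

    The 'origin' query parameter must name a trusted dashboard (otherwise
    the token would be posted to an arbitrary site), and the IdP is then
    resolved from the remote_id_attribute variable (here MELLON_IDP) that
    the SAML/OIDC Apache module set on the request.
    """
    if unquote(origin) not in CONF["trusted_dashboard"]:
        raise PermissionError("%s is not a trusted dashboard" % origin)
    remote_id = environ.get(CONF["remote_id_attribute"])
    if remote_id is None:
        raise NotFound("request carried no %s" % CONF["remote_id_attribute"])
    return lookup(remote_id)["id"]
```

Passing `lookup=find_idp_by_id` reproduces the reporter's 404 message for the same request; the default `find_idp_by_remote_id` resolves it to `ipsilon`.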

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/166391

Changed in keystone:
assignee: nobody → Nathan Kinder (nkinder)
status: New → In Progress
Changed in keystone:
importance: Undecided → High
status: In Progress → Confirmed
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/166391
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=09dea7b81f01a3d8078e1d10454a782fbfa1247c
Submitter: Jenkins
Branch: master

commit 09dea7b81f01a3d8078e1d10454a782fbfa1247c
Author: Nathan Kinder <email address hidden>
Date: Fri Mar 20 14:44:29 2015 -0700

    Lookup identity provider by remote_id for websso

    When using the websso feature in keystone, the identity provider is
    looked up based on the value of the 'remote_id_attribute' environment
    variable provided by the SAML assertion (or claim in the case of OpenID
    Connect). Logic would dictate that the 'remote_id_attribute' value is
    searched for against the 'remote_id' field in the backend where identity
    providers are stored. Instead, we are doing the lookup against the 'id'
    field.

    This patch makes the websso code look the identity provider up by the
    remote ID.

    Change-Id: I1dc666782929902a3a4f478baef2b729757b0dc5
    Closes-Bug: 1434701

Changed in keystone:
status: Confirmed → Fix Committed
Changed in keystone:
milestone: none → kilo-rc1
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: kilo-rc1 → 2015.1.0