With today's configuration there is no strict link between a federated assertion issued by a trusted IdP and an IdP configured inside Keystone. Hence, a user has the ability to choose a mapping and possibly get unauthorized access.
Proposed solution: set up an IdP identifier included in an assertion issued by an IdP and validate that both values are equal.
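One way to implement the proposed check, as an added example (not Keystone's own code). The registry, the function and exception names, and the sample identifiers are hypothetical; it also assumes the SAML layer in front of the service exposes the already-verified issuer under the Shibboleth attribute `Shib-Identity-Provider`.

```python
# Constructed registry: each IdP configured in the service is bound to the
# issuer identifier its assertions must carry, plus the mapping it may use.
CONFIGURED_IDPS = {
    "corp-idp": {
        "remote_id": "https://idp.corp.example/saml",
        "mapping": "corp-mapping",
    },
    "partner-idp": {
        "remote_id": "https://idp.partner.example/saml",
        "mapping": "partner-mapping",
    },
}

# Assumption: key under which the front-end SAML module exposes the issuer.
REMOTE_ID_ATTRIBUTE = "Shib-Identity-Provider"


class FederationError(Exception):
    """Raised when an assertion cannot be tied to the requested IdP."""


def select_mapping(requested_idp, assertion):
    """Return the mapping for requested_idp only if the assertion's issuer
    equals the identifier configured for that IdP. Fails closed otherwise."""
    idp = CONFIGURED_IDPS.get(requested_idp)
    if idp is None:
        raise FederationError("unknown identity provider")

    issuer = assertion.get(REMOTE_ID_ATTRIBUTE)
    if not issuer:
        # No issuer in the assertion: there is nothing to compare, so reject.
        raise FederationError("assertion carries no issuer identifier")

    # Exact comparison, no normalisation: any difference is a mismatch.
    if issuer != idp["remote_id"]:
        raise FederationError("assertion issuer does not match requested IdP")

    return idp["mapping"]


if __name__ == "__main__":
    # Constructed assertion attributes, as issued by the partner IdP.
    partner_assertion = {REMOTE_ID_ATTRIBUTE: "https://idp.partner.example/saml"}
    print(select_mapping("partner-idp", partner_assertion))
    try:
        select_mapping("corp-idp", partner_assertion)  # wrong IdP requested
    except FederationError as exc:
        print("rejected:", exc)
```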