Comment 0 for bug 1390124

Marek Denis (marek-denis) wrote :

With today's configuration there is no strict link between a federated assertion issued by a trusted IdP and an IdP configured inside Keystone. Hence, a user has the ability to choose a mapping and possibly get unauthorized access.

Proposed solution: set up an IdP identifier included in an assertion issued by an IdP and validate whether both values are equal.
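A sketch of the check proposed above, added here as an illustration; it is not Keystone's code and not part of the original comment. The `IDPS` table, the `remote_id` field, the `issuer` attribute name and both functions are hypothetical, and the assertion attributes are assumed to come from an already signature-verified assertion.

```python
# Constructed sample data: two IdPs registered in the service, each with its
# own mapping and the identifier its assertions are expected to carry.
IDPS = {
    "partner-a": {"remote_id": "https://idp-a.example.org/saml", "mapping": "map-a"},
    "partner-b": {"remote_id": "https://idp-b.example.org/saml", "mapping": "map-b"},
}

# Constructed sample: attributes of a valid assertion issued by partner-a.
ASSERTION_FROM_A = {"issuer": "https://idp-a.example.org/saml", "user": "alice"}


class IssuerMismatch(Exception):
    """The assertion was not issued by the IdP named in the request."""


def select_mapping_unchecked(idp_id, assertion):
    # Behaviour described in the report: the mapping follows the IdP named in
    # the request, whichever trusted IdP actually issued the assertion.
    return IDPS[idp_id]["mapping"]


def select_mapping_checked(idp_id, assertion, issuer_attr="issuer"):
    # Proposed behaviour: the identifier inside the assertion must equal the
    # identifier configured for the IdP the request names.
    idp = IDPS.get(idp_id)
    if idp is None:
        raise IssuerMismatch("unknown identity provider: %r" % idp_id)
    issuer = assertion.get(issuer_attr)
    # Fail closed when the attribute is missing or empty, and compare the
    # whole string exactly (no prefix or case-insensitive matching).
    if not issuer or issuer != idp["remote_id"]:
        raise IssuerMismatch(
            "assertion issuer %r does not match IdP %r" % (issuer, idp_id))
    return idp["mapping"]


if __name__ == "__main__":
    # Same assertion, request names partner-b instead of partner-a.
    print(select_mapping_unchecked("partner-b", ASSERTION_FROM_A))
    try:
        select_mapping_checked("partner-b", ASSERTION_FROM_A)
    except IssuerMismatch as exc:
        print("rejected:", exc)
    print(select_mapping_checked("partner-a", ASSERTION_FROM_A))
```
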