[openstack-dev] [Keystone] [Horizon] Federated Login

Jamie Lennox jamielennox at redhat.com
Tue Aug 11 00:09:33 UTC 2015



----- Original Message -----
> From: "David Chadwick" <d.w.chadwick at kent.ac.uk>
> To: openstack-dev at lists.openstack.org
> Sent: Tuesday, 11 August, 2015 12:50:21 AM
> Subject: Re: [openstack-dev] [Keystone] [Horizon] Federated Login
> 
> 
> 
> On 10/08/2015 01:53, Jamie Lennox wrote:
> > 
> > 
> > ----- Original Message -----
> >> From: "David Chadwick" <d.w.chadwick at kent.ac.uk> To:
> >> openstack-dev at lists.openstack.org Sent: Sunday, August 9, 2015
> >> 12:29:49 AM Subject: Re: [openstack-dev] [Keystone] [Horizon]
> >> Federated Login
> >> 
> >> Hi Jamie
> >> 
> >> nice presentation, thanks for sharing it. I have forwarded it to
> >> my students working on federation aspects of Horizon.
> >> 
> >> About public federated cloud access, the way you envisage it, i.e.
> >> that every user will have his own tailored (subdomain) URL to the
> >> SP is not how it works in the real world today. SPs typically
> >> provide one URL, which everyone from every IdP uses, so that no
> >> matter which browser you are using, from wherever you are in the
> >> world, you can access the SP (via your IdP). The only thing the
> >> user needs to know, is the name of his IdP, in order to correctly
> >> choose it.
> >> 
> >> So discovery of all available IdPs is needed. You are correct in
> >> saying that Shib supports a separate discovery service (WAYF), but
> >> Horizon can also play this role, by listing the IdPs for the user.
> >> This is the mod that my student is making to Horizon, by adding
> >> type ahead searching.
> > 
> > So my point at the moment is that unless there's something i'm
> > missing in the way shib/mellon discovery works is that horizon can't.
> > Because we forward to a common websso entry point there is no way (i
> > know) for the users selection in horizon to be forwarded to keystone.
> > You would still need a custom "select your idp" discovery page in
> > front of keystone. I'm not sure if this addition is part of your
> > students work, it just hasn't been mentioned yet.
> > 
> >> About your proposed discovery mod, surely this seems to be going in
> >> the wrong direction. A common entry point to Keystone for all IdPs,
> >> as we have now with WebSSO, seems to be preferable to separate
> >> entry points per IdP. Which high street shop has separate doors for
> >> each user? Or have I misunderstood the purpose of your mod?
> > 
> > The purpose of the mod is purely to bypass the need to have a
> > shib/mellon discovery page on /v3/OS-FEDERATION/websso/saml2. This
> > page is currently required to allow a user to select their idp
> > (presumably from the ones supported by keystone) and redirect to that
> > IDPs specific login page.
> 
> There are two functionalities that are required:
> a) Horizon finding the redirection login URL of the IdP chosen by the user
> b) Keystone finding which IdP was used for login.
> 
> The second is already done by Apache telling Keystone in the header field.
> 
> The first is part of the metadata of the IdP, and Keystone should make
> this available to Horizon via an API call. Ideally when Horizon calls
> Keystone for the list of trusted IdPs, then the user friendly name of
> the IdP (to be displayed to the user) and the login page URL should be
> returned. Then Horizon can present the user friendly list to the user,
> get the login URL that matches this, then redirect the user to the IdP
> telling the IdP the common callback URL of Keystone.

So my understanding was that this wasn't possible. Because we want to have keystone be the registered service provider and receive the returned SAML assertions the login redirect must be issued from keystone and not horizon. Is it possible to issue a login request from horizon that returns the response to keystone? This seems dodgy to me but may be possible if all the trust relationships are set up.

In a way this is exactly what my proposal was. A way for horizon to determine a unique websso login page for each idp, just my understanding is that this request must be bounced through keystone.

> > When the response comes back from that
> > login it returns to that websso page and we look at remote_ids to
> > determine which keystone idp is handling the response from that
> > site.
> 
> This seems the more secure way of determining the IdP to me, since
> Apache determines the IdP then tells Keystone via the header field. If
> you rely on the IdP to contact the "right" endpoint, then doesn't this
> allow the IdP to return to a different URL and thereby trick Keystone
> into thinking it was a different IdP?

To me the difference is that if we all return to a common /OS-FEDERATION/websso/saml2 endpoint then apache has to let all SAML responses through for all registered idps and then keystone must determine which is the real idp. By returning to an IDP specific websso route apache can assert that this response may only have come from the provider configured for that idp. This is really a secondary concern. I don't see there being much security difference, just that in this way you offload some additional responsibility for validating a SAML assertion to apache and we remove some (not all) the need for remote_ids.

> regards
> 
> David
> 



More information about the OpenStack-dev mailing list