[openstack-dev] [keystone][tripleo] Federation, mod_mellon, and HA Proxy

John Dennis jdennis at redhat.com
Sat Aug 6 12:44:10 UTC 2016


On 08/05/2016 06:06 PM, Adam Young wrote:
>> Ah...just noticed the redirect is to :5000, not port :13000 which is
>> the HA Proxy port.
>
> OK, this is due to the SAML request:
>
>
> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>                     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>                     ID="_5089011BEBD0F6B82074F67E904F598D"
>                     Version="2.0"
>                     IssueInstant="2016-08-05T21:55:18Z"
>                     Destination="https://identity.ayoung-dell-t1700.test/auth/realms/openstack/protocol/saml"
>                     Consent="urn:oasis:names:tc:SAML:2.0:consent:current-implicit"
>                     ForceAuthn="false"
>                     IsPassive="false"
>                     AssertionConsumerServiceURL="https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse"
>                     >
>     <saml:Issuer>https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/metadata</saml:Issuer>
>     <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
>                         AllowCreate="true"
>                         />
> </samlp:AuthnRequest>
>
>
> My guess is HA proxy is not passing on the proper, and the
> mod_auth_mellon does not know to rewrite it from 5000 to 13000

You can't change the contents of a SAML AuthnRequest; often they are 
signed. Also, the AssertionConsumerServiceURLs and other URLs in SAML 
messages are validated to assure they match the metadata associated with 
the EntityID (issuer). The addresses used inbound and outbound have to be 
correctly handled by the proxy configuration without modifying the 
content of the message being passed on the transport.


-- 
John
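As an added illustration (not part of the thread, and not mod_auth_mellon's or Keystone's own code), this is roughly the consistency check an IdP makes on the request quoted above: the Issuer and AssertionConsumerServiceURL are compared against the SP's registered metadata, so a request that still carries the backend port 5000 is rejected when the metadata registered with the IdP names the HA Proxy port 13000. The SP metadata is constructed for the example, and the AuthnRequest is trimmed to the attributes that matter here.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}

# The AuthnRequest quoted in the thread, trimmed to the attributes checked below.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_5089011BEBD0F6B82074F67E904F598D" Version="2.0"
    IssueInstant="2016-08-05T21:55:18Z"
    Destination="https://identity.ayoung-dell-t1700.test/auth/realms/openstack/protocol/saml"
    AssertionConsumerServiceURL="https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse">
  <saml:Issuer>https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/metadata</saml:Issuer>
</samlp:AuthnRequest>"""

# Constructed SP metadata as the IdP would have it registered; with port=13000 it
# names the external HA Proxy address rather than the backend port 5000.
def sp_metadata(port):
    base = f"https://openstack.ayoung-dell-t1700.test:{port}/v3/mellon"
    return f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="{base}/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="{base}/postResponse" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def validate_authn_request(request_xml, metadata_xml):
    """Return the list of mismatches between the request and the registered SP
    metadata; an empty list means the IdP would accept the request's endpoints."""
    req = ET.fromstring(request_xml)
    md = ET.fromstring(metadata_xml)
    errors = []
    issuer = req.findtext("saml:Issuer", namespaces=NS)
    if issuer != md.get("entityID"):
        errors.append(f"Issuer {issuer!r} is not the registered entityID {md.get('entityID')!r}")
    acs = req.get("AssertionConsumerServiceURL")
    registered = {e.get("Location") for e in md.iterfind(".//md:AssertionConsumerService", NS)}
    if acs not in registered:
        errors.append(f"AssertionConsumerServiceURL {acs!r} not among registered {sorted(registered)}")
    return errors
```

Rewriting the request in the proxy is not an option, since a signature would no longer verify; the fix is for the SP to generate its metadata and requests with the externally visible address in the first place.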


