[openstack-dev] [Keystone] Bug in federation

Adam Young ayoung at redhat.com
Tue Dec 23 17:34:29 UTC 2014

On 12/23/2014 11:34 AM, David Chadwick wrote:
> Hi guys
> we now have the ABFAB federation protocol working with Keystone, using a
> modified mod_auth_kerb plugin for Apache (available from the project
> Moonshot web site). However, we did not change Keystone configuration
> from its original SAML federation configuration, when it was talking to
> SAML IDPs, using mod_shibboleth. Neither did we modify the Keystone code
> (which I believe had to be done for OpenID Connect). We simply replaced
> mod_shibboleth with mod_auth_kerb and talked to a completely different
> IDP with a different protocol. And everything worked just fine.
> Consequently Keystone is broken, since you can configure it to trust a
> particular IDP, talking a particular protocol, but Apache will happily
> talk to another IDP, using a different protocol, and Keystone cannot
> tell the difference and will happily accept the authenticated user.
> Keystone should reject any authenticated user who does not come from the
> trusted IDP talking the correct protocol. Otherwise there is no point in
> configuring Keystone with this information, if it is ignored by Keystone.
The IDP and the Protocol should be passed from HTTPD in env vars. Can 
you confirm/deny that this is the case now?

On the Apache side we are looking to expand the set of variables set.

mod_shib does support Shib-Identity-Provider :


Which should be sufficient: if the user is coming in via mod_shib, they 
are using SAML.

> BTW, we are using the Juno release. We should fix this bug in Kilo.
> As I have been saying for many months, Keystone does not know anything
> about SAML or ABFAB or OpenID Connect protocols, so there is currently
> no point in configuring this information into Keystone. Keystone is only
> aware of environmental parameters coming from Apache. So this is the
> protocol that Keystone recognises. If you want Keystone to try to
> control the federation protocol and IDPs used by Apache, then you will
> need the Apache plugins to pass the name of the IDP and the protocol
> being used as environmental parameters to Keystone, and then Keystone
> can check that the ones that it has been configured to trust are
> actually being used by Apache.
> regards
> David
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
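The check David asks for, as an added illustration that is not Keystone's own code: the federated endpoint is configured for one IdP and one protocol, and the WSGI environment Apache hands over must name exactly that IdP and protocol or the authenticated user is rejected. `Shib-Identity-Provider` is the variable mod_shib really sets; `FEDERATION_PROTOCOL`, the endpoint identifiers, the entity IDs and the sample environments below are all assumptions constructed for the example.

```python
"""Illustrative IdP/protocol check for a federated Keystone endpoint.

Added example, not Keystone code.  It models the check proposed in the
thread: the environment variables the Apache module passes to the WSGI
application must name the IdP and protocol the endpoint was configured
to trust, otherwise the authenticated user is rejected.
"""
from typing import Dict, Mapping, Set, Tuple

# Set by mod_shib for every SAML-authenticated request.
IDP_ENV_VAR = "Shib-Identity-Provider"
# Hypothetical: a variable the Apache module is assumed to set naming the
# federation protocol.  No real module sets exactly this name.
PROTOCOL_ENV_VAR = "FEDERATION_PROTOCOL"


class UntrustedFederation(Exception):
    """Raised when the request did not come via the configured IdP/protocol."""


# Trust configuration: which (idp_id, protocol) endpoints exist and which
# IdP entity IDs may be asserted for each.  Constructed sample values.
TRUST: Dict[Tuple[str, str], Set[str]] = {
    ("idp-shib", "saml2"): {"https://idp.example.org/idp/shibboleth"},
}


def federated_user(environ: Mapping[str, str], idp_id: str, protocol: str,
                   trust: Mapping[Tuple[str, str], Set[str]] = TRUST) -> str:
    """Return REMOTE_USER only if environ proves the configured IdP and protocol.

    Every check fails closed: a missing variable counts as a mismatch,
    because a module that does not set it cannot be the one configured
    for this endpoint.
    """
    if (idp_id, protocol) not in trust:
        raise UntrustedFederation(
            "no federation endpoint configured for %s/%s" % (idp_id, protocol))
    user = environ.get("REMOTE_USER")
    if not user:
        raise UntrustedFederation("no authenticated user in environment")
    asserted_protocol = environ.get(PROTOCOL_ENV_VAR)
    if asserted_protocol != protocol:
        raise UntrustedFederation(
            "protocol %r asserted by Apache, endpoint expects %r"
            % (asserted_protocol, protocol))
    asserted_idp = environ.get(IDP_ENV_VAR)
    if asserted_idp not in trust[(idp_id, protocol)]:
        raise UntrustedFederation(
            "IdP %r is not trusted for endpoint %s" % (asserted_idp, idp_id))
    return user


def try_federated_user(environ: Mapping[str, str], idp_id: str, protocol: str,
                       trust: Mapping[Tuple[str, str], Set[str]] = TRUST
                       ) -> Tuple[bool, str]:
    """Wrapper returning (accepted, user_or_reason) instead of raising."""
    try:
        return True, federated_user(environ, idp_id, protocol, trust)
    except UntrustedFederation as exc:
        return False, str(exc)


# Constructed sample environments, not captured from a real deployment.
SAML_ENV = {
    "REMOTE_USER": "alice@example.org",
    "Shib-Identity-Provider": "https://idp.example.org/idp/shibboleth",
    "FEDERATION_PROTOCOL": "saml2",
}
# What a mod_auth_kerb/ABFAB login would hand over: a user, no Shibboleth vars.
ABFAB_ENV = {
    "REMOTE_USER": "bob@example.org",
    "FEDERATION_PROTOCOL": "abfab",
}
# Right protocol, but an IdP the endpoint was never configured to trust.
ROGUE_IDP_ENV = {
    "REMOTE_USER": "mallory@example.net",
    "Shib-Identity-Provider": "https://idp.example.net/idp/shibboleth",
    "FEDERATION_PROTOCOL": "saml2",
}

if __name__ == "__main__":
    for name, env in (("saml", SAML_ENV), ("abfab", ABFAB_ENV),
                      ("rogue-idp", ROGUE_IDP_ENV)):
        print(name, try_federated_user(env, "idp-shib", "saml2"))
```

With the endpoint configured as `idp-shib`/`saml2`, only `SAML_ENV` is accepted; the ABFAB login is rejected for asserting the wrong protocol and the rogue IdP for an entity ID outside the trust list. The variables compared here are the ones the Apache module writes into the request environment, not client headers: in WSGI a header sent by the client shows up as `HTTP_...`, so a caller cannot forge `Shib-Identity-Provider` by sending it as an HTTP header.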