[openstack-dev] [Keystone] Bug in federation
ayoung at redhat.com
Tue Dec 23 17:34:29 UTC 2014
On 12/23/2014 11:34 AM, David Chadwick wrote:
> Hi guys
> we now have the ABFAB federation protocol working with Keystone, using a
> modified mod_auth_kerb plugin for Apache (available from the project
> Moonshot web site). However, we did not change Keystone configuration
> from its original SAML federation configuration, when it was talking to
> SAML IDPs, using mod_shibboleth. Neither did we modify the Keystone code
> (which I believe had to be done for OpenID connect.) We simply replaced
> mod_shibboleth with mod_auth_kerb and talked to a completely different
> IDP with a different protocol. And everything worked just fine.
> Consequently Keystone is broken, since you can configure it to trust a
> particular IDP, talking a particular protocol, but Apache will happily
> talk to another IDP, using a different protocol, and Keystone cannot
> tell the difference and will happily accept the authenticated user.
> Keystone should reject any authenticated user who does not come from the
> trusted IDP talking the correct protocol. Otherwise there is no point in
> configuring Keystone with this information, if it is ignored by Keystone.
The IDP and the Protocol should be passed from HTTPD in env vars. Can
you confirm/deny that this is the case now?
On the Apache side we are looking to expand the set of variables set.
mod_shib does support Shib-Identity-Provider, which should be
sufficient: if the user is coming in via mod_shib, they are using SAML.
> BTW, we are using the Juno release. We should fix this bug in Kilo.
> As I have been saying for many months, Keystone does not know anything
> about SAML or ABFAB or OpenID Connect protocols, so there is currently
> no point in configuring this information into Keystone. Keystone is only
> aware of environmental parameters coming from Apache. So this is the
> protocol that Keystone recognises. If you want Keystone to try to
> control the federation protocol and IDPs used by Apache, then you will
> need the Apache plugins to pass the name of the IDP and the protocol
> being used as environmental parameters to Keystone, and then Keystone
> can check that the ones that it has been configured to trust are
> actually being used by Apache.
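The check both sides of the thread converge on, as an added illustration that is not Keystone code and not from either author: Apache authenticates the user and hands the result to the service as environment variables; before trusting REMOTE_USER, the service compares the identity provider and protocol Apache reports against the ones it was configured to trust, instead of accepting any authenticated user regardless of which module or IdP produced it. Shib-Identity-Provider and REMOTE_USER are real variable names (the former is mentioned in the thread); the trusted IdP URL, the sample environments and the ABFAB variable name are constructed placeholders, and the way the protocol is inferred from AUTH_TYPE is an assumption of this example.

```python
"""Added example: refuse federated logins from an untrusted IdP or protocol.

Modelled on the Keystone thread: Apache's auth module sets environment
variables, and the service must check the IdP and protocol in those
variables against its configured trust before accepting REMOTE_USER.
"""

# Hypothetical trust configuration: one IdP identifier and the protocol it speaks.
TRUSTED_IDP = "https://idp.example.org/idp/shibboleth"  # constructed value
TRUSTED_PROTOCOL = "saml2"

# Which environment variable carries the IdP identity for each protocol.
# mod_shib populates Shib-Identity-Provider (named in the thread); the
# ABFAB entry is a hypothetical placeholder, not a real variable name.
IDP_ENV_VAR = {
    "saml2": "Shib-Identity-Provider",
    "abfab": "ABFAB_ISSUER_PLACEHOLDER",
}


class FederationTrustError(Exception):
    """Raised when the asserting IdP or protocol is not the configured one."""


def classify_protocol(environ):
    """Infer which kind of Apache module produced the authentication.

    Assumption: mod_shib exports Shib-* variables, while a Kerberos/GSSAPI
    style module (mod_auth_kerb) sets AUTH_TYPE to Negotiate and leaves the
    Shib-* variables absent. No REMOTE_USER means unauthenticated.
    """
    if "REMOTE_USER" not in environ:
        return None
    if "Shib-Identity-Provider" in environ:
        return "saml2"
    if environ.get("AUTH_TYPE", "").lower() == "negotiate":
        return "abfab"
    return "unknown"


def validate_federated_request(environ, trusted_idp=TRUSTED_IDP,
                               trusted_protocol=TRUSTED_PROTOCOL):
    """Return REMOTE_USER only if both the protocol and the IdP are trusted.

    Raises FederationTrustError otherwise, so a caller cannot fall through
    to the "Apache authenticated someone, accept them" behaviour the thread
    describes as the bug.
    """
    protocol = classify_protocol(environ)
    if protocol is None:
        raise FederationTrustError("no authenticated user in environment")
    if protocol != trusted_protocol:
        raise FederationTrustError(
            f"protocol {protocol!r} not trusted, expected {trusted_protocol!r}")
    idp_var = IDP_ENV_VAR.get(protocol)
    idp = environ.get(idp_var) if idp_var else None
    if idp != trusted_idp:
        raise FederationTrustError(
            f"IdP {idp!r} not trusted, expected {trusted_idp!r}")
    return environ["REMOTE_USER"]


# Constructed sample environments, as a WSGI app would see them from Apache.
SAML_ENV = {
    "REMOTE_USER": "alice@example.org",
    "AUTH_TYPE": "shibboleth",
    "Shib-Identity-Provider": TRUSTED_IDP,
}
# Same protocol, but a different IdP asserted the user.
ROGUE_SAML_ENV = dict(SAML_ENV, **{"Shib-Identity-Provider": "https://other.example.net/idp"})
# The ABFAB case from the thread: authenticated by mod_auth_kerb, no Shib-* vars.
ABFAB_ENV = {
    "REMOTE_USER": "alice@example.org",
    "AUTH_TYPE": "Negotiate",
}


def demo():
    """Run the three environments through the check and collect outcomes."""
    results = {}
    for name, env in [("saml", SAML_ENV), ("rogue_saml", ROGUE_SAML_ENV),
                      ("abfab", ABFAB_ENV)]:
        try:
            results[name] = validate_federated_request(env)
        except FederationTrustError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Only the SAML request from the configured IdP yields a user; the ABFAB login is rejected on protocol and the second SAML login on IdP, which is the distinction the thread says Keystone currently cannot make.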