[openstack-dev] [Keystone] Bug in federation

John Dennis jdennis at redhat.com
Wed Dec 24 14:15:34 UTC 2014

Can't this be solved with a couple of environment variables? The two
keys pieces of information needed are:

1) who authenticated the subject?

2) what authentication method was used?

There is already precedence for AUTH_TYPE, it's used in AJP to
initialize the authType property in a Java Servelet. AUTH_TYPE would
cover item 2. Numerous places in Apache already set AUTH_TYPE. Perhaps
there could be a convention that AUTH_TYPE could carry extra qualifying
parameters much like HTTP headers do. The first token would be the
primary mechanism, e.g. saml, negotiate, x509, etc. For authentication
types that support multiple mechanisms (e.g. EAP, SAML, etc.) an extra
parameter would qualify the actual mechanism used. For SAML that
qualifying extra parameter could be the value from AuthnContextClassRef.

Item 1 could be covered by a new environment variable AUTH_AUTHORITY.

If AUTH_TYPE is negotiate (i.e. kerberos) then the AUTH_AUTHORITY would
be the KDC. For SAML it would probably be taken from the
AuthenticatingAuthority element or the IdP entityID.

I'm not sure I see the need for other layers to receive the full SAML
assertion and validate the signature. One has to trust the server you're
running in. It's the same concept as trusting REMOTE_USER.


More information about the OpenStack-dev mailing list