[openstack-dev] [keystone][tripleo] Federation, mod_mellon, and HA Proxy
John Dennis
jdennis at redhat.com
Sat Aug 6 12:44:10 UTC 2016
On 08/05/2016 06:06 PM, Adam Young wrote:
>> Ah...just noticed the redirect is to :5000, not port :13000 which is
>> the HA Proxy port.
>
> OK, this is due to the SAML request:
>
>
> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> ID="_5089011BEBD0F6B82074F67E904F598D"
> Version="2.0"
> IssueInstant="2016-08-05T21:55:18Z"
> Destination="https://identity.ayoung-dell-t1700.test/auth/realms/openstack/protocol/saml"
> Consent="urn:oasis:names:tc:SAML:2.0:consent:current-implicit"
> ForceAuthn="false"
> IsPassive="false"
> AssertionConsumerServiceURL="https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse"
> >
> <saml:Issuer>https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/metadata</saml:Issuer>
> <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
> AllowCreate="true"
> />
> </samlp:AuthnRequest>
>
>
> My guess is HA proxy is not passing on the proper, and the
> mod_auth_mellon does not know to rewrite it from 5000 to 13000
You can't change the contents of a SAML AuthnRequest, often they are
signed. Also, the AssertionConsumerServiceURL's and other URL's in SAML
messages are validated to assure they match the metadata associated with
EntityID (issuer). The addresses used inbound and outbound have to be
correctly handled by the proxy configuration without modifying the
content of the message being passed on the transport.
--
John
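To make the validation John describes concrete, here is an added example (not code from this thread, from mod_auth_mellon or from Keystone) that does what an IdP does before answering an AuthnRequest: look up the Issuer as an entityID in its registered SP metadata and check that the AssertionConsumerServiceURL is one of that entity's registered ACS locations. The AuthnRequest is the one quoted above (signature omitted); the SP metadata documents are constructed for illustration, with the port made a parameter so the 5000/13000 mismatch can be shown directly.

```python
"""Validate a SAML AuthnRequest against registered SP metadata.

Added example, not code from the thread or the projects it discusses.
The metadata below is constructed; the AuthnRequest is the one posted
in the thread, minus the NameIDPolicy and Consent details it does not
need here.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}

# AuthnRequest as emitted by mod_auth_mellon behind the proxy: the SP
# built its endpoint URLs from the backend port (5000), not the HAProxy
# port (13000).
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 ID="_5089011BEBD0F6B82074F67E904F598D" Version="2.0"
 IssueInstant="2016-08-05T21:55:18Z"
 Destination="https://identity.ayoung-dell-t1700.test/auth/realms/openstack/protocol/saml"
 AssertionConsumerServiceURL="https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/postResponse">
 <saml:Issuer>https://openstack.ayoung-dell-t1700.test:5000/v3/mellon/metadata</saml:Issuer>
</samlp:AuthnRequest>"""


def sp_metadata(entity_port, acs_port):
    """Constructed SP metadata as the IdP would hold it after registration.

    entity_port goes into the entityID, acs_port into the ACS Location, so
    both kinds of mismatch can be exercised.
    """
    host = "https://openstack.ayoung-dell-t1700.test"
    return f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 entityID="{host}:{entity_port}/v3/mellon/metadata">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:AssertionConsumerService
   Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="{host}:{acs_port}/v3/mellon/postResponse" index="0"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def validate_authn_request(request_xml, metadata_by_entity_id):
    """Return a list of error strings; empty means the request is acceptable.

    Mirrors the two checks an IdP applies: the Issuer must be a registered
    entityID, and the AssertionConsumerServiceURL must be one of that
    entity's registered ACS locations. Nothing in the request is rewritten.
    """
    req = ET.fromstring(request_xml)
    issuer = req.findtext("saml:Issuer", namespaces=NS)
    acs_url = req.get("AssertionConsumerServiceURL")

    metadata_xml = metadata_by_entity_id.get(issuer)
    if metadata_xml is None:
        return [f"unknown issuer {issuer}"]

    descriptor = ET.fromstring(metadata_xml)
    registered = {
        acs.get("Location")
        for acs in descriptor.iterfind(".//md:AssertionConsumerService", NS)
    }
    if acs_url in registered:
        return []

    # Same host and path but a different port is the proxy symptom from the
    # thread; call it out so the operator knows where to look.
    want = urlsplit(acs_url)
    hints = []
    for loc in sorted(registered):
        have = urlsplit(loc)
        if (have.hostname, have.path) == (want.hostname, want.path) and have.port != want.port:
            hints.append(f"registered port {have.port}, request says {want.port}")
    detail = "; ".join(hints) or "registered: " + ", ".join(sorted(registered))
    return [f"AssertionConsumerServiceURL {acs_url} not registered for {issuer} ({detail})"]


def check(entity_port, acs_port):
    """Validate the posted AuthnRequest against metadata registered with the given ports."""
    metadata_xml = sp_metadata(entity_port, acs_port)
    entity_id = ET.fromstring(metadata_xml).get("entityID")
    return validate_authn_request(AUTHN_REQUEST, {entity_id: metadata_xml})


if __name__ == "__main__":
    for ports in ((5000, 5000), (13000, 13000), (5000, 13000)):
        print(ports, check(*ports) or "ok")
```

The three cases show why a proxy rewrite is the wrong fix: if the IdP holds metadata for the public port 13000, the request's Issuer (port 5000) is simply an unknown entityID; if the entityID matches but the ACS location does not, the response is refused at the second check. Either way the SP has to generate the same URLs the IdP has on file, which, as I understand mod_auth_mellon's URL construction, means httpd behind HAProxy needs a ServerName carrying the public port (with UseCanonicalName On) so the metadata and the AuthnRequest both say 13000, and HAProxy then forwards traffic for that port unchanged.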