Hi guys, we now have the ABFAB federation protocol working with Keystone, using a modified mod_auth_kerb plugin for Apache (available from the project Moonshot web site). However, we did not change Keystone configuration from its original SAML federation configuration, when it was talking to SAML IDPs, using mod_shibboleth. Neither did we modify the Keystone code (which I believe had to be done for OpenID Connect). We simply replaced mod_shibboleth with mod_auth_kerb and talked to a completely different IDP with a different protocol. And everything worked just fine.

Consequently Keystone is broken, since you can configure it to trust a particular IDP, talking a particular protocol, but Apache will happily talk to another IDP, using a different protocol, and Keystone cannot tell the difference and will happily accept the authenticated user. Keystone should reject any authenticated user who does not come from the trusted IDP talking the correct protocol. Otherwise there is no point in configuring Keystone with this information, if it is ignored by Keystone.

BTW, we are using the Juno release. We should fix this bug in Kilo.

As I have been saying for many months, Keystone does not know anything about SAML or ABFAB or OpenID Connect protocols, so there is currently no point in configuring this information into Keystone. Keystone is only aware of environmental parameters coming from Apache. So this is the protocol that Keystone recognises. If you want Keystone to try to control the federation protocol and IDPs used by Apache, then you will need the Apache plugins to pass the name of the IDP and the protocol being used as environmental parameters to Keystone, and then Keystone can check that the ones that it has been configured to trust are actually being used by Apache.

regards

David

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
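The check David describes, modelled as a stand-alone example (this is added illustration, not Keystone's code and not the Moonshot plugin's). It assumes two hypothetical environment variables, FEDERATION_IDP and FEDERATION_PROTOCOL, that the Apache auth module would export next to REMOTE_USER, and a small trusted-IDP table standing in for Keystone's federation configuration. The sample environments are constructed: one mimics a Shibboleth/SAML login, the other an ABFAB login arriving on the same Keystone endpoint.

```python
# Added example: fail-closed check that the IdP and protocol Apache actually
# used match the IdP/protocol Keystone was configured to trust for this endpoint.
# FEDERATION_IDP / FEDERATION_PROTOCOL are hypothetical variable names.

# Stand-in for Keystone's configured identity providers and their protocols.
TRUSTED_IDPS = {
    "acme_idp": {
        "remote_id": "https://idp.acme.example/idp/shibboleth",  # constructed
        "protocols": {"saml2"},
    },
}


class FederationRejected(Exception):
    """Raised when the authenticated user did not come via a trusted IdP/protocol."""


def authenticate_federated(environ, requested_idp, requested_protocol):
    """Return REMOTE_USER only when Apache's reported IdP and protocol match
    the IdP/protocol named in the Keystone federation URL being called.

    requested_idp / requested_protocol come from the request path
    (.../identity_providers/{idp}/protocols/{protocol}/auth)."""
    remote_user = environ.get("REMOTE_USER")
    if not remote_user:
        raise FederationRejected("no authenticated user in environment")

    trusted = TRUSTED_IDPS.get(requested_idp)
    if trusted is None:
        raise FederationRejected("unknown identity provider %r" % requested_idp)
    if requested_protocol not in trusted["protocols"]:
        raise FederationRejected("protocol %r not enabled for %r"
                                 % (requested_protocol, requested_idp))

    # Fail closed: a plugin that does not export these values is treated as
    # untrusted rather than silently accepted (the Juno behaviour in the post).
    reported_idp = environ.get("FEDERATION_IDP")
    reported_protocol = environ.get("FEDERATION_PROTOCOL")
    if reported_idp is None or reported_protocol is None:
        raise FederationRejected("Apache module did not report IdP/protocol")

    if reported_idp != trusted["remote_id"]:
        raise FederationRejected("user came from untrusted IdP %r" % reported_idp)
    if reported_protocol != requested_protocol:
        raise FederationRejected("protocol mismatch: Apache used %r, endpoint is %r"
                                 % (reported_protocol, requested_protocol))
    return remote_user


def is_accepted(environ, requested_idp, requested_protocol):
    """Boolean wrapper around authenticate_federated for callers that only
    need accept/reject."""
    try:
        authenticate_federated(environ, requested_idp, requested_protocol)
        return True
    except FederationRejected:
        return False


# Constructed sample environments, as a SAML-aware and an ABFAB-aware
# Apache module might hand them to Keystone.
SAML_ENV = {
    "REMOTE_USER": "alice@acme.example",
    "FEDERATION_IDP": "https://idp.acme.example/idp/shibboleth",
    "FEDERATION_PROTOCOL": "saml2",
}
ABFAB_ENV = {
    "REMOTE_USER": "alice@acme.example",
    "FEDERATION_IDP": "moonshot-idp.example",
    "FEDERATION_PROTOCOL": "abfab",
}
LEGACY_ENV = {"REMOTE_USER": "alice@acme.example"}  # plugin exports nothing extra


if __name__ == "__main__":
    for name, env in (("saml", SAML_ENV), ("abfab", ABFAB_ENV), ("legacy", LEGACY_ENV)):
        print(name, "accepted" if is_accepted(env, "acme_idp", "saml2") else "rejected")
```

Without the two reported values the function cannot distinguish the ABFAB login from the SAML one (both carry the same REMOTE_USER), which is exactly the situation described in the post; with them, the ABFAB and legacy environments are rejected and only the configured IdP/protocol pair is accepted.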