[Yahoo-eng-team] [Bug 1390124] Re: No validation between client's IdP and Keystone IdP
This has been published as OSSN-0047: https://wiki.openstack.org/wiki/OSSN/OSSN-0047

** Changed in: ossn
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1390124

Title:
  No validation between client's IdP and Keystone IdP

Status in OpenStack Identity (Keystone):
  Fix Released
Status in OpenStack Security Advisories:
  Won't Fix
Status in OpenStack Security Notes:
  Fix Released

Bug description:
  With today's configuration there is no strict link between a federated assertion issued by a trusted IdP and an IdP configured inside Keystone. Hence, the user has the ability to choose a mapping and possibly get unauthorized access.

  Proposed solution: set up an IdP identifier included in an assertion issued by an IdP and validate that both values are equal.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1390124/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
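As an added illustration of the bug description above (example code written for this page, not Keystone's own implementation): a toy model of the federated authentication path. The client picks the identity provider through the URL it calls, the service provider in front of the application hands over the already-validated assertion as request attributes, and the vulnerable path applies the chosen IdP's mapping without checking who actually issued the assertion. The fixed path compares the issuer attribute against the remote IDs registered for the chosen IdP, which is the equality check the proposed solution calls for. The `IdentityProvider` class, its `remote_ids` field, the `Shib-Identity-Provider` attribute name, and the sample IdPs and assertion are all assumptions constructed for this example.

```python
"""Toy model of a federated auth path before and after the IdP-validation
check described in bug 1390124 / OSSN-0047.

Constructed example, not Keystone code. `IdentityProvider`, `remote_ids`,
`ISSUER_ATTRIBUTE` and the sample data below are illustrative assumptions.
"""
from dataclasses import dataclass, field


# The SP (for example a SAML module in front of the application) exposes the
# validated assertion as request environment attributes. Which attribute
# carries the issuer's entity ID is deployment-specific; the Shibboleth-style
# name used here is an assumption for this example.
ISSUER_ATTRIBUTE = "Shib-Identity-Provider"


@dataclass
class IdentityProvider:
    idp_id: str                                  # local name chosen by the admin
    remote_ids: set                              # issuer IDs this IdP may assert
    mapping: dict = field(default_factory=dict)  # remote attribute -> local group


class Unauthorized(Exception):
    pass


# Two trusted IdPs with very different privilege: "staff" asserted by the
# corporate IdP maps to admins, "staff" asserted by the partner IdP maps to a
# read-only group. Constructed configuration.
IDPS = {
    "corp-idp": IdentityProvider(
        idp_id="corp-idp",
        remote_ids={"https://idp.corp.example/saml"},
        mapping={"staff": "admins"},
    ),
    "partner-idp": IdentityProvider(
        idp_id="partner-idp",
        remote_ids={"https://idp.partner.example/saml"},
        mapping={"staff": "readonly"},
    ),
}


def _apply_mapping(idp, assertion):
    """Translate the remote 'role' attribute into a local group via the IdP's mapping."""
    group = idp.mapping.get(assertion.get("role"))
    if group is None:
        raise Unauthorized("no mapping rule matched")
    return {"user": assertion["user"], "group": group, "idp": idp.idp_id}


def vulnerable_authenticate(requested_idp_id, assertion):
    """Pre-fix behaviour: the IdP, and therefore the mapping, is chosen purely
    from the identifier the client put in the URL. Nothing ties that choice
    to the issuer of the assertion the SP validated."""
    idp = IDPS.get(requested_idp_id)
    if idp is None:
        raise Unauthorized("unknown IdP")
    return _apply_mapping(idp, assertion)


def fixed_authenticate(requested_idp_id, assertion):
    """Post-fix behaviour: the issuer reported by the SP must be one of the
    remote IDs registered for the IdP named in the URL, otherwise reject."""
    idp = IDPS.get(requested_idp_id)
    if idp is None:
        raise Unauthorized("unknown IdP")
    issuer = assertion.get(ISSUER_ATTRIBUTE)
    if issuer is None:
        raise Unauthorized("assertion carries no issuer attribute")
    if issuer not in idp.remote_ids:
        raise Unauthorized(
            f"assertion issued by {issuer!r} does not match IdP {requested_idp_id!r}")
    return _apply_mapping(idp, assertion)


# Constructed assertion: a legitimate "staff" login at the *partner* IdP.
PARTNER_STAFF = {
    ISSUER_ATTRIBUTE: "https://idp.partner.example/saml",
    "user": "mallory",
    "role": "staff",
}


def demo():
    """Partner user presents the partner assertion at the corp IdP's URL.
    Returns (group granted by the vulnerable path, whether the fixed path blocked it)."""
    escalated = vulnerable_authenticate("corp-idp", PARTNER_STAFF)["group"]
    try:
        fixed_authenticate("corp-idp", PARTNER_STAFF)
        blocked = False
    except Unauthorized:
        blocked = True
    return escalated, blocked


if __name__ == "__main__":
    print(demo())
```

Running it shows the partner user landing in the admins group on the vulnerable path and being rejected on the fixed one. The point is that the IdP named in the URL is client-controlled input; only the issuer inside the SP-validated assertion says which trust relationship, and hence which mapping, actually applies, so the two must be compared before any mapping is used.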
[Yahoo-eng-team] [Bug 1390124] Re: No validation between client's IdP and Keystone IdP
** Changed in: keystone
   Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1390124

Title:
  No validation between client's IdP and Keystone IdP

Status in OpenStack Identity (Keystone):
  Fix Released
Status in OpenStack Security Advisories:
  Won't Fix
Status in OpenStack Security Notes:
  In Progress
[Yahoo-eng-team] [Bug 1390124] Re: No validation between client's IdP and Keystone IdP
Confirmed Class B1

** Information type changed from Private Security to Public

** Changed in: ossa
   Status: Incomplete => Won't Fix

https://bugs.launchpad.net/bugs/1390124

Title:
  No validation between client's IdP and Keystone IdP

Status in OpenStack Identity (Keystone):
  Triaged
Status in OpenStack Security Advisories:
  Won't Fix
Status in OpenStack Security Notes:
  In Progress