Public bug reported:
The way federation is implemented today needs Keystone to run on Apache
and have authentication performed by mod_shib. Therefore, a user trying
to authenticate via saml2, for instance, will have her/his REMOTE_USER
property defined.
The lines below of the method Auth.authenticate [1] makes any user with
REMOTE_USER property in context to be authenticated by "external"
instead of "saml2" even after
contrib.federation.controllers.Auth.federated_authetication having
defined methods=['saml2'] [2].
# user has been authenticated externally
if 'REMOTE_USER' in context['environment']:
external = get_auth_method('external')
external.authenticate(context, auth_info, auth_context)
There should be a way of telling saml2 from external users in order to
avoid such authentication method collision.
Current version of the mentioned files:
[1]
https://github.com/openstack/keystone/blob/01eea87dea766714015a62f5d24f07d2407f9612/keystone/auth/controllers.py#L408
[2]
https://github.com/openstack/keystone/blob/a74550e3c47c6a138b4db7f95f89843c59a643bf/keystone/contrib/federation/controllers.py#L242
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1320128
Title:
Verification for REMOTE_USER on auth.controllers.Auth breaks
Federation
Status in OpenStack Identity (Keystone):
New
Bug description:
The way federation is implemented today needs Keystone to run on
Apache and have authentication performed by mod_shib. Therefore, a
user trying to authenticate via saml2, for instance, will have her/his
REMOTE_USER property defined.
The lines below of the method Auth.authenticate [1] makes any user
with REMOTE_USER property in context to be authenticated by "external"
instead of "saml2" even after
contrib.federation.controllers.Auth.federated_authetication having
defined methods=['saml2'] [2].
# user has been authenticated externally
if 'REMOTE_USER' in context['environment']:
external = get_auth_method('external')
external.authenticate(context, auth_info, auth_context)
There should be a way of telling saml2 from external users in order to
avoid such authentication method collision.
Current version of the mentioned files:
[1]
https://github.com/openstack/keystone/blob/01eea87dea766714015a62f5d24f07d2407f9612/keystone/auth/controllers.py#L408
[2]
https://github.com/openstack/keystone/blob/a74550e3c47c6a138b4db7f95f89843c59a643bf/keystone/contrib/federation/controllers.py#L242
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1320128/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
