Public bug reported: The way federation is implemented today needs Keystone to run on Apache and have authentication performed by mod_shib. Therefore, a user trying to authenticate via saml2, for instance, will have her/his REMOTE_USER property defined.

The lines below of the method Auth.authenticate [1] make any user with the REMOTE_USER property in context be authenticated by "external" instead of "saml2", even after contrib.federation.controllers.Auth.federated_authentication has defined methods=['saml2'] [2].

    # user has been authenticated externally
    if 'REMOTE_USER' in context['environment']:
        external = get_auth_method('external')
        external.authenticate(context, auth_info, auth_context)

There should be a way of telling saml2 from external users in order to avoid such an authentication method collision.

Current version of the mentioned files:

[1] https://github.com/openstack/keystone/blob/01eea87dea766714015a62f5d24f07d2407f9612/keystone/auth/controllers.py#L408
[2] https://github.com/openstack/keystone/blob/a74550e3c47c6a138b4db7f95f89843c59a643bf/keystone/contrib/federation/controllers.py#L242

** Affects: keystone
   Importance: Undecided
   Status: New

--
https://bugs.launchpad.net/bugs/1320128

Title:
  Verification for REMOTE_USER on auth.controllers.Auth breaks Federation

Status in OpenStack Identity (Keystone):
  New
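The collision the report describes, modelled as an added Python example that is not Keystone's own code: the buggy dispatch sends a request with methods=['saml2'] to 'external' whenever mod_shib has set REMOTE_USER, while an assumed corrected dispatch only falls back to 'external' when the caller asked for it. The plugin bodies, the fix rule and the sample context are assumptions; only REMOTE_USER, 'external' and 'saml2' come from the report.

```python
# Added example, not Keystone's code: a minimal model of the auth method
# dispatch described in the bug report. Plugin bodies, the fixed dispatch
# rule and the sample context are assumptions made for illustration.

def _external(context, auth_context):
    # Trusts the identity the web server put in REMOTE_USER as a local user.
    auth_context['user_id'] = context['environment']['REMOTE_USER']
    auth_context['method'] = 'external'

def _saml2(context, auth_context):
    # Federation plugin: mod_shib also sets REMOTE_USER, but the user is a
    # federated identity, not a local one, so it is tagged accordingly.
    env = context['environment']
    if 'REMOTE_USER' not in env:
        raise ValueError('no SAML assertion present in the request')
    auth_context['user_id'] = 'federated:' + env['REMOTE_USER']
    auth_context['method'] = 'saml2'

PLUGINS = {'external': _external, 'saml2': _saml2}

def authenticate_buggy(context, method_names):
    """Reported behaviour: any REMOTE_USER routes the request to 'external',
    whatever methods the caller asked for."""
    auth_context = {}
    if 'REMOTE_USER' in context['environment']:
        PLUGINS['external'](context, auth_context)
        return auth_context
    for name in method_names:
        PLUGINS[name](context, auth_context)
    return auth_context

def authenticate_fixed(context, method_names):
    """Assumed fix: run the implicit 'external' plugin only when the caller
    requested it (or requested nothing); an explicitly requested federation
    method such as 'saml2' keeps its own plugin."""
    auth_context = {}
    wants_external = not method_names or 'external' in method_names
    if 'REMOTE_USER' in context['environment'] and wants_external:
        PLUGINS['external'](context, auth_context)
    for name in method_names:
        if name != 'external':
            PLUGINS[name](context, auth_context)
    return auth_context

def sample_context():
    # Constructed request context: mod_shib has populated REMOTE_USER.
    return {'environment': {'REMOTE_USER': 'alice@idp.example'}}
```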