Public bug reported:

If an app wants to use k2k, then the keystone SP is probably set up to leverage
ECP SAML assertions.
Currently, the SAML assertion that is generated by the IdP keystone does not
contain the ECP-related bits, such as:

"""<soap11:Envelope
        xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/"><soap11:Header><ecp:RelayState
        xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
        soap11:actor="http://schemas.xmlsoap.org/soap/actor/next"
        soap11:mustUnderstand="1">ss:mem:f88cd8ad5aeee3456e74900b306b5ed54ec9fb23c614f9fa73ece1c97ec004ed</ecp:RelayState><samlec:GeneratedKey
        xmlns:samlec="urn:ietf:params:xml:ns:samlec"
        soap11:actor="http://schemas.xmlsoap.org/soap/actor/next">yvYbdh49qSJ7LqjFv+rfB8SR97hPWMwQkL0KKOgSkhY=</samlec:GeneratedKey></soap11:Header>
        <soap11:Body>%(response)s</soap11:Body></soap11:Envelope>"""

We should add these into the SAML generator code so that a client can
simply get a SAML assertion from his token, and pass that assertion
directly to a remote keystone.

** Affects: keystone
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1426128

Title:
  Add ECP related bits to saml generation code

Status in OpenStack Identity (Keystone):
  New

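An added example, not part of the bug report and not Keystone's own code: one way to wrap an already-serialized SAML response in the SOAP/ECP envelope shown in the report. It inserts the response text unchanged, so an existing signature over it is not disturbed by re-serialization, and escapes the RelayState header text. The function names and the sample response are assumptions made for illustration; the optional samlec:GeneratedKey header is left out.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {
    "soap11": "http://schemas.xmlsoap.org/soap/envelope/",
    "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
ACTOR_NEXT = "http://schemas.xmlsoap.org/soap/actor/next"

# Same shape as the template in the report, without the GeneratedKey header.
ENVELOPE = (
    '<soap11:Envelope xmlns:soap11="%(soap11)s"><soap11:Header>'
    '<ecp:RelayState xmlns:ecp="%(ecp)s" soap11:actor="%(actor)s" '
    'soap11:mustUnderstand="1">%(relay_state)s</ecp:RelayState>'
    '</soap11:Header><soap11:Body>%(response)s</soap11:Body></soap11:Envelope>'
)

def wrap_in_ecp_envelope(response_xml, relay_state):
    """Embed a serialized samlp:Response verbatim inside the ECP SOAP envelope."""
    # An XML declaration is only legal at the start of a document, not inside Body.
    response_xml = re.sub(r"^\s*<\?xml\s[^>]*\?>\s*", "", response_xml)
    root = ET.fromstring(response_xml)  # raises ParseError if not well-formed
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("expected samlp:Response, got %r" % root.tag)
    # Escape the header text so a RelayState value cannot inject markup.
    envelope = ENVELOPE % dict(NS, actor=ACTOR_NEXT,
                               relay_state=escape(relay_state), response=response_xml)
    ET.fromstring(envelope)  # the assembled envelope must parse as one document
    return envelope

def read_ecp_envelope(envelope_xml):
    """Receiver-side view: return (relay_state, response_id) from the envelope."""
    env = ET.fromstring(envelope_xml)
    relay = env.find("soap11:Header/ecp:RelayState", NS)
    response = env.find("soap11:Body/samlp:Response", NS)
    if relay is None or response is None:
        raise ValueError("missing ecp:RelayState header or samlp:Response body")
    if relay.get("{%s}mustUnderstand" % NS["soap11"]) != "1":
        raise ValueError("ecp:RelayState must carry mustUnderstand=1")
    return relay.text, response.get("ID")

# Constructed sample input (not from the report).
SAMPLE_RESPONSE = (
    '<?xml version="1.0"?>\n'
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed1" Version="2.0"/>'
)
```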