Bug 1253857
Summary: | ipsilon client saml nameid kerberos authentication issue | |
---|---|---|---
Product: | Red Hat Enterprise Linux 7 | Reporter: | Scott Poore <spoore>
Component: | ipsilon | Assignee: | Rob Crittenden <rcritten>
Status: | CLOSED NOTABUG | QA Contact: | Namita Soman <nsoman>
Severity: | unspecified | Priority: | unspecified
Version: | 7.2 | CC: | puiterwijk
Target Milestone: | rc | Doc Type: | Bug Fix
Hardware: | Unspecified | OS: | Unspecified
Last Closed: | 2015-08-20 13:21:29 UTC | Type: | Bug
Description
Scott Poore
2015-08-14 23:07:31 UTC
Created attachment 1063191
idp http logs
Created attachment 1063192
sp http logs
It is definitely related to the nameid. For some reason it is being rejected despite being in the allowed list:

[Fri Aug 14 17:59:31.216350 2015] [:error] [pid 26989] [14/Aug/2015:17:59:31] DEBUG(providers/saml2/provider.py:195 ServiceProvider.get_valid_nameid()): Requested NameId [urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos]
[Fri Aug 14 17:59:31.216956 2015] [:error] [pid 26989] [14/Aug/2015:17:59:31] DEBUG(providers/saml2/provider.py:200 ServiceProvider.get_valid_nameid()): Allowed NameIds ['unspecified', 'persistent', 'transient', 'email', 'kerberos', 'x509']
[Fri Aug 14 17:59:31.217824 2015] [:error] [pid 26989] [14/Aug/2015:17:59:31] DEBUG(ipsilon/providers/common.py:28 AuthenticationError.__init__()): Unavailable Name ID type [urn:oasis:names:tc:SAML:2.0:status:AuthnFailed]

Scott,

I think I figured out what you did. Did you authenticate using username/password instead of having a valid Kerberos ticket?

If so, that explains it, as the only NameId allowed is Kerberos so if you don't authenticate with Kerberos, it fails to log you in and explains the 401.

So basically you authenticated ok but with the wrong kind of credentials so you aren't allowed in.

Rob,

Yes, that was it. With a kerberos ticket, I'm able to connect and do see the nameid-format as kerberos as expected.

So, closing as not a bug.

Thanks for the help.

Scott
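Added example (not part of the bug report and not Ipsilon's own code): a triage script for the IdP debug lines quoted in this bug. It separates "requested format is not in the allowed list" from the case resolved here, where the format is allowed but the login method supplied no value for it. Pairing lines by Apache pid and comparing formats on the last URN segment are assumptions of this sketch; the sample input is the three log lines from the thread.

```python
import re

# The three IdP debug lines quoted in this bug, one per line.
SAMPLE_LOG = """\
[Fri Aug 14 17:59:31.216350 2015] [:error] [pid 26989] [14/Aug/2015:17:59:31] DEBUG(providers/saml2/provider.py:195 ServiceProvider.get_valid_nameid()): Requested NameId [urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos]
[Fri Aug 14 17:59:31.216956 2015] [:error] [pid 26989] [14/Aug/2015:17:59:31] DEBUG(providers/saml2/provider.py:200 ServiceProvider.get_valid_nameid()): Allowed NameIds ['unspecified', 'persistent', 'transient', 'email', 'kerberos', 'x509']
[Fri Aug 14 17:59:31.217824 2015] [:error] [pid 26989] [14/Aug/2015:17:59:31] DEBUG(ipsilon/providers/common.py:28 AuthenticationError.__init__()): Unavailable Name ID type [urn:oasis:names:tc:SAML:2.0:status:AuthnFailed]
"""

REQUESTED = re.compile(r"\[pid (\d+)\].*Requested NameId \[([^\]]+)\]")
ALLOWED = re.compile(r"\[pid (\d+)\].*Allowed NameIds \[([^\]]*)\]")
UNAVAILABLE = re.compile(r"\[pid (\d+)\].*Unavailable Name ID type \[([^\]]+)\]")

# Interpretations follow the resolution of this bug; wording is this example's own.
CAUSE_NO_VALUE = "format allowed, but the login method supplied no value for it"
CAUSE_NOT_ALLOWED = "format not in the SP's allowed list"
CAUSE_NO_REQUEST = "no NameID request seen for this pid"

def triage(log_text):
    """Return one finding per 'Unavailable Name ID type' error line."""
    pending = {}   # pid -> {"requested": short name, "allowed": [short names]}
    findings = []
    for line in log_text.splitlines():
        if m := REQUESTED.search(line):
            # Assumption: the last URN segment matches the short name in the allowed list.
            pending.setdefault(m.group(1), {})["requested"] = m.group(2).rsplit(":", 1)[-1]
        elif m := ALLOWED.search(line):
            names = [n.strip(" '\"") for n in m.group(2).split(",") if n.strip()]
            pending.setdefault(m.group(1), {})["allowed"] = names
        elif m := UNAVAILABLE.search(line):
            ctx = pending.pop(m.group(1), {})
            req, allowed = ctx.get("requested"), ctx.get("allowed", [])
            if req is None:
                cause = CAUSE_NO_REQUEST
            elif req in allowed:
                cause = CAUSE_NO_VALUE      # the situation in this bug
            else:
                cause = CAUSE_NOT_ALLOWED   # a genuine SP/IdP configuration mismatch
            findings.append({"pid": m.group(1), "requested": req,
                             "allowed": allowed, "status": m.group(2), "cause": cause})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A finding with the first cause points at how the user authenticated (here, password instead of a Kerberos ticket) rather than at the service provider's NameID configuration.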