
Bug 1268132

Summary: SAML plugin doesn't work with mod_auth_mellon - 303 redirect ignored
Product: Red Hat OpenStack
Reporter: Jamie Lennox <jlennox>
Component: python-keystoneclient
Assignee: Nathan Kinder <nkinder>
Status: CLOSED ERRATA
QA Contact: Rodrigo Duarte <rduartes>
Severity: unspecified
Priority: unspecified
Version: 7.0 (Kilo)
CC: ayoung, jruzicka, jschluet, nkinder, sasha, sclewis, yeylon
Target Milestone: beta
Keywords: TestOnly
Target Release: 8.0 (Liberty)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: python-keystoneclient-1.7.2-1.el7ost
Doc Type: Bug Fix
Last Closed: 2016-04-07 21:10:38 UTC
Type: Bug

Description Jamie Lennox 2015-10-01 21:34:50 UTC
The SAML plugin hooks the HTTP redirect code as ECP doesn't correctly follow the HTTP spec in this regard. Currently the plugin specifically looks for a 302 redirection and handles it; however, it should also handle the 303 redirect code, as this is ambiguous in the specification and is what mod_auth_mellon uses.

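The redirect handling the description refers to, as an added example that is not keystoneclient's or mod_auth_mellon's code: a constructed stand-in SP answers the ECP assertion POST with a 303, and a hand-rolled client follows the redirect only when the status is in its accepted set, so (302,) fails the way the bug describes and (302, 303) succeeds. The endpoint paths, the header name and the token value are constructed for the demo.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ACCEPTED_REDIRECTS = (302, 303)  # the fix: both codes mean "assertion accepted"

# Constructed stand-in for a mod_auth_mellon-protected SP: it answers the ECP
# assertion POST with 303 and hands out a constructed token on the redirected GET.
class FakeServiceProvider(BaseHTTPRequestHandler):
    def do_POST(self):
        self.send_response(303)
        self.send_header("Location", "/v3/OS-FEDERATION/auth")  # constructed path
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        self.send_response(200)
        self.send_header("X-Subject-Token", "constructed-unscoped-token")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def complete_ecp_flow(host, port, accepted_redirects):
    # Redirects are followed by hand, as the plugin does, so the client itself
    # decides which status codes mean "assertion accepted, now fetch the token".
    # Passing (302,) reproduces the bug; ACCEPTED_REDIRECTS is the fixed check.
    conn = http.client.HTTPConnection(host, port)
    conn.request("POST", "/mellon/paosResponse", body="<samlp:Response/>",
                 headers={"Content-Type": "application/vnd.paos+xml"})
    resp = conn.getresponse()
    resp.read()
    if resp.status not in accepted_redirects:
        raise ValueError("unexpected status %d after ECP assertion" % resp.status)
    conn.request("GET", resp.getheader("Location"))
    final = conn.getresponse()
    final.read()
    return final.getheader("X-Subject-Token")

def run_against_fake_sp(accepted_redirects=ACCEPTED_REDIRECTS):
    server = HTTPServer(("127.0.0.1", 0), FakeServiceProvider)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return complete_ecp_flow("127.0.0.1", server.server_port, accepted_redirects)
    finally:
        server.shutdown()
        server.server_close()
```
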
Comment 3 Nathan Kinder 2015-12-10 23:15:09 UTC
This is fixed upstream in python-keystoneclient 1.8.0, and it was also backported to the 1.7.2 release on the stable/liberty branch here:

  https://review.openstack.org/230231

RHEL OSP 8 is currently including python-keystoneclient-1.7.2-1.el7ost, which includes this fix.

Comment 4 Rodrigo Duarte 2016-02-12 13:07:03 UTC
Verified for python-keystoneclient-1.7.2-1.el7ost.

Federation setup with:

VM 1: OpenStack + mod_mellon (openstack.rduartes.unknown.test)
VM 2: Ipsilon backed by FreeIPA (ipa.rduartes.unknown.test)

In order to test if it is working we may try to get an unscoped token via Federation and using a python-keystoneclient plugin:

from keystoneclient.contrib.auth.v3 import saml2
from keystoneclient import session
from keystoneclient.v3 import client

# Try to authenticate in the IdP and then use the credentials in the SP
saml2_auth = saml2.Saml2UnscopedToken(auth_url='https://openstack.rduartes.unknown.test:5000/v3',
                                      identity_provider='ipsilon',
                                      identity_provider_url='https://ipa.rduartes.unknown.test/idp/saml2/SSO/SOAP',
                                      username='rduartes',
                                      password='rduartes')

# This bug is similar to bug #1256995: the failure would occur during the Session creation (it will receive the 303 redirect)
sess = session.Session(auth=saml2_auth)

# Try to actually use the federated credentials
ks = client.Client(session=sess)

print('Try to list projects:')
print(ks.federation.projects.list())

Comment 7 errata-xmlrpc 2016-04-07 21:10:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-0603.html