Bug 1256995 - SAML2 ECP Accept header incorrect
Summary: SAML2 ECP Accept header incorrect
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-keystoneclient
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: beta
Target Release: 8.0 (Liberty)
Assignee: Nathan Kinder
QA Contact: Rodrigo Duarte
URL:
Whiteboard:
Depends On: 1256994
Blocks:
 
Reported: 2015-08-26 03:00 UTC by Jamie Lennox
Modified: 2016-04-26 23:43 UTC
CC List: 10 users

Fixed In Version: python-keystoneclient-1.7.2-1.el7ost
Doc Type: Bug Fix
Doc Text:
Clone Of: 1256994
Environment:
Last Closed: 2016-04-07 21:03:38 UTC
Target Upstream Version:
Embargoed:


Attachments: none


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Launchpad | 1488722 | 0 | None | None | None | Never
OpenStack gerrit | 216928 | 0 | None | None | None | Never
Red Hat Product Errata | RHEA-2016:0603 | 0 | normal | SHIPPED_LIVE | Red Hat OpenStack Platform 8 Enhancement Advisory | 2016-04-08 00:53:53 UTC

Description Jamie Lennox 2015-08-26 03:00:10 UTC
+++ This bug was initially created as a clone of Bug #1256994 +++

The first SAML ECP request is to the endpoint with an Accept value containing application/vnd.paos+xml. In the spec example and in keystoneclient we send "text/html; application/vnd.paos+xml" however this is incorrect because the mime-type separator in Accept headers is a , (comma), where a ; provides parameters to the type[2].

This has been confirmed by SAML2 working group as a bug in the spec. (Will provide reference for this soon).

This works in Shibboleth because the accept matcher simply does

if 'application/vnd.paos+xml' in req.headers.accept

but fails in mod_auth_mellon which does a more strict type check.

[1] http://docs.oasis-open.org/security/saml/Post2.0/saml-ecp/v2.0/cs01/saml-ecp-v2.0-cs01.html#_Toc366664721
[2] http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
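The following is an added example, not code from python-keystoneclient, Shibboleth or mod_auth_mellon. It parses an Accept header according to the RFC 2616/7231 grammar quoted in the description (media ranges separated by commas, parameters introduced by semicolons) and contrasts a substring matcher, standing in for the lenient Shibboleth check, with a strict per-media-range matcher, standing in for the stricter mod_auth_mellon check. The two sample headers are constructed here; the buggy one is the value the description says keystoneclient used to send, the fixed one uses the comma separator. The strict matcher also honours q=0, which the page does not discuss but which a strict implementation has to handle.

```python
"""Why 'text/html; application/vnd.paos+xml' is not an Accept header that
offers two media types.  Added example; not keystoneclient project code.

Per RFC 2616 section 14.1 / RFC 7231 section 5.3.2, ',' separates media
ranges and ';' introduces parameters of the preceding range.  The buggy
header therefore offers exactly one media type (text/html) with one
malformed parameter, and a strict server-side check will not see PAOS.
"""

PAOS = "application/vnd.paos+xml"

# Constructed sample headers (not captured traffic).
BUGGY_ACCEPT = "text/html; application/vnd.paos+xml"   # semicolon: wrong
FIXED_ACCEPT = "text/html, application/vnd.paos+xml"   # comma: correct


def parse_accept(header):
    """Parse an Accept header into a list of (media_range, params).

    Parameters are expected as token=value; a parameter without '=' is
    recorded with value None so the caller can flag it as malformed.
    """
    ranges = []
    for element in header.split(","):
        element = element.strip()
        if not element:
            continue
        pieces = [p.strip() for p in element.split(";")]
        media_range = pieces[0].lower()
        params = {}
        for piece in pieces[1:]:
            if not piece:
                continue
            if "=" in piece:
                name, value = piece.split("=", 1)
                params[name.strip().lower()] = value.strip().strip('"')
            else:
                params[piece.lower()] = None   # malformed: no '='
        ranges.append((media_range, params))
    return ranges


def malformed_params(header):
    """Names of parameters that are not token=value pairs (empty if clean)."""
    bad = []
    for _media_range, params in parse_accept(header):
        bad.extend(name for name, value in params.items() if value is None)
    return bad


def loose_accepts(header, media_type=PAOS):
    """Substring check, as the description says Shibboleth does.

    It 'works' on the buggy header only because the text happens to
    contain the string, not because the header actually offers the type.
    """
    return media_type in header


def strict_accepts(header, media_type=PAOS):
    """Strict check: the type must be its own media range and not
    have q=0 (which RFC 7231 defines as 'not acceptable')."""
    for media_range, params in parse_accept(header):
        if media_range != media_type.lower():
            continue
        q = params.get("q")
        if q is None:
            return True
        try:
            return float(q) > 0
        except ValueError:
            return False
    return False


if __name__ == "__main__":
    for label, hdr in (("buggy", BUGGY_ACCEPT), ("fixed", FIXED_ACCEPT)):
        print(label, repr(hdr))
        print("  parsed:          ", parse_accept(hdr))
        print("  malformed params:", malformed_params(hdr))
        print("  loose match:", loose_accepts(hdr),
              " strict match:", strict_accepts(hdr))
```

Run stand-alone, the script shows the buggy header parsing to a single text/html range carrying a bogus parameter named application/vnd.paos+xml, so only the substring matcher accepts it, while the comma-separated header passes both matchers.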

Comment 4 Nathan Kinder 2015-12-10 23:08:39 UTC
This is fixed upstream in python-keystoneclient 1.7.0, and it was also backported to the 1.3.3 release on the stable/kilo branch here:

  https://review.openstack.org/#/c/217450/

This will be included in RHEL OSP 8, which currently is including python-keystoneclient-1.7.2-1.el7ost

Comment 5 Rodrigo Duarte 2016-02-12 13:03:27 UTC
Verified for python-keystoneclient-1.7.2-1.el7ost.

Federation setup with:

VM 1: OpenStack + mod_mellon (openstack.rduartes.unknown.test)
VM 2: Ipsilon backed by FreeIPA (ipa.rduartes.unknown.test)

In order to test if it is working we may try to get an unscoped token via Federation and using a python-keystoneclient plugin:

from keystoneclient.contrib.auth.v3 import saml2
from keystoneclient import session
from keystoneclient.v3 import client

# Authenticate against the IdP over SAML2 ECP and then use the resulting
# unscoped federated token at the SP (Keystone).
saml2_auth = saml2.Saml2UnscopedToken(auth_url='https://openstack.rduartes.unknown.test:5000/v3',
                                      identity_provider='ipsilon',
                                      identity_provider_url='https://ipa.rduartes.unknown.test/idp/saml2/SSO/SOAP',
                                      username='rduartes',
                                      password='rduartes')

# The session performs the ECP exchange (the request that carries the
# Accept header fixed in this bug) when the token is first needed.
sess = session.Session(auth=saml2_auth)

# Actually use the federated credentials against the Keystone v3 API.
ks = client.Client(session=sess)

print('Try to list projects:')
print(ks.federation.projects.list())

Comment 8 errata-xmlrpc 2016-04-07 21:03:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-0603.html

