+++ This bug was initially created as a clone of Bug #1256994 +++

The first SAML ECP request is to the endpoint with an Accept value containing application/vnd.paos+xml. In the spec example and in keystoneclient we send "text/html; application/vnd.paos+xml", however this is incorrect because the mime-type separator in Accept headers is a , (comma), where a ; provides parameters to the type [2]. This has been confirmed by the SAML2 working group as a bug in the spec. (Will provide reference for this soon.)

This works in Shibboleth because the accept matcher simply does if 'application/vnd.paos+xml' in req.headers.accept but fails in mod_auth_mellon which does a more strict type check.

[1] http://docs.oasis-open.org/security/saml/Post2.0/saml-ecp/v2.0/cs01/saml-ecp-v2.0-cs01.html#_Toc366664721
[2] http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
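The comma-versus-semicolon distinction above is easy to see with a small RFC 2616 Accept parser. The following is an added illustration, not code from keystoneclient, mod_auth_mellon or Shibboleth: it splits media ranges on commas and parameters on semicolons, then compares a strict "is this one of the listed media ranges" check with a naive substring check. The two sample header values are constructed to match the broken and corrected forms described in the bug.

```python
from typing import Dict, List, Tuple

# Constructed samples: the value keystoneclient sent before the fix (a ';' makes
# the PAOS type a parameter of text/html) and the corrected value (a ',' lists
# two separate media ranges, as RFC 2616 section 14.1 requires).
ACCEPT_BROKEN = "text/html; application/vnd.paos+xml"
ACCEPT_FIXED = "text/html, application/vnd.paos+xml"
PAOS_TYPE = "application/vnd.paos+xml"


def parse_accept(header: str) -> List[Tuple[str, Dict[str, str]]]:
    """Split an Accept header into (media_range, params) pairs.

    Media ranges are separated by commas; each range may carry ';'-separated
    parameters such as q=0.8. Whitespace around separators is ignored.
    """
    ranges = []
    for element in header.split(","):
        element = element.strip()
        if not element:
            continue
        parts = [p.strip() for p in element.split(";")]
        media_range = parts[0].lower()
        params: Dict[str, str] = {}
        for p in parts[1:]:
            if "=" in p:
                key, value = p.split("=", 1)
                params[key.strip().lower()] = value.strip()
            else:
                # A bare token after ';' is a malformed parameter, which is
                # exactly where the PAOS type ends up in the broken header.
                params[p.lower()] = ""
        ranges.append((media_range, params))
    return ranges


def accepts_type(header: str, media_type: str) -> bool:
    """Strict check in the spirit of mod_auth_mellon: the media type must
    appear as a media range (not as a parameter) with a non-zero q value."""
    media_type = media_type.lower()
    for media_range, params in parse_accept(header):
        if media_range == media_type and params.get("q", "1") != "0":
            return True
    return False


def accepts_type_substring(header: str, media_type: str) -> bool:
    """Lenient check in the spirit of Shibboleth: substring match on the raw
    header, which accepts the malformed value by accident."""
    return media_type in header


if __name__ == "__main__":
    for label, value in (("broken", ACCEPT_BROKEN), ("fixed", ACCEPT_FIXED)):
        print(label, parse_accept(value))
        print("  strict:   ", accepts_type(value, PAOS_TYPE))
        print("  substring:", accepts_type_substring(value, PAOS_TYPE))
```

Running it shows why only the strict parser rejects the old header: in the broken value, application/vnd.paos+xml is parsed as a parameter of text/html rather than as a media range, so a conforming SP never sees a PAOS-capable client and falls back to the normal browser SSO flow.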
This is fixed upstream in python-keystoneclient 1.7.0, and it was also backported to the 1.3.3 release on the stable/kilo branch here: https://review.openstack.org/#/c/217450/ This will be included in RHEL OSP 8, which currently is including python-keystoneclient-1.7.2-1.el7ost
Verified for python-keystoneclient-1.7.2-1.el7ost.

Federation setup with:
VM 1: OpenStack + mod_mellon (openstack.rduartes.unknown.test)
VM 2: Ipsilon backed by FreeIPA (ipa.rduartes.unknown.test)

In order to test if it is working we may try to get an unscoped token via Federation and using a python-keystoneclient plugin:

from keystoneclient.contrib.auth.v3 import saml2
from keystoneclient import session
from keystoneclient.v3 import client

# Try to authenticate in the IdP and then use the credentials in the SP
saml2_auth = saml2.Saml2UnscopedToken(
    auth_url='https://openstack.rduartes.unknown.test:5000/v3',
    identity_provider='ipsilon',
    identity_provider_url='https://ipa.rduartes.unknown.test/idp/saml2/SSO/SOAP',
    username='rduartes',
    password='rduartes')
sess = session.Session(auth=saml2_auth)

# Try to actually use the federated credentials
ks = client.Client(session=sess)
print('Try to list projects:')
print(ks.federation.projects.list())
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2016-0603.html