Red Hat Bugzilla – Bug 1268132
SAML plugin doesn't work with mod_auth_mellon - 303 redirect ignored
Last modified: 2016-04-26 14:52:20 EDT
The SAML plugin hooks the HTTP redirect code, as ECP doesn't correctly follow the HTTP spec in this regard. Currently the plugin specifically looks for a 302 redirection and handles it; however, it should also handle the 303 redirect code, as this is ambiguous in the specification and is what mod_auth_mellon uses.
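The redirect handling described above, as an added example that is not part of the original report and is not python-keystoneclient code. FakeSP, FakeResponse, handle_ecp_redirect, fetch_token and the sp.example.test URLs are hypothetical names and constructed values; the handler follows 302 and 303 alike, and passing codes=(302,) reproduces the reported failure.

```python
from urllib.parse import urljoin

HTTP_MOVED_TEMPORARILY = 302
HTTP_SEE_OTHER = 303
# Redirect codes an SP may answer the ECP POST with (mod_auth_mellon sends 303).
ECP_REDIRECT_CODES = (HTTP_MOVED_TEMPORARILY, HTTP_SEE_OTHER)
ECP_HEADERS = {'Accept': 'text/html, application/vnd.paos+xml'}

class FakeResponse:
    def __init__(self, status_code, headers=None):
        self.status_code = status_code
        self.headers = headers or {}

class FakeSP:
    """Constructed stand-in for the SP; replies to the SAML POST with a redirect."""
    def __init__(self, redirect_code):
        self.redirect_code = redirect_code
        self.calls = []

    def request(self, url, method, headers=None):
        self.calls.append((method, url))
        if method == 'POST':
            return FakeResponse(self.redirect_code, {'Location': '/v3/auth-endpoint'})
        return FakeResponse(200, {'X-Subject-Token': 'constructed-token'})

def handle_ecp_redirect(sp, response, request_url, codes=ECP_REDIRECT_CODES):
    """Follow the SP's redirect by hand, as a GET carrying the ECP headers."""
    if response.status_code not in codes:
        return response  # not a redirect we handle: pass it through unchanged
    location = response.headers.get('Location')
    if not location:
        raise ValueError('redirect response without a Location header')
    return sp.request(urljoin(request_url, location), 'GET', headers=ECP_HEADERS)

def fetch_token(redirect_code, codes=ECP_REDIRECT_CODES):
    sp = FakeSP(redirect_code)
    url = 'https://sp.example.test/saml/consumer'  # constructed URL
    response = sp.request(url, 'POST', headers=ECP_HEADERS)
    response = handle_ecp_redirect(sp, response, url, codes)
    return response.headers.get('X-Subject-Token'), sp.calls

if __name__ == '__main__':
    for code in (302, 303):
        print(code, fetch_token(code)[0])
    print('302-only handler, 303 reply:', fetch_token(303, codes=(302,))[0])
```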
This is fixed upstream in python-keystoneclient 1.8.0, and it was also backported to the 1.7.2 release on the stable/liberty branch here:
RHEL OSP 8 is currently including python-keystoneclient-1.7.2-1.el7ost, which includes this fix.
Verified for python-keystoneclient-1.7.2-1.el7ost.
Federation setup with:
VM 1: OpenStack + mod_mellon (openstack.rduartes.unknown.test)
VM 2: Ipsilon backed by FreeIPA (ipa.rduartes.unknown.test)
In order to test if it is working we may try to get an unscoped token via Federation and using a python-keystoneclient plugin:
from keystoneclient.contrib.auth.v3 import saml2
from keystoneclient import session
from keystoneclient.v3 import client
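# Try to authenticate in the IdP and then use the credentials in the SP
# (the arguments after auth_url are cut off on this page; the values below are placeholders)
saml2_auth = saml2.Saml2UnscopedToken(auth_url='https://openstack.rduartes.unknown.test:5000/v3',
                                      identity_provider='<identity-provider-id>',
                                      identity_provider_url='<idp-ecp-endpoint-url>',
                                      username='<username>',
                                      password='<password>')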
# This bug is similar to bug #1256995, the failure would occur during the Session creation (it will receive the 303 redirect)
sess = session.Session(auth=saml2_auth)
# Try to actually use the federated credentials
ks = client.Client(session=sess)
print('Try to list projects:')
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.