During SAML ECP authentication 2 specially formatted HTTP headers *MUST* be included in the request in order for the SP (Service Provider) to recognize the client is ECP capable and to start the SAML ECP flow. One is the PAOS header and the other is the Accept header which must include the "application/vnd.paos+xml" media type. Media types in the Accept header are separated by a comma (,). Unfortunately keystoneauth uses a semicolon (;) as the media type separator. The HTTP spec reserves the semicolon in the Accept header to attach parameters to the media type. For example Accept: type1;params1,type2;params2 Using a semicolon as a media type separator is syntactically invalid and can cause failures in servers that parse the Accept header. For example mod_auth_mellon emits this error message and fails to process the ECP request: request supplied valid PAOS header but omitted PAOS media type in Accept header have_paos_media_type=False valid_paos_header=True is_paos=False This indicates only 1 of the 2 required conditions were met.
John, Have a few questions about verifying this bug, 1) I suppose it needs to be tested on a Keystone Federation Setup using ECP client. 2) What is the command I need to use from the ECP client to verify the header?
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:1587