During SAML ECP authentication 2 specially formatted HTTP headers *MUST* be included in the request in order for the SP (Service Provider) to recognize the client is ECP capable and to start the SAML ECP flow. One is the PAOS header and the other is the Accept header which must include the "application/vnd.paos+xml" media type. Media types in the Accept header are separated by a comma (,). Unfortunately keystoneauth uses a semicolon (;) as the media type separator. The HTTP spec reserves the semicolon in the Accept header to attach parameters to the media type. For example Accept: type1;params1,type2;params2 Using a semicolon as a media type separator is syntactically invalid and can cause failures in servers that parse the Accept header. For example mod_auth_mellon emits this error message and fails to process the ECP request: request supplied valid PAOS header but omitted PAOS media type in Accept header have_paos_media_type=False valid_paos_header=True is_paos=False This indicates only 1 of the 2 required conditions were met. The irony is this issue was originally reported here: https://bugs.launchpad.net/python-keystoneclient/+bug/1488722 And merged here: https://review.openstack.org/#/c/217450/ But this was done about the time all the client libs and openstack client were being developed and Jamie Lenox noted the fix needs to be merged at some point in that code, but as far as I can tell that work was abandoned when the branch was abandoned. All of this is to say we need to apply the same trivial 1 character fix to keystoneauth that was lost along the way.
Merged upstream in: master: b1301e606d29a99da9c81d4c1627a6bba4b0ddcc stable/newton: 13b0e07b7ba58dcc1b743815743c655701d7b206 Already present in stable/ocata when branched from master.
Patch is necessary to make Keystone federation work.
Upstream gerrit review for master is: https://review.openstack.org/#/c/420970/ Upstream gerrit review for stable/newton is: https://review.openstack.org/#/c/421411/
verified for python-keystoneauth1-2.18.0 - try to use the v3samlpasswrod plugin: $ openstack --debug --insecure --os-auth-url https://10.0.0.101:13000/v3 --os-identity-api-version 3 --os-auth-type v3samlpassword ... - digging up in the logs, we can find 'Accept': '*/*,application/vnd.paos+xml', the header is correctly using , instead of ;
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2017-0355.html
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days