During SAML ECP authentication 2 specially formatted HTTP headers *MUST* be included in the request in order for the SP (Service Provider) to recognize the client is ECP capable and to start the SAML ECP flow. One is the PAOS header and the other is the Accept header which must include the "application/vnd.paos+xml" media type. Media types in the Accept header are separated by a comma (,). Unfortunately keystoneauth uses a semicolon (;) as the media type separator. The HTTP spec reserves the semicolon in the Accept header to attach parameters to the media type. For example
Using a semicolon as a media type separator is syntactically invalid and can cause failures in servers that parse the Accept header. For example mod_auth_mellon emits this error message and fails to process the ECP request:
request supplied valid PAOS header but omitted PAOS media type in Accept header
have_paos_media_type=False valid_paos_header=True is_paos=False
This indicates only 1 of the 2 required conditions were met.
The irony is this issue was originally reported here:
And merged here:
But this was done about the time all the client libs and openstack client were being developed and Jamie Lenox noted the fix needs to be merged at some point in that code, but as far as I can tell that work was abandoned when the branch was abandoned.
All of this is to say we need to apply the same trivial 1 character fix to keystoneauth that was lost along the way.
Merged upstream in:
Already present in stable/ocata when branched from master.
Patch is necessary to make Keystone federation work.
Upstream gerrit review for master is:
Upstream gerrit review for stable/newton is:
verified for python-keystoneauth1-2.18.0
- try to use the v3samlpasswrod plugin:
$ openstack --debug --insecure --os-auth-url https://10.0.0.101:13000/v3 --os-identity-api-version 3 --os-auth-type v3samlpassword ...
- digging up in the logs, we can find 'Accept': '*/*,application/vnd.paos+xml', the header is correctly using , instead of ;
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.