Description of problem:
When a user tries to log in via the horizon dashboard with SSO, they keep getting redirected back to the login page without any message indicating a reason if their group mapping is not set up in the overcloud, i.e., they are not part of any remote group that's currently mapped. This leads to the false assumption that the system is broken when it is not. I've looked through the keystone and horizon logs for signs of errors/warnings or even looping behavior but wasn't able to notice much. We have tested this behavior with more than one user with consistent results.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:
Have the federated users that are not part of the group mapping be given an error message (any error message) rather than keep looping back to the login screen without any hint as to why their access is not working.

Additional info:

Found this in the documentation[1], which mentions the following:

~~~
During the federated authentication process, members of the IdM group openstack-users are mapped into the OpenStack group federated_users. As a result, an IdM user will need to be a member of the openstack-users group in order to access OpenStack; if the user is not a member of the IdM group openstack-users, then authentication will fail.
~~~

[1] http://access.redhat.com/documentation/en-us/red_hat_openstack_platform/16.0/html-single/federate_with_identity_service/index#operational-goals
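
Added example, not part of the bug report, the Red Hat documentation or keystone's code: a simplified model of the group mapping quoted above, showing how a failed match can yield a generic message for the user and a specific reason for the service log instead of a silent redirect. The attribute names `REMOTE_USER` and `REMOTE_GROUPS`, the `;`-separated group list, the function names and the sample users are assumptions made for this example; only the `any_one_of` condition is modelled.

```python
# Simplified model of a keystone-style mapping rule; not keystone's own code.
# REMOTE_USER / REMOTE_GROUPS are constructed attribute names for this example.
MAPPING = [{
    "local": [{"user": {"name": "{0}"}, "group": {"name": "federated_users"}}],
    "remote": [
        {"type": "REMOTE_USER"},
        {"type": "REMOTE_GROUPS", "any_one_of": ["openstack-users"]},
    ],
}]


def _values(assertion, key):
    """Return an attribute as a list; assumes ';'-separated multi-values."""
    return [v for v in assertion.get(key, "").split(";") if v]


def evaluate(mapping, assertion):
    """Return (local_groups, reasons); local_groups is empty if no rule matched."""
    reasons = []
    for index, rule in enumerate(mapping):
        failure = None
        for req in rule["remote"]:
            values = _values(assertion, req["type"])
            allowed = req.get("any_one_of")
            if not values:
                failure = f"rule {index}: {req['type']} missing from assertion"
            elif allowed and not set(values) & set(allowed):
                failure = f"rule {index}: {req['type']}={values} has none of {allowed}"
            if failure:
                break
        if failure is None:
            return [l["group"]["name"] for l in rule["local"] if "group" in l], []
        reasons.append(failure)
    return [], reasons


def login_result(assertion):
    """Return (allowed, user_message, log_detail) instead of a silent redirect."""
    groups, reasons = evaluate(MAPPING, assertion)
    if groups:
        return True, "Signed in.", f"mapped into {groups}"
    # Generic text for the user; the specific reason goes to the service log.
    return False, "Your account is not authorized for this cloud.", "; ".join(reasons)


# Constructed sample assertions.
MEMBER = {"REMOTE_USER": "alice", "REMOTE_GROUPS": "ipausers;openstack-users"}
NON_MEMBER = {"REMOTE_USER": "bob", "REMOTE_GROUPS": "ipausers"}
```

Keeping the group names out of the user-facing text avoids telling an unauthorized user which IdM group grants access, while the log line gives operators the reason the reporter could not find.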