Hi John, the problem is not to establish which variable has the correct information but the association between IDP and URL. In OS-Federation you define an authentication URL per IDP and protocol, and it is supposed to use the specified IDP and protocol for authentication. Nevertheless, during the authentication there is no code to check whether the IDP and protocol are the ones specified for the URL, and in the Apache configuration for Juno there was no configuration on the Apache side to bind the IDP to the URL.
Therefore, you need to add something in OS_Federation to perform this control, using the variable you are proposing or others.

Marco

> On 24 Dec 2014, at 15:15, John Dennis <jden...@redhat.com> wrote:
>
> Can't this be solved with a couple of environment variables? The two
> key pieces of information needed are:
>
> 1) who authenticated the subject?
>
> 2) what authentication method was used?
>
> There is already precedence for AUTH_TYPE, it's used in AJP to
> initialize the authType property in a Java Servlet. AUTH_TYPE would
> cover item 2. Numerous places in Apache already set AUTH_TYPE. Perhaps
> there could be a convention that AUTH_TYPE could carry extra qualifying
> parameters much like HTTP headers do. The first token would be the
> primary mechanism, e.g. saml, negotiate, x509, etc. For authentication
> types that support multiple mechanisms (e.g. EAP, SAML, etc.) an extra
> parameter would qualify the actual mechanism used. For SAML that
> qualifying extra parameter could be the value from AuthnContextClassRef.
>
> Item 1 could be covered by a new environment variable AUTH_AUTHORITY.
>
> If AUTH_TYPE is negotiate (i.e. kerberos) then the AUTH_AUTHORITY would
> be the KDC. For SAML it would probably be taken from the
> AuthenticatingAuthority element or the IdP entityID.
>
> I'm not sure I see the need for other layers to receive the full SAML
> assertion and validate the signature. One has to trust the server you're
> running in. It's the same concept as trusting REMOTE_USER.
>
> --
> John
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStackfirstname.lastname@example.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

====================================================
Eng. Marco Fargetta, PhD
Istituto Nazionale di Fisica Nucleare (INFN)
Catania, Italy
EMail: marco.farge...@ct.infn.it
====================================================
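The control Marco describes, binding the per-IdP/per-protocol OS-Federation auth URL to what the web server actually authenticated, as an added example written for this thread (not Keystone's code and not from either poster). It assumes the OS-FEDERATION path layout `/OS-FEDERATION/identity_providers/<idp>/protocols/<protocol>/auth`, that the Apache module exports the mechanism in `AUTH_TYPE` (first token is the primary mechanism, as John suggests) and the authenticating authority in a variable named `AUTH_AUTHORITY`; that variable name and the lookup tables are assumptions constructed for the example.

```python
"""Hypothetical check that the IdP and protocol named in an OS-Federation auth
URL match the IdP and mechanism the web server reports having used.
Example code for this thread, not Keystone's own; names are assumptions."""
import re

# Constructed sample data: URL-level IdP id -> remote ids (IdP entityID or KDC)
# that may appear in AUTH_AUTHORITY. In a deployment this would come from the
# registered identity provider, not from a literal table.
IDP_REMOTE_IDS = {
    "infn": {"https://idp.example.infn.it/saml2/idp/metadata.php"},
    "corp-kerberos": {"kdc.example.com"},
}

# Constructed: URL-level protocol name -> acceptable primary AUTH_TYPE tokens.
PROTOCOL_AUTH_TYPES = {
    "saml2": {"saml"},
    "kerberos": {"negotiate"},
}

_AUTH_PATH = re.compile(
    r"^/OS-FEDERATION/identity_providers/(?P<idp>[^/]+)"
    r"/protocols/(?P<protocol>[^/]+)/auth/?$"
)


class FederationBindingError(Exception):
    """The request's IdP/mechanism do not match the IdP/protocol in the URL."""


def parse_auth_path(path):
    """Extract (idp, protocol) from an OS-FEDERATION auth URL."""
    m = _AUTH_PATH.match(path)
    if not m:
        raise FederationBindingError("not an OS-FEDERATION auth URL: %r" % path)
    return m.group("idp"), m.group("protocol")


def primary_auth_type(auth_type):
    """First token of AUTH_TYPE, e.g. 'saml' from
    'saml; authnContextClassRef=urn:oasis:...'. The qualifying-parameter
    convention is John's proposal, not an existing Apache behaviour."""
    return auth_type.split(";", 1)[0].strip().lower()


def check_binding(environ):
    """Return (idp, protocol) if the URL agrees with AUTH_TYPE/AUTH_AUTHORITY,
    otherwise raise FederationBindingError. Run before any token is issued."""
    url_idp, url_protocol = parse_auth_path(environ.get("PATH_INFO", ""))
    auth_type = environ.get("AUTH_TYPE")
    authority = environ.get("AUTH_AUTHORITY")  # assumed variable name
    if not auth_type or not authority:
        raise FederationBindingError("AUTH_TYPE or AUTH_AUTHORITY not set")

    allowed = PROTOCOL_AUTH_TYPES.get(url_protocol)
    if allowed is None or primary_auth_type(auth_type) not in allowed:
        raise FederationBindingError(
            "mechanism %r does not match URL protocol %r" % (auth_type, url_protocol))

    if authority not in IDP_REMOTE_IDS.get(url_idp, set()):
        raise FederationBindingError(
            "authority %r is not registered for URL IdP %r" % (authority, url_idp))
    return url_idp, url_protocol


def is_bound(environ):
    """Boolean convenience wrapper around check_binding."""
    try:
        check_binding(environ)
        return True
    except FederationBindingError:
        return False


if __name__ == "__main__":
    # Constructed WSGI environ: SAML login arriving on the matching URL.
    ok = {
        "PATH_INFO": "/OS-FEDERATION/identity_providers/infn/protocols/saml2/auth",
        "AUTH_TYPE": "saml; authnContextClassRef=urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
        "AUTH_AUTHORITY": "https://idp.example.infn.it/saml2/idp/metadata.php",
        "REMOTE_USER": "marco",
    }
    print(check_binding(ok))
    # Same assertion presented on another IdP's URL: rejected.
    bad = dict(ok, PATH_INFO="/OS-FEDERATION/identity_providers/corp-kerberos/protocols/saml2/auth")
    print(is_bound(bad))
```

The point of the check is that the URL, not the assertion, selects the mapping rules that will be applied, so an authentication from one IdP presented on another IdP's URL must fail before mapping runs; the table lookups stand in for whatever the IdP registration stores.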