Re: [openstack-dev] [Keystone] Bug in federation

2015-01-05 Thread Marco Fargetta
Hi David, in principle I agree with your comments. The current design mixes different aspect up and it is not manageable when the number of IdPs get bigger, like in the case you should allow access from users in a country federation, especially compared to other tools supporting identity

Re: [openstack-dev] [Keystone] Bug in federation

2015-01-05 Thread David Chadwick
Hi Marco 1. I agree that a discovery service is needed somewhere in the federation architecture. But the discovery service should be independent of the endpoint URL that is used to access OpenStack services via Keystone. It is not a good design to mix up these two aspects, which appears to have

Re: [openstack-dev] [Keystone] Bug in federation

2015-01-02 Thread David Chadwick
Hi Marco I think the current design is wrong because it is mixing up access control with service endpoint location. The endpoint of a service should be independent of the access control rules determining who can contact the service. Any entity should be able to contact a service endpoint (subject

Re: [openstack-dev] [Keystone] Bug in federation

2014-12-24 Thread David Chadwick
On 23/12/2014 21:56, Morgan Fainberg wrote: On Dec 23, 2014, at 1:08 PM, Dolph Mathews dolph.math...@gmail.com mailto:dolph.math...@gmail.com wrote: On Tue, Dec 23, 2014 at 1:33 PM, David Chadwick d.w.chadw...@kent.ac.uk mailto:d.w.chadw...@kent.ac.uk wrote: Hi Adam On

Re: [openstack-dev] [Keystone] Bug in federation

2014-12-24 Thread Marco Fargetta
Hi All, this bug was already reported and fixed in two steps: https://bugs.launchpad.net/ossn/+bug/1390124 The first step is in the documentation. There should be also an OSS advice for previous version of OpenStack. The solution consist in configuring shibboleth to use different IdPs for

Re: [openstack-dev] [Keystone] Bug in federation

2014-12-24 Thread John Dennis
Can't this be solved with a couple of environment variables? The two keys pieces of information needed are: 1) who authenticated the subject? 2) what authentication method was used? There is already precedence for AUTH_TYPE, it's used in AJP to initialize the authType property in a Java

Re: [openstack-dev] [Keystone] Bug in federation

2014-12-24 Thread David Chadwick
HI John On 24/12/2014 14:15, John Dennis wrote: Can't this be solved with a couple of environment variables? The two keys pieces of information needed are: 1) who authenticated the subject? AUTH_AUTHORITY or similar would stop wrong configuration of Apache if it was set by the protocol

Re: [openstack-dev] [Keystone] Bug in federation

2014-12-24 Thread David Chadwick
If I understand the bug fix correctly, it is firmly tying the URL to the IDP to the mapping rule. But I think this is going in the wrong direction for several reasons: 1. With Shibboleth, if you use a WAYF service, then anyone from hundreds of different federated IDPs may end up being used to

Re: [openstack-dev] [Keystone] Bug in federation

2014-12-24 Thread Marco Fargetta
On 24 Dec 2014, at 17:34, David Chadwick d.w.chadw...@kent.ac.uk wrote: If I understand the bug fix correctly, it is firmly tying the URL to the IDP to the mapping rule. But I think this is going in the wrong direction for several reasons: 1. With Shibboleth, if you use a WAYF service,

Re: [openstack-dev] [Keystone] Bug in federation

2014-12-24 Thread Marco Fargetta
Hi John, the problem is not to establish which variable has the correct information but the association between IDP and URL. In OS-Federation you define an authentication URL per IDP and protocol and it is supposed to use the specified IDP and protocol for authenticate. Nevertheless, during the

[openstack-dev] [Keystone] Bug in federation

2014-12-23 Thread David Chadwick
Hi guys we now have the ABFAB federation protocol working with Keystone, using a modified mod_auth_kerb plugin for Apache (available from the project Moonshot web site). However, we did not change Keystone configuration from its original SAML federation configuration, when it was talking to SAML

Re: [openstack-dev] [Keystone] Bug in federation

2014-12-23 Thread Adam Young
On 12/23/2014 11:34 AM, David Chadwick wrote: Hi guys we now have the ABFAB federation protocol working with Keystone, using a modified mod_auth_kerb plugin for Apache (available from the project Moonshot web site). However, we did not change Keystone configuration from its original SAML

Re: [openstack-dev] [Keystone] Bug in federation

2014-12-23 Thread David Chadwick
Hi Adam On 23/12/2014 17:34, Adam Young wrote: On 12/23/2014 11:34 AM, David Chadwick wrote: Hi guys we now have the ABFAB federation protocol working with Keystone, using a modified mod_auth_kerb plugin for Apache (available from the project Moonshot web site). However, we did not change

Re: [openstack-dev] [Keystone] Bug in federation

2014-12-23 Thread Dolph Mathews
On Tue, Dec 23, 2014 at 1:33 PM, David Chadwick d.w.chadw...@kent.ac.uk wrote: Hi Adam On 23/12/2014 17:34, Adam Young wrote: On 12/23/2014 11:34 AM, David Chadwick wrote: Hi guys we now have the ABFAB federation protocol working with Keystone, using a modified mod_auth_kerb plugin

Re: [openstack-dev] [Keystone] Bug in federation

2014-12-23 Thread Morgan Fainberg
On Dec 23, 2014, at 1:08 PM, Dolph Mathews dolph.math...@gmail.com wrote: On Tue, Dec 23, 2014 at 1:33 PM, David Chadwick d.w.chadw...@kent.ac.uk mailto:d.w.chadw...@kent.ac.uk wrote: Hi Adam On 23/12/2014 17:34, Adam Young wrote: On 12/23/2014 11:34 AM, David Chadwick wrote: Hi