Unfortunately the "local" type within the "local" section is not a
matching rule. Only the keys in the "remote" section are matched, then
they are mapped to attributes in the "local" section. If the user
doesn't exist already in keystone, but still matches the remote rule
'"type": "HTTP_GROUPS","any_one_of": [ "consumers" ]', it will be mapped
to the first case, and then expect there to already be a local user. The
matching can only be done based on remote attributes, not on local
attributes.
** Changed in: keystone
Status: New => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1823847
Title:
Multiple rules in a mapping is not working with type: "local"
attribute
Status in OpenStack Identity (keystone):
Invalid
Bug description:
We have a requirement in which we want to setup an external Identity provider
with keystone federation for SSO.
I have added two rules in a mapping which will match to below criteria and
added this mapping to OS_FEDERATION identity provider.
Rule 1. If user already exists in keystone, it should not create a new
ephemeral user.
Rule 2. If user is not found in keystone, it should create a new user in SSO
federated domain.
Problem:
If user is not present already, it should match second rule and new user
should be created. But it's throwing Unauthorized Error.
I think with type:"local" specified, it will throw Unauthorized error even
if there are multiple rules for a given mapping.
With multiple rules specified, it should try to match a rule in order,
which is not working as expected.
Have attached mapping object for reference.
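The following is an added illustration, not keystone's own RuleProcessor and not the mapping attached to this bug: a simplified evaluator that models the behaviour the comment describes (only a rule's "remote" list is matched against the identity provider assertion; the "local" list is a template applied afterwards). The two constructed rules below have the shape the description asks for, and both match on the same HTTP_GROUPS attribute, so the first rule always wins and a user who does not yet exist in keystone is rejected rather than falling through to the ephemeral rule. The rule structure, the user set and the assertions are constructed sample data.

```python
"""Simplified model of keystone federation mapping evaluation (added example).

Assumption: a rule is selected purely by its "remote" conditions; whether the
mapped user already exists is checked only after the rule has been chosen.
"""
import re


class Unauthorized(Exception):
    """Raised when no rule matches, or a "local" user does not exist."""


def _remote_condition_matches(condition, assertion):
    """Check one entry of a rule's "remote" list against the assertion."""
    values = assertion.get(condition["type"], [])
    if isinstance(values, str):
        values = [values]
    if "any_one_of" in condition:
        allowed = condition["any_one_of"]
        if condition.get("regex"):
            return any(re.search(p, v) for p in allowed for v in values)
        return any(v in allowed for v in values)
    if "not_any_of" in condition:
        blocked = condition["not_any_of"]
        if condition.get("regex"):
            return not any(re.search(p, v) for p in blocked for v in values)
        return not any(v in blocked for v in values)
    # A bare {"type": X} entry only requires the attribute to be present.
    return bool(values)


def first_matching_rule(rules, assertion):
    """Return the first rule whose remote conditions all match, else None."""
    for rule in rules:
        if all(_remote_condition_matches(c, assertion) for c in rule["remote"]):
            return rule
    return None


def resolve_user(rules, assertion, existing_users):
    """Apply the chosen rule's "local" user entry.

    type "local": the named user must already exist in keystone.
    type "ephemeral" (or unset): a federated shadow user is created.
    Returns (action, username).
    """
    rule = first_matching_rule(rules, assertion)
    if rule is None:
        raise Unauthorized("no mapping rule matched the assertion")
    # Positional {0}, {1}, ... refer to remote entries without a match clause.
    direct = [
        assertion[c["type"]]
        for c in rule["remote"]
        if "any_one_of" not in c and "not_any_of" not in c
    ]
    user = next(entry["user"] for entry in rule["local"] if "user" in entry)
    username = user["name"].format(*direct)
    if user.get("type") == "local":
        if username not in existing_users:
            raise Unauthorized(f"rule requires existing local user {username!r}")
        return ("use_existing", username)
    return ("create_ephemeral", username)


# Constructed mapping in the shape the bug report describes: rule 1 expects an
# existing local user, rule 2 creates an ephemeral one, and both rules match
# on the same remote attribute.
MAPPING_RULES = [
    {
        "local": [{"user": {"name": "{0}", "type": "local"}}],
        "remote": [
            {"type": "REMOTE_USER"},
            {"type": "HTTP_GROUPS", "any_one_of": ["consumers"]},
        ],
    },
    {
        "local": [{"user": {"name": "{0}", "type": "ephemeral"}}],
        "remote": [
            {"type": "REMOTE_USER"},
            {"type": "HTTP_GROUPS", "any_one_of": ["consumers"]},
        ],
    },
]


def demo():
    """Run the two cases from the report: an existing user and a new one."""
    existing = {"alice"}  # constructed: the only user already in keystone
    known = {"REMOTE_USER": "alice", "HTTP_GROUPS": ["consumers"]}
    unknown = {"REMOTE_USER": "bob", "HTTP_GROUPS": ["consumers"]}
    results = {"alice": resolve_user(MAPPING_RULES, known, existing)}
    try:
        results["bob"] = resolve_user(MAPPING_RULES, unknown, existing)
    except Unauthorized as exc:
        results["bob"] = ("unauthorized", str(exc))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Running `demo()` shows alice resolved through rule 1 while bob is rejected by rule 1 before rule 2 is ever consulted; because rule selection never looks at the local user store, the only way to steer different users to different rules is through attributes the identity provider actually sends.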