New attributes for SAML Assertion generated by keystone IdP
It is necessary to add new attributes to SAML assertions generated by a keystone IdP in order to uniquely identify users and projects.
Problem Description
When using keystone-to-keystone federation, a deployer can map a keystone Identity Provider into multiple domains in the keystone Service Provider. The keystone acting as Identity Provider may also have multiple domains. With this kind of m x n relationship between the domains of the Identity Provider and those of the Service Provider, it is critical that the mapping in use can correctly identify the different entities (users and projects) involved in the mapping process.
Currently, SAML assertions (and ECP wrapped SAML assertions) generated by a keystone Identity Provider contain three attributes: openstack_user, openstack_project and openstack_roles. The value of each attribute is the name of the entity it represents. This leads to a problem when using mapping rules to uniquely identify users and projects: neither users nor projects have unique names across domains, so we might map different users and projects to the same entity in a keystone Service Provider, which may cause resources to be accessed by unauthorized users.
Proposed Change
Since users and projects have unique names within their domains, adding two new attributes, openstack_user_domain and openstack_project_domain, to the SAML assertion generated by the keystone IdP solves this issue.
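The following is an added illustration, not code from keystone or from this spec: two constructed assertions from an IdP with two domains, both carrying a user named "alice", are run through a name-only mapping rule and through a rule that also consumes the proposed domain attributes. The rule layout mirrors keystone's `remote`/`local` mapping format, but the evaluator here is a small simplified stand-in for keystone's mapping engine.

```python
"""Added example (not keystone code): name-only SAML attributes collide
across IdP domains; the proposed domain attributes disambiguate them."""
import json

# Constructed SAML attribute statements from one IdP with two domains.
# Both users are named "alice", both projects "build", in different domains.
ASSERTION_A = {"openstack_user": "alice", "openstack_user_domain": "eng",
               "openstack_project": "build", "openstack_project_domain": "eng",
               "openstack_roles": "member"}
ASSERTION_B = {"openstack_user": "alice", "openstack_user_domain": "sales",
               "openstack_project": "build", "openstack_project_domain": "sales",
               "openstack_roles": "member"}
# Assertion from an older IdP that does not emit the domain attributes.
ASSERTION_LEGACY = {"openstack_user": "alice", "openstack_project": "build",
                    "openstack_roles": "member"}

# Current behaviour: the rule only consumes the name attributes. {0}, {1}
# are filled with the remote values in the order the remote list gives them.
NAME_ONLY_RULE = {
    "remote": [{"type": "openstack_user"}, {"type": "openstack_project"}],
    "local": [{"user": {"name": "{0}"}, "group": {"name": "{1}"}}],
}
# Proposed behaviour: the rule also consumes the domain attributes.
DOMAIN_AWARE_RULE = {
    "remote": [{"type": "openstack_user"}, {"type": "openstack_user_domain"},
               {"type": "openstack_project"}, {"type": "openstack_project_domain"}],
    "local": [{"user": {"name": "{0}", "domain": {"name": "{1}"}},
               "group": {"name": "{2}", "domain": {"name": "{3}"}}}],
}


def apply_rule(rule, assertion):
    """Render the rule's local template with the assertion's remote values.
    Returns None when a required remote attribute is absent (rule not matched)."""
    values = []
    for remote in rule["remote"]:
        if remote["type"] not in assertion:
            return None
        values.append(assertion[remote["type"]])
    rendered = json.dumps(rule["local"])
    for i, value in enumerate(values):
        rendered = rendered.replace("{%d}" % i, value)
    return json.loads(rendered)


def collides(rule, first, second):
    """True if two distinct assertions map onto the same local identity."""
    return apply_rule(rule, first) == apply_rule(rule, second)
```

With the name-only rule both assertions resolve to the same local user and group; with the domain-aware rule they stay distinct, and an assertion lacking the new attributes simply fails to match, which is why deployers need to update their rules alongside the IdP.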
Alternatives
Represent openstack_user and openstack_project by their IDs instead of their names. This has the drawback of not being backwards compatible: mapping rules previously created would stop working.
Security Impact
None
Notifications Impact
None
Other End User Impact
None
Performance Impact
None
Other Deployer Impact
Deployers already using keystone-to-keystone federation may want to update their mapping rules to include the new attributes.
Developer Impact
None
Implementation
Assignee(s)
Rodrigo Duarte Sousa <rodrigodsousa>
Work Items
- Add openstack_user_domain in SAML assertion generation
- Add openstack_project_domain in SAML assertion generation
- Update documentation to add the new attributes
Dependencies
None
Documentation Impact
The new attributes should be documented.
References
None