Fix K2K auth flow diagram

The keystone-to-keystone auth flow diagram contained a minor error that
could lead to confusion. When a client POSTs a SAMLResponse to the PAOS
URL of the keystone Service Provider, the response is not automatically
a keystone token but an HTTP redirect that indicates the session is
successfully authenticated. The client then must ignore the Location
header of the redirect and instead start the token request process with
keystone's federated authentication endpoint. This change adds the extra
step to the diagram to help clarify the process.

Change-Id: I5c256388c2247eba4e559eb94cc9fb1bcd42444a
Colleen Murphy 2019-10-17 13:48:44 -07:00
parent f9a086e165
commit 7debb1a30b
1 changed files with 2 additions and 0 deletions

@ -309,6 +309,8 @@ Keystone to Keystone
SAMLResponse in SOAP envelope"];
useragent -> sp [label = "POST /PAOS-url"];
sp -> sp [label = "Validate"];
useragent <- sp [label = "HTTP 302"];
useragent -> sp [label = "GET /v3/OS-FED/.../auth"];
useragent <- sp [label = "HTTP 201
X-Subject-Token: unscoped token"];
useragent -> sp [label = "POST /v3/auth/tokens
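Review bot: the "HTTP 302" edge from sp to useragent does not say that the client must disregard the redirect's Location header, which is the point the commit message makes. A reader of the diagram alone could take the following "GET /v3/OS-FED/.../auth" edge to be the redirect target being followed. Consider extending the label, for example "HTTP 302 (Location header ignored)", or adding a sentence under the diagram stating that the client starts the GET on its own rather than by following the redirect.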