From 7debb1a30bc0e2cfadd0c0315fa4df92d345b987 Mon Sep 17 00:00:00 2001 From: Colleen Murphy Date: Thu, 17 Oct 2019 13:48:44 -0700 Subject: [PATCH] Fix K2K auth flow diagram The keystone-to-keystone auth flow diagram contained a minor error that could lead to confusion. When a client POSTs a SAMLResponse to the PAOS URL of the keystone Service Provider, the response is not automatically a keystone token but an HTTP redirect that indicates the session is successfully authenticated. The client then must ignore the Location header of the redirect and instead start the token request process with keystone's federated authentication endpoint. This change adds the extra step to the diagram to help clarify the process. Change-Id: I5c256388c2247eba4e559eb94cc9fb1bcd42444a --- doc/source/admin/federation/introduction.rst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/doc/source/admin/federation/introduction.rst b/doc/source/admin/federation/introduction.rst index 52d32dd8bb..032c3c61f2 100644 --- a/doc/source/admin/federation/introduction.rst +++ b/doc/source/admin/federation/introduction.rst @@ -309,6 +309,8 @@ Keystone to Keystone SAMLResponse in SOAP envelope"]; useragent -> sp [label = "POST /PAOS-url"]; sp -> sp [label = "Validate"]; + useragent <- sp [label = "HTTP 302"]; + useragent -> sp [label = "GET /v3/OS-FED/.../auth"]; useragent <- sp [label = "HTTP 201 X-Subject-Token: unscoped token"]; useragent -> sp [label = "POST /v3/auth/tokens
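Review bot: The added `useragent <- sp [label = "HTTP 302"];` edge does not carry the point the commit message makes, that the client must ignore the Location header of the redirect. A reader of the diagram alone will likely assume the following `GET /v3/OS-FED/.../auth` is the redirect target being followed automatically. Consider a label such as "HTTP 302 (Location not followed)", or a sentence in the prose next to the diagram saying that the 302 only signals an authenticated session and that the client starts the federated token request itself. The `...` in the new GET label also leaves the path ambiguous; if the full federated authentication endpoint path is too long for an edge label, point to where it is spelled out in the surrounding text.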