From a551b94dd7abfd717c615daf6aa8767be06f1ff7 Mon Sep 17 00:00:00 2001
From: Eric Brown <browne@vmware.com>
Date: Fri, 20 Jan 2017 16:00:17 -0800
Subject: [PATCH] Add warning about using `external` with federation

Using both the `external` authentication method and a federation
method (such as saml2, etc) can result in conflicts [1]

[1] http://docs.openstack.org/developer/keystone/external-auth.html#configuration

Change-Id: Ifb95d779d48c14a4fa24a26d016151edf409d760
Related-Bug: #1657978
---
 keystone/conf/auth.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/keystone/conf/auth.py b/keystone/conf/auth.py
index aac36d2bf9..9894de4e02 100644
--- a/keystone/conf/auth.py
+++ b/keystone/conf/auth.py
@@ -20,7 +20,11 @@ methods = cfg.ListOpt(
     'methods',
     default=constants._DEFAULT_AUTH_METHODS,
     help=utils.fmt("""
-Allowed authentication methods.
+Allowed authentication methods. Note: You should disable the `external` auth
+method if you are currently using federation. External auth and federation
+both use the REMOTE_USER variable. Since both the mapped and external plugin
+are being invoked to validate attributes in the request environment, it can
+cause conflicts.
 """))
 
 password = cfg.StrOpt(  # nosec : This is the name of the plugin, not