Use comma as separator in ECP Accept HTTP header

During SAML ECP authentication 2 specially formatted HTTP headers
*MUST* be included in the request in order for the SP (Service
Provider) to recognize the client is ECP capable and to start the SAML
ECP flow. One is the PAOS header and the other is the Accept header
which must include the "application/vnd.paos+xml" media type. Media
types in the Accept header are separated by a comma (,). Unfortunately
keystoneauth uses a semicolon (;) as the media type separator. The
HTTP spec reserves the semicolon in the Accept header to attach
parameters to the media type. For example

Accept: type1;params1,type2;params2

Using a semicolon as a media type separator is syntactically invalid
and can cause failures in servers that parse the Accept header. For
example mod_auth_mellon emits this error message and fails to process
the ECP request:

request supplied valid PAOS header but omitted PAOS media type in Accept header
have_paos_media_type=False valid_paos_header=True is_paos=False

This indicates only 1 of the 2 required conditions were met.

Change-Id: I6469990a57762fc47b297d7b5b2b4cb4872df4ba
Signed-off-by: John Dennis <>
Closes-Bug: 1656946
John Dennis 6 years ago
parent 7e11cab57b
commit b1301e606d

@ -125,7 +125,7 @@ class _SamlAuth(requests.auth.AuthBase):
except KeyError:
request.headers['Accept'] = _PAOS_HEADER
request.headers['Accept'] = ';'.join([accept, _PAOS_HEADER])
request.headers['Accept'] = ','.join([accept, _PAOS_HEADER])
request.headers['PAOS'] = _PAOS_VER
request.register_hook('response', self._handle_response)