New attributes for SAML Assertion generated by keystone IdP¶
It is necessary to add new attributes to SAML assertions generated by a keystone IdP in order to uniquely identify users and projects.
When using keystone-to-keystone federation, a deployer can map a keystone Identity Provider into multiple domains in the keystone Service Provider. The keystone acting as Identity Provider may also have multiple domains as well. With this kind of m x n relationship between domains present in both Identity Provider and Service Provider it is critical for the mapping being used to have the power to correctly identify the different entities (users and projects) involved in the mapping process.
Currently, SAML assertions (and ECP wrapped SAML assertions) generated by a
keystone Identity Provider contain three attributes:
openstack_roles. The value of each attribute
is the name of the entity that is represented. This leads to a problem when
using mapping rules to uniquely identify users and projects, neither have
unique names across domains - we might map different users and projects to the
same entity in a keystone Service Provider, which may cause resources to be
accessed by unauthorized users.
Since users and projects have unique names in their domains, adding two new
openstack_project_domain, to the
SAML assertion generated by the keystone IdP solves this issue.
openstack_project by their IDs, this have
the issue of not being backwards compatible: mapping rules previously created
would stop working.
Other End User Impact¶
Other Deployer Impact¶
Currently deployers already using keystone-to-keystone federation may want to update their mapping rules to include the new attributes.
Rodrigo Duarte Sousa <rodrigodsousa>
Add openstack_user_domain in SAML assertion generation
Add openstack_project_domain in SAML assertion generation
Update documentation to add the new attributes
The new attributes should be documented.