New attributes for SAML Assertion generated by keystone IdP
It is necessary to add new attributes to SAML assertions generated by a keystone IdP in order to uniquely identify users and projects.
Problem Description
When using keystone-to-keystone federation, a deployer can map a keystone Identity Provider into multiple domains in the keystone Service Provider, and the keystone acting as Identity Provider may itself have multiple domains. With this m x n relationship between the domains of the Identity Provider and those of the Service Provider, it is critical that the mapping in use can correctly distinguish the entities (users and projects) involved in the mapping process.
Currently, SAML assertions (and ECP-wrapped SAML assertions) generated by a keystone Identity Provider contain three attributes: openstack_user, openstack_project and openstack_roles. The value of each attribute is the name of the entity it represents. This is a problem when mapping rules are used to uniquely identify users and projects: neither has a unique name across domains, so different users and projects may be mapped to the same entity in a keystone Service Provider, which may allow resources to be accessed by unauthorized users.
Proposed Change
Since users and projects have unique names within their domains, adding two new attributes, openstack_user_domain and openstack_project_domain, to the SAML assertion generated by the keystone IdP solves this issue.
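The following is an added example, not keystone code, that shows the ambiguity described above and how the two proposed attributes remove it. An assertion is modelled as a dict of attribute name to list of values (the shape the mapping engine sees once the SAML AttributeStatement is parsed); the sample users, the group id and the helper names are constructed for this illustration, and apply_mapping() implements only a small subset of keystone's mapping-rule semantics (presence of a remote attribute, any_one_of, and {0} substitution). It also shows the kind of rule update a deployer would make to take advantage of the new attribute.

```python
"""Why name-only SAML attributes are ambiguous across domains, and how the
proposed openstack_user_domain / openstack_project_domain attributes fix it.

Added example, not keystone code; sample data and helpers are constructed.
"""

# Constructed IdP data: two different users named "alice" in two domains,
# each owning a project called "web" in her own domain.
IDP_USERS = [
    {"name": "alice", "domain": "engineering", "project": "web",
     "project_domain": "engineering", "roles": ["member"]},
    {"name": "alice", "domain": "finance", "project": "web",
     "project_domain": "finance", "roles": ["member"]},
]

# Rule as a deployer might have written it before this change: any
# openstack_user lands in the engineering group (group id is a placeholder).
MAPPING_NAME_ONLY = {"rules": [{
    "local": [{"user": {"name": "{0}"}}, {"group": {"id": "ENGINEERING_GROUP_ID"}}],
    "remote": [{"type": "openstack_user"}],
}]}

# Updated rule: additionally require the new openstack_user_domain attribute
# to be "engineering", so the finance "alice" no longer matches.
MAPPING_WITH_DOMAIN = {"rules": [{
    "local": [{"user": {"name": "{0}"}}, {"group": {"id": "ENGINEERING_GROUP_ID"}}],
    "remote": [{"type": "openstack_user"},
               {"type": "openstack_user_domain", "any_one_of": ["engineering"]}],
}]}


def build_assertion(user, include_domains):
    """Attributes the IdP emits for `user`: the current three, plus the two
    proposed domain attributes when include_domains is True."""
    attrs = {
        "openstack_user": [user["name"]],
        "openstack_project": [user["project"]],
        "openstack_roles": list(user["roles"]),
    }
    if include_domains:
        attrs["openstack_user_domain"] = [user["domain"]]
        attrs["openstack_project_domain"] = [user["project_domain"]]
    return attrs


def _fill(obj, values):
    """Substitute {0}, {1}, ... placeholders in a local rule with remote values."""
    if isinstance(obj, dict):
        return {k: _fill(v, values) for k, v in obj.items()}
    if isinstance(obj, str):
        return obj.format(*values)
    return obj


def apply_mapping(mapping, assertion):
    """Return the local objects of the first matching rule, or None.

    A rule matches when every `remote` attribute is present in the assertion
    and, where `any_one_of` is given, at least one value is in that list.
    """
    for rule in mapping["rules"]:
        values = []
        for remote in rule["remote"]:
            vals = assertion.get(remote["type"])
            if not vals:
                break
            if "any_one_of" in remote and not set(vals) & set(remote["any_one_of"]):
                break
            values.append(vals[0])
        else:  # no break: every remote condition held
            return [_fill(local, values) for local in rule["local"]]
    return None


def domains_granted_group(mapping, include_domains):
    """Domains of the sample users whose assertion is mapped into the group."""
    return [u["domain"] for u in IDP_USERS
            if apply_mapping(mapping, build_assertion(u, include_domains)) is not None]


def distinct_identities(include_domains):
    """Number of distinct (user, project) subjects the SP can tell apart."""
    seen = set()
    for user in IDP_USERS:
        a = build_assertion(user, include_domains)
        seen.add((a["openstack_user"][0], a.get("openstack_user_domain", [None])[0],
                  a["openstack_project"][0], a.get("openstack_project_domain", [None])[0]))
    return len(seen)


if __name__ == "__main__":
    print("name-only assertion, old rule:", domains_granted_group(MAPPING_NAME_ONLY, False))
    print("new assertion, old rule      :", domains_granted_group(MAPPING_NAME_ONLY, True))
    print("new assertion, updated rule  :", domains_granted_group(MAPPING_WITH_DOMAIN, True))
```

With the name-only attributes both users collapse to one identity and both are placed in the engineering group; with the domain attributes present, the old rule keeps matching (so existing mappings do not break), while the updated rule admits only the engineering user.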
Alternatives
Represent openstack_user and openstack_project by their IDs. This has the drawback of not being backwards compatible: mapping rules previously created would stop working.
Security Impact
None
Notifications Impact
None
Other End User Impact
None
Performance Impact
None
Other Deployer Impact
Deployers already using keystone-to-keystone federation may want to update their mapping rules to include the new attributes.
Developer Impact
None
Implementation
Assignee(s)
Rodrigo Duarte Sousa <rodrigodsousa>
Work Items
Add openstack_user_domain in SAML assertion generation
Add openstack_project_domain in SAML assertion generation
Update documentation to add the new attributes
Dependencies
None
Documentation Impact
The new attributes should be documented.
References
None