Mapping of user attributes in saml Federation

asked 2017-05-09 06:11:11 -0500


updated 2017-05-09 06:14:52 -0500

Hi everybody, we set up a (Mirantis Fuel) Mitaka environment. We also have configured SAML federation (with Shibboleth). We noticed that the mapping for the user attribute email won't work. We configured it like this:

    [{
        "local": [{
            "user": {
                "name": "{0}",
                "email": "{1}"
            },
            "group": {
                "name": "shib-group-users",
                "domain": { "id": "12345abcd" }
            }
        }],
        "remote": [{
            "type": "persistent-id"
        }, {
            "type": "mail"
        }]
    }]

since Openstack mapping create accepts this mapping and login works, we expect it to be correct.

Expected result:

    root@node-9:~# openstack user list --long
    +----------+-------+---------+----------+-------------+----------------------+---------+
    | ID       | Name  | Project | Domain   | Description | Email                | Enabled |
    +----------+-------+---------+----------+-------------+----------------------+---------+
    | 12345abc | admin |         | default  |             | admin@localhost      | True    |
    | 23451bca | usera |         | None     |             | usera@dom.tld        | True    |
    | 34512cab | userb |         | None     |             | userb@dom.tld        | True    |
    +----------+-------+---------+----------+-------------+----------------------+---------+

what we get:

    root@node-9:~# openstack user list --long
    +----------+-------+---------+----------+-------------+----------------------+---------+
    | ID       | Name  | Project | Domain   | Description | Email                | Enabled |
    +----------+-------+---------+----------+-------------+----------------------+---------+
    | 12345abc | admin |         | default  |             | admin@localhost      | True    |
    | 23451bca | usera |         | None     |             |                      | True    |
    | 34512cab | userb |         | None     |             |                      | True    |
    +----------+-------+---------+----------+-------------+----------------------+---------+

First question: what's wrong? Our expectation, our mapping, or is this simply a bug / not implemented?

Second question: will this change in the future, or has it already changed in newer releases?

Thanks for your response


Comments

We also confirmed the mail attribute isn't empty by using it as the username, and vice versa.

jj-ac ( 2017-05-09 06:13:49 -0500 )

1 answer


answered 2017-05-19 01:44:59 -0500

blakegc

The federated user creation code in Keystone does not appear to pass this information to the database when creating the federated user entry.

https://github.com/openstack/keystone/blob/16f6ed14df136eb9c283a5415b9f18fcb0834350/keystone/identity/core.py#L1399-L1408

A workaround is to specify the email address as the user's unique ID / display name.

    [{
        "local": [{
            "user": {
                "id": "{0}"
            },
            "group": {
                "name": "shib-group-users",
                "domain": {
                    "id": "12345abcd"
                }
            }
        }],
        "remote": [{
            "type": "mail"
        }]
    }]
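To confirm that the loss of the email happens after the mapping stage (in the user-creation code the answer points at) rather than in the mapping rules themselves, here is an added example that is not code from the post and not Keystone's own RuleProcessor: a simplified evaluator for the rule format used above (`type`, `{n}` substitution, plus `any_one_of` / `not_any_of`), run over a constructed assertion whose attribute names (`persistent-id`, `mail`) are assumed to match what Shibboleth exposes. It evaluates both the question's mapping and the answer's workaround offline, before anything is uploaded with `openstack mapping create`.

```python
import json
# Mapping from the question and the answer's workaround (domain id copied
# from the post), parsed here as constructed test input.
QUESTION_MAPPING = json.loads('''[{"local": [{"user": {"name": "{0}", "email": "{1}"},
    "group": {"name": "shib-group-users", "domain": {"id": "12345abcd"}}}],
    "remote": [{"type": "persistent-id"}, {"type": "mail"}]}]''')
WORKAROUND_MAPPING = json.loads('''[{"local": [{"user": {"id": "{0}"},
    "group": {"name": "shib-group-users", "domain": {"id": "12345abcd"}}}],
    "remote": [{"type": "mail"}]}]''')
# Constructed assertion attributes, as the SP would expose them to Keystone.
SAMPLE_ASSERTION = {"persistent-id": "usera", "mail": "usera@dom.tld"}

def _remote_value(remote_rule, assertion):
    """Value for one "remote" entry (multi-valued joined with ';'), or None
    if the attribute is absent or any_one_of / not_any_of rejects it."""
    values = assertion.get(remote_rule["type"])
    if values is None:
        return None
    values = [values] if isinstance(values, str) else list(values)
    if "any_one_of" in remote_rule and not set(values) & set(remote_rule["any_one_of"]):
        return None
    if "not_any_of" in remote_rule and set(values) & set(remote_rule["not_any_of"]):
        return None
    return ";".join(values)

def _substitute(obj, direct):
    """Replace "{n}" placeholders with the n-th remote value, recursively."""
    if isinstance(obj, str):
        return obj.format(*direct)
    if isinstance(obj, dict):
        return {k: _substitute(v, direct) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_substitute(v, direct) for v in obj]
    return obj

def apply_mapping(rules, assertion):
    """Merged user/groups from every matching rule; None if no rule matched."""
    merged, matched = {"user": {}, "groups": []}, False
    for rule in rules:
        direct = [_remote_value(r, assertion) for r in rule["remote"]]
        if any(v is None for v in direct):
            continue  # a remote condition failed, so this rule is skipped
        matched = True
        for local in rule["local"]:
            local = _substitute(local, direct)
            merged["user"].update(local.get("user", {}))
            if "group" in local:
                merged["groups"].append(local["group"])
    return merged if matched else None
```

With the question's mapping the evaluator returns `{"name": "usera", "email": "usera@dom.tld"}` for the user, so the mapping does carry the email; with the workaround it returns `{"id": "usera@dom.tld"}`, and an assertion lacking `persistent-id` matches no rule at all.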
