It is necessary to add new attributes to SAML assertions generated by a keystone IdP in order to uniquely identify users and projects.
When using keystone-to-keystone federation, a deployer can map a keystone Identity Provider into multiple domains in the keystone Service Provider. The keystone acting as Identity Provider may also have multiple domains as well. With this kind of m x n relationship between domains present in both Identity Provider and Service Provider it is critical for the mapping being used to have the power to correctly identify the different entities (users and projects) involved in the mapping process.
Currently, SAML assertions (and ECP wrapped SAML assertions) generated by a keystone Identity Provider contain three attributes: openstack_user, openstack_project and openstack_roles. The value of each attribute is the name of the entity that is represented. This leads to a problem when using mapping rules to uniquely identify users and projects, neither have unique names across domains - we might map different users and projects to the same entity in a keystone Service Provider, which may cause resources to be accessed by unauthorized users.
Since users and projects have unique names in their domains, adding two new attributes, openstack_user_domain and openstack_project_domain, to the SAML assertion generated by the keystone IdP solves this issue.
Represent openstack_user and openstack_project by their IDs, this have the issue of not being backwards compatible: mapping rules previously created would stop working.
None
None
None
None
Currently deployers already using keystone-to-keystone federation may want to update their mapping rules to include the new attributes.
None
Rodrigo Duarte Sousa <rodrigodsousa>
None
The new attributes should be documented.
None