Bug
Resolution: Done
Major
rhos-17.1.3, rhos-17.1.4
DFG Security: UC Sprint 100, DFG Security: UC Sprint 101, DFG Security: UC Sprint 102
Important
Description of problem:
mod_auth_openidc 2.4.x changed the way it handles headers and the remote_id_attribute. This breaks our current OIDC federation implementation: the claim now lacks the fields needed to map the federated user, because Apache strips header fields whose names contain underscores.
Version-Release number of selected component (if applicable):
17.1.3
How reproducible:
Always with our recommended federation configuration.
Steps to Reproduce:
1. Configure OSP to use OIDC federation
2. Attempt to login via the Horizon dashboard
3. Keystone returns a 403 because it cannot find the user_id field needed for mapping
Actual results:
Keystone returns a 403; enabling insecure_debug shows that the OIDC-preferred_username field is missing.
Expected results:
The user should be redirected to the Horizon dashboard after successfully authenticating.
Additional info:
The fix is to remove the "OIDCPassClaimsAs headers" directive from Keystone's httpd configuration and to set remote_id_attribute to OIDC-iss in the Keystone configuration file.
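As an added check (not part of this bug report, OSP, Keystone or mod_auth_openidc), the script below inspects a Keystone httpd vhost fragment and a keystone.conf fragment for the two settings named in the fix: an "OIDCPassClaimsAs headers" directive that is still present, and a remote_id_attribute that is not OIDC-iss. The sample configuration texts are constructed, and every hostname, secret and path in them is a placeholder. Reading remote_id_attribute from a [federation] section as a fallback to [openid] is an assumption about older Keystone layouts, not something the report states.

```python
"""Added check for the mod_auth_openidc 2.4.x claim/header mismatch described in
this bug. Not part of the bug report, OSP or Keystone. Sample configurations are
constructed; hostnames, secrets and paths are placeholders."""
import configparser
import re
from typing import List, Optional

# Constructed Keystone httpd vhost fragment BEFORE the fix: claims are passed to
# Keystone only as HTTP headers, and Apache drops header names with underscores.
HTTPD_BEFORE = """\
<Location /v3/OS-FEDERATION/identity_providers/myidp/protocols/openid/auth>
    AuthType openid-connect
    Require valid-user
</Location>
OIDCClaimPrefix "OIDC-"
OIDCResponseType "id_token"
OIDCScope "openid email profile"
OIDCProviderMetadataURL https://idp.example.test/realms/osp/.well-known/openid-configuration
OIDCClientID keystone
OIDCClientSecret PLACEHOLDER_CLIENT_SECRET
OIDCCryptoPassphrase PLACEHOLDER_PASSPHRASE
OIDCRedirectURI https://keystone.example.test/v3/OS-FEDERATION/identity_providers/myidp/protocols/openid/auth
OIDCPassClaimsAs headers
"""

# AFTER the fix: the OIDCPassClaimsAs line is removed from the vhost.
HTTPD_AFTER = "\n".join(
    line for line in HTTPD_BEFORE.splitlines()
    if not line.startswith("OIDCPassClaimsAs")
) + "\n"

# Constructed keystone.conf fragments before and after the fix.
KEYSTONE_BEFORE = """\
[openid]
remote_id_attribute = HTTP_OIDC_ISS
"""

KEYSTONE_AFTER = """\
[openid]
remote_id_attribute = OIDC-iss
"""


def pass_claims_as_values(httpd_conf: str) -> List[str]:
    """Return the lower-cased argument of every OIDCPassClaimsAs directive."""
    pattern = re.compile(r'^\s*OIDCPassClaimsAs\s+"?([A-Za-z]+)"?',
                         re.IGNORECASE | re.MULTILINE)
    return [m.group(1).lower() for m in pattern.finditer(httpd_conf)]


def remote_id_attribute(keystone_conf: str) -> Optional[str]:
    """Read remote_id_attribute from [openid], falling back to [federation]
    (the fallback section is an assumption for older Keystone layouts)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(keystone_conf)
    for section in ("openid", "federation"):
        value = cp.get(section, "remote_id_attribute", fallback=None)
        if value is not None:
            return value.strip()
    return None


def check_federation_config(httpd_conf: str, keystone_conf: str) -> List[str]:
    """Return one finding per setting that still matches the broken configuration."""
    findings = []
    if "headers" in pass_claims_as_values(httpd_conf):
        findings.append("httpd: remove 'OIDCPassClaimsAs headers' from the Keystone vhost")
    attr = remote_id_attribute(keystone_conf)
    if attr != "OIDC-iss":
        findings.append(f"keystone.conf: remote_id_attribute is {attr!r}, expected 'OIDC-iss'")
    return findings


if __name__ == "__main__":
    for label, httpd, keystone in (("before", HTTPD_BEFORE, KEYSTONE_BEFORE),
                                   ("after", HTTPD_AFTER, KEYSTONE_AFTER)):
        print(label, check_federation_config(httpd, keystone) or ["OK"])
```

Run it as-is to see the "before" pair produce two findings and the "after" pair produce none; to check a real deployment, read the vhost file and keystone.conf into the two string arguments instead of the constructed samples.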