authorlin-hua-cheng <os.lcheng@gmail.com>2015-04-08 17:03:23 -0700
committerDoug Hellmann <doug@doughellmann.com>2015-04-15 19:52:25 +0000
commitf1cd53aa5461e28120c97378ab749571c41a5bc1 (patch)
tree015358886ae437dd487b50d31bfdac2618acaf14
parente7f369191bb09c349c3c4b327b5558fbd1c3e77a (diff)
downloadkeystone-f1cd53aa5461e28120c97378ab749571c41a5bc1.tar.gz
WebSSO should use remote_id_attribute by protocol
WebSSO always uses the remote_id_attribute from the [federation] group, ignoring any protocol-specific setting. Fix the issue by consuming the protocol-specific remote_id_attribute when one is configured, falling back to the [federation] value otherwise. Change-Id: Icdc693965ec53e5ff8f1901af26c9232a20aef7e Closes-Bug: #1441827 (cherry picked from commit 9b11d13856034e3a2cf6ab1f6ca80a6965818d17)
-rw-r--r--keystone/contrib/federation/controllers.py2
-rw-r--r--keystone/contrib/federation/utils.py16
-rw-r--r--keystone/tests/unit/test_v3_federation.py13
3 files changed, 25 insertions, 6 deletions
diff --git a/keystone/contrib/federation/controllers.py b/keystone/contrib/federation/controllers.py
index 7ffaad547..cdbba4162 100644
--- a/keystone/contrib/federation/controllers.py
+++ b/keystone/contrib/federation/controllers.py
@@ -268,7 +268,7 @@ class Auth(auth_controllers.Auth):
def federated_sso_auth(self, context, protocol_id):
try:
- remote_id_name = CONF.federation.remote_id_attribute
+ remote_id_name = utils.get_remote_id_parameter(protocol_id)
remote_id = context['environment'][remote_id_name]
except KeyError:
msg = _('Missing entity ID from environment')
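Review bot: `utils.get_remote_id_parameter(protocol_id)` is now evaluated with the protocol ID taken straight from the request path, before anything in this hunk checks that such a protocol is registered; the helper's own NOTE in utils.py says an unknown protocol group is registered in the config on the fly, so if that is what it does, every unseen `protocol_id` presumably leaves a new config group behind on an endpoint that is reachable before authentication — worth confirming, and if so the protocol should be resolved against the registered ones before this lookup rather than registering on demand. The helper may also return None when neither attribute is configured (its fallback is the bare `CONF.federation.remote_id_attribute`), which here becomes `context['environment'][None]` and is reported as 'Missing entity ID from environment'; a comment such as `# None (nothing configured) is deliberately caught by the KeyError below` would make that intent explicit. The rest of federated_sso_auth, including where this message is raised, lies outside the hunk.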
diff --git a/keystone/contrib/federation/utils.py b/keystone/contrib/federation/utils.py
index afc4d42e8..6fca2143d 100644
--- a/keystone/contrib/federation/utils.py
+++ b/keystone/contrib/federation/utils.py
@@ -191,10 +191,7 @@ def validate_groups_cardinality(group_ids, mapping_id):
raise exception.MissingGroups(mapping_id=mapping_id)
-def validate_idp(idp, protocol, assertion):
- """Validate the IdP providing the assertion is registered for the mapping.
- """
-
+def get_remote_id_parameter(protocol):
# NOTE(marco-fargetta): Since we support any protocol ID, we attempt to
# retrieve the remote_id_attribute of the protocol ID. If it's not
# registered in the config, then register the option and try again.
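Review bot: `get_remote_id_parameter` becomes a module-level function called from another module (the WebSSO controller) but carries no docstring; only the former inline NOTE explains it, and that describes the config registration side effect rather than the contract. I would add `"""Return the environment attribute name that carries the remote ID for ``protocol``, taken from ``[<protocol>] remote_id_attribute`` and falling back to ``[federation] remote_id_attribute``; may be None when neither is set."""` directly under the `def`, and keep the NOTE below it. The function's body continues past the end of this hunk.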
@@ -210,10 +207,19 @@ def validate_idp(idp, protocol, assertion):
except AttributeError:
pass
if not remote_id_parameter:
- LOG.debug('Cannot find "remote_id_attibute" in configuration '
+ LOG.debug('Cannot find "remote_id_attribute" in configuration '
'group %s. Trying default location in '
'group federation.', protocol)
remote_id_parameter = CONF.federation.remote_id_attribute
+
+ return remote_id_parameter
+
+
+def validate_idp(idp, protocol, assertion):
+ """Validate the IdP providing the assertion is registered for the mapping.
+ """
+
+ remote_id_parameter = get_remote_id_parameter(protocol)
if not remote_id_parameter or not idp['remote_ids']:
LOG.debug('Impossible to identify the IdP %s ', idp['id'])
# If nothing is defined, the administrator may want to
diff --git a/keystone/tests/unit/test_v3_federation.py b/keystone/tests/unit/test_v3_federation.py
index 2207f3500..c1a4a677a 100644
--- a/keystone/tests/unit/test_v3_federation.py
+++ b/keystone/tests/unit/test_v3_federation.py
@@ -3678,6 +3678,7 @@ class WebSSOTests(FederatedTokenTests):
SSO_TEMPLATE_PATH = os.path.join(core.dirs.etc(), SSO_TEMPLATE_NAME)
TRUSTED_DASHBOARD = 'http://horizon.com'
ORIGIN = urllib.parse.quote_plus(TRUSTED_DASHBOARD)
+ PROTOCOL_REMOTE_ID_ATTR = uuid.uuid4().hex
def setUp(self):
super(WebSSOTests, self).setUp()
@@ -3705,6 +3706,18 @@ class WebSSOTests(FederatedTokenTests):
resp = self.api.federated_sso_auth(context, self.PROTOCOL)
self.assertIn(self.TRUSTED_DASHBOARD, resp.body)
+ def test_federated_sso_auth_with_protocol_specific_remote_id(self):
+ self.config_fixture.config(
+ group=self.PROTOCOL,
+ remote_id_attribute=self.PROTOCOL_REMOTE_ID_ATTR)
+
+ environment = {self.PROTOCOL_REMOTE_ID_ATTR: self.REMOTE_IDS[0]}
+ context = {'environment': environment}
+ query_string = {'origin': self.ORIGIN}
+ self._inject_assertion(context, 'EMPLOYEE_ASSERTION', query_string)
+ resp = self.api.federated_sso_auth(context, self.PROTOCOL)
+ self.assertIn(self.TRUSTED_DASHBOARD, resp.body)
+
def test_federated_sso_auth_bad_remote_id(self):
environment = {self.REMOTE_ID_ATTR: self.IDP}
context = {'environment': environment}
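Review bot: The new test only covers the success path and so shows that the protocol-specific attribute is honoured, not that it replaces the `[federation]` one: with both values configured and an environment carrying only the default `REMOTE_ID_ATTR`, the request must be rejected, and nothing here checks that. A companion negative test in the shape of `test_federated_sso_auth_bad_remote_id` would pin the precedence; that test's assertion lies past the end of the hunk, so the exception type below should be aligned with whatever it asserts. `PROTOCOL_REMOTE_ID_ATTR = uuid.uuid4().hex` is fine functionally, though a fixed readable name would make failures easier to read.
```python
    def test_federated_sso_auth_protocol_remote_id_overrides_default(self):
        self.config_fixture.config(
            group=self.PROTOCOL,
            remote_id_attribute=self.PROTOCOL_REMOTE_ID_ATTR)

        # Only the [federation]-level attribute is present; the protocol-
        # specific one is configured, so the remote ID must not be found.
        environment = {self.REMOTE_ID_ATTR: self.REMOTE_IDS[0]}
        context = {'environment': environment}
        query_string = {'origin': self.ORIGIN}
        self._inject_assertion(context, 'EMPLOYEE_ASSERTION', query_string)
        self.assertRaises(exception.Unauthorized,
                          self.api.federated_sso_auth,
                          context, self.PROTOCOL)
```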