[openstack-dev] Need help in configuring keystone

Marco Fargetta Marco.Fargetta at ct.infn.it
Fri Feb 27 14:12:39 UTC 2015


Hi Akshik,

The metadata error is in your SP; if the error were on testshib, you
would not be redirected back after the login. Maybe there is a configuration
problem with Shibboleth. Try to restart the service and look at the Shibboleth logs.
Check also that the metadata of testshib are downloaded correctly, because from the error
it seems you do not have the metadata of testshib.

Cheers,
Marco

On Fri, Feb 27, 2015 at 06:39:30PM +0530, Akshik DBK wrote:
> Hi Marek,
> I've registered with testshib. This is the entry I get in my keystone-apache-error.log: [error] [client 121.243.33.212] No MetadataProvider available., referer: https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO
> From: akshik at outlook.com
> To: openstack-dev at lists.openstack.org
> Date: Fri, 27 Feb 2015 15:56:57 +0530
> Subject: [openstack-dev] Need help in configuring keystone
> 
> 
> 
> 
> Hi, I'm new to SAML and trying to integrate keystone with SAML. I'm using Ubuntu 12.04 with Icehouse and following http://docs.openstack.org/developer/k... When I try to configure keystone with two IdPs and access https://MYSERVER:5000/v3/OS-FEDERATIO... it gets redirected to testshib.org; it prompts for username and password and, when the same is given, I'm getting:
> 
> shibsp::ConfigurationException at ( https://MYSERVER:5000/Shibboleth.sso/... ) No MetadataProvider available.
> 
> Here is my shibboleth2.xml content:
> 
> <SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
>     xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
>     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
>     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
>     clockSkew="180">
> 
>     <ApplicationDefaults entityID="https://MYSERVER:5000/Shibboleth">
>         <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="false">
>             <SSO entityID="https://idp.testshib.org/idp/shibboleth" ECP="true">
>                 SAML2 SAML1
>             </SSO>
> 
>             <Logout>SAML2 Local</Logout>
> 
>             <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
>             <Handler type="Status" Location="/Status" />
>             <Handler type="Session" Location="/Session" showAttributeValues="false"/>
>             <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
>         </Sessions>
> 
>         <Errors supportContact="root at localhost"
>             logoLocation="/shibboleth-sp/logo.jpg"
>             styleSheet="/shibboleth-sp/main.css"/>
> 
>         <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
>         <AttributeResolver type="Query" subjectMatch="true"/>
>         <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
>         <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
> 
>         <ApplicationOverride id="idp_1" entityID="https://MYSERVER:5000/Shibboleth">
> 
>             <Sessions lifetime="28800" timeout="3600" checkAddress="false"
>             relayState="ss:mem" handlerSSL="false">
>                 <SSO entityID="https://portal4.mss.internalidp.com/idp/shibboleth" ECP="true">
>                     SAML2 SAML1
>                 </SSO>
>                 <Logout>SAML2 Local</Logout>
>             </Sessions>
> 
>             <MetadataProvider type="XML" uri="https://portal4.mss.internalidp.com/idp/shibboleth"
>              backingFilePath="/tmp/tata.xml" reloadInterval="180000" />
>         </ApplicationOverride>
> 
>         <ApplicationOverride id="idp_2" entityID="https://MYSERVER:5000/Shibboleth">
>             <Sessions lifetime="28800" timeout="3600" checkAddress="false"
>             relayState="ss:mem" handlerSSL="false">
>                 <SSO entityID="https://idp.testshib.org/idp/shibboleth" ECP="true">
>                     SAML2 SAML1
>                 </SSO>
> 
>                 <Logout>SAML2 Local</Logout>
>             </Sessions>
> 
>             <MetadataProvider type="XML" uri="https://idp.testshib.org/idp/shibboleth"  
>             backingFilePath="/tmp/testshib.xml" reloadInterval="180000"/>
>         </ApplicationOverride>
>     </ApplicationDefaults>
> 
>     <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
>     <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
> </SPConfig>
> 
> Here is my wsgi-keystone:
> 
> WSGIScriptAlias /keystone/main  /var/www/cgi-bin/keystone/main
> WSGIScriptAlias /keystone/admin  /var/www/cgi-bin/keystone/admin
> 
> <Location "/keystone">
> # NSSRequireSSL
> SSLRequireSSL
> Authtype none
> </Location>
> 
> <Location /Shibboleth.sso>
>     SetHandler shib
> </Location>
> 
> <Location /v3/OS-FEDERATION/identity_providers/idp_1/protocols/saml2/auth>
>     ShibRequestSetting requireSession 1
>     ShibRequestSetting applicationId idp_1
>     AuthType shibboleth
>     ShibRequireAll On
>     ShibRequireSession On
>     ShibExportAssertion Off
>     Require valid-user
> </Location>
> 
> <Location /v3/OS-FEDERATION/identity_providers/idp_2/protocols/saml2/auth>
>     ShibRequestSetting requireSession 1
>     ShibRequestSetting applicationId idp_2
>     AuthType shibboleth
>     ShibRequireAll On
>     ShibRequireSession On
>     ShibExportAssertion Off
>     Require valid-user
> </Location>
> 
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

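As an added example (not code from the thread or from the Shibboleth project), the following Python check parses a shibboleth2.xml and reports, for the default application and every ApplicationOverride, whether a MetadataProvider is in scope and which IdP its SSO element targets; it assumes an override inherits MetadataProvider elements from ApplicationDefaults but not from sibling overrides. The embedded sample is a trimmed, constructed copy of the configuration posted above, and the warning about backingFilePath under /tmp is the editor's own caveat.

```python
import xml.etree.ElementTree as ET

NS = {"c": "urn:mace:shibboleth:2.0:native:sp:config"}

# Constructed sample, trimmed from the shibboleth2.xml posted in the thread.
SAMPLE = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://MYSERVER:5000/Shibboleth">
    <Sessions><SSO entityID="https://idp.testshib.org/idp/shibboleth">SAML2</SSO></Sessions>
    <ApplicationOverride id="idp_1" entityID="https://MYSERVER:5000/Shibboleth">
      <Sessions><SSO entityID="https://portal4.mss.internalidp.com/idp/shibboleth">SAML2</SSO></Sessions>
      <MetadataProvider type="XML" uri="https://portal4.mss.internalidp.com/idp/shibboleth"
                        backingFilePath="/tmp/tata.xml"/>
    </ApplicationOverride>
    <ApplicationOverride id="idp_2" entityID="https://MYSERVER:5000/Shibboleth">
      <Sessions><SSO entityID="https://idp.testshib.org/idp/shibboleth">SAML2</SSO></Sessions>
      <MetadataProvider type="XML" uri="https://idp.testshib.org/idp/shibboleth"
                        backingFilePath="/tmp/testshib.xml"/>
    </ApplicationOverride>
  </ApplicationDefaults>
</SPConfig>"""


def check_metadata(xml_text):
    """Return a list of (application_id, finding) tuples for the SP config."""
    root = ET.fromstring(xml_text)
    defaults = root.find("c:ApplicationDefaults", NS)
    apps = [("default", defaults)]
    apps += [(o.get("id"), o) for o in defaults.findall("c:ApplicationOverride", NS)]
    inherited = defaults.findall("c:MetadataProvider", NS)
    findings = []
    for app_id, app in apps:
        own = app.findall("c:MetadataProvider", NS)
        sso = app.find("c:Sessions/c:SSO", NS)
        idp = sso.get("entityID") if sso is not None else "(no SSO element)"
        # No provider of its own and nothing to inherit: any response from the
        # IdP will fail with "No MetadataProvider available" for this application.
        if not own and (app is defaults or not inherited):
            findings.append((app_id, f"no MetadataProvider, yet SSO targets {idp}"))
        for p in own:
            path = p.get("backingFilePath", "")
            # A cached copy in a world-writable directory can be replaced by any
            # local user; the SP falls back to it when the remote fetch fails.
            if path.startswith("/tmp/"):
                findings.append((app_id, f"backingFilePath {path} is in a world-writable directory"))
    return findings


if __name__ == "__main__":
    for app_id, msg in check_metadata(SAMPLE):
        print(f"[{app_id}] {msg}")
```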




