[openstack-dev] Need help in configuring keystone

Akshik DBK akshik at outlook.com
Sat Feb 28 16:05:23 UTC 2015 



Hi Marco, did you get a chance to look at the logs,
Regards,Akshik

From: akshik at outlook.com
To: openstack-dev at lists.openstack.org
Date: Fri, 27 Feb 2015 22:50:47 +0530
Subject: Re: [openstack-dev] Need help in configuring keystone




Hi Marco,
Thanks for responding, Ive cleared the log file and have restarted the shibd service.
the metadata file got created, i've attached the log file and metadata file as well.
Regards,Akshik

Date: Fri, 27 Feb 2015 15:12:39 +0100
From: Marco.Fargetta at ct.infn.it
To: openstack-dev at lists.openstack.org
Subject: Re: [openstack-dev] Need help in configuring keystone

Hi Akshik,
 
the metadata error is in your SP, if the error was on testshib you
should not be redirected back after the login. Maybe there is a configuration
problem with shibboleth. Try to restart the service and look at shibboleth logs.
Check also the metadata of testshib are downloaded correctly because from the error
it seems you have not the metadata of testshib.
 
Cheers,
Marco
 
On Fri, Feb 27, 2015 at 06:39:30PM +0530, Akshik DBK wrote:
> Hi Marek ,
> I've registered with testshib, this is my keystone-apache-error.log log i get [error] [client 121.243.33.212] No MetadataProvider available., referer: https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO
> From: akshik at outlook.com
> To: openstack-dev at lists.openstack.org
> Date: Fri, 27 Feb 2015 15:56:57 +0530
> Subject: [openstack-dev] Need help in configuring keystone
> 
> 
> 
> 
> Hi I'm new to SAML, trying to integrate keystone with SAML, Im using Ubuntu 12.04 with Icehouse,im following http://docs.openstack.org/developer/k...when im trying to configure keystone with two idp,when i access https://MYSERVER:5000/v3/OS-FEDERATIO...it gets redirected to testshib.org , it prompts for username and password when the same is given im gettingshibsp::ConfigurationException at ( https://MYSERVER:5000/Shibboleth.sso/... ) No MetadataProvider available.here is my shibboleth2.xml content<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
>     xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
>     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
>     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
>     clockSkew="180">
> 
>     <ApplicationDefaults entityID="https://MYSERVER:5000/Shibboleth">
>         <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="false">
>             <SSO entityID="https://idp.testshib.org/idp/shibboleth" ECP="true">
>                 SAML2 SAML1
>             </SSO>
> 
>             <Logout>SAML2 Local</Logout>
> 
>             <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
>             <Handler type="Status" Location="/Status" />
>             <Handler type="Session" Location="/Session" showAttributeValues="false"/>
>             <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
>         </Sessions>
> 
>         <Errors supportContact="root at localhost"
>             logoLocation="/shibboleth-sp/logo.jpg"
>             styleSheet="/shibboleth-sp/main.css"/>
> 
>         <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
>         <AttributeResolver type="Query" subjectMatch="true"/>
>         <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
>         <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
> 
>         <ApplicationOverride id="idp_1" entityID="https://MYSERVER:5000/Shibboleth">
> 
>             <Sessions lifetime="28800" timeout="3600" checkAddress="false"
>             relayState="ss:mem" handlerSSL="false">
>                 <SSO entityID="https://portal4.mss.internalidp.com/idp/shibboleth" ECP="true">
>                     SAML2 SAML1
>                 </SSO>
>                 <Logout>SAML2 Local</Logout>
>             </Sessions>
> 
>             <MetadataProvider type="XML" uri="https://portal4.mss.internalidp.com/idp/shibboleth"
>              backingFilePath="/tmp/tata.xml" reloadInterval="180000" />
>         </ApplicationOverride>
> 
>         <ApplicationOverride id="idp_2" entityID="https://MYSERVER:5000/Shibboleth">
>             <Sessions lifetime="28800" timeout="3600" checkAddress="false"
>             relayState="ss:mem" handlerSSL="false">
>                 <SSO entityID="https://idp.testshib.org/idp/shibboleth" ECP="true">
>                     SAML2 SAML1
>                 </SSO>
> 
>                 <Logout>SAML2 Local</Logout>
>             </Sessions>
> 
>             <MetadataProvider type="XML" uri="https://idp.testshib.org/idp/shibboleth"  
>             backingFilePath="/tmp/testshib.xml" reloadInterval="180000"/>
>         </ApplicationOverride>
>     </ApplicationDefaults>
> 
>     <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
>     <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
> </SPConfig>here is my wsgi-keystoneWSGIScriptAlias /keystone/main  /var/www/cgi-bin/keystone/main
> WSGIScriptAlias /keystone/admin  /var/www/cgi-bin/keystone/admin
> 
> <Location "/keystone">
> # NSSRequireSSL
> SSLRequireSSL
> Authtype none
> </Location>
> 
> <Location /Shibboleth.sso>
>     SetHandler shib
> </Location>
> 
> <Location /v3/OS-FEDERATION/identity_providers/idp_1/protocols/saml2/auth>
>     ShibRequestSetting requireSession 1
>     ShibRequestSetting applicationId idp_1
>     AuthType shibboleth
>     ShibRequireAll On
>     ShibRequireSession On
>     ShibExportAssertion Off
>     Require valid-user
> </Location>
> 
> <Location /v3/OS-FEDERATION/identity_providers/idp_2/protocols/saml2/auth>
>     ShibRequestSetting requireSession 1
>     ShibRequestSetting applicationId idp_2
>     AuthType shibboleth
>     ShibRequireAll On
>     ShibRequireSession On
>     ShibExportAssertion Off
>     Require valid-user
> </Location> 		 	   		  
> 
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev 		 	   		  
 
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
 
 
 

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev 		 	   		  

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150228/37d3929d/attachment.html>

More information about the OpenStack-dev mailing list