[openstack-dev] Need help in configuring keystone

Steve Martinelli stevemar at ca.ibm.com
Wed Mar 4 08:04:52 UTC 2015


What do the keystone logs indicate?

Steve

Akshik DBK <akshik at outlook.com> wrote on 03/04/2015 02:18:47 AM:

> From: Akshik DBK <akshik at outlook.com>
> To: OpenStack Development Mailing List not for usage questions 
> <openstack-dev at lists.openstack.org>
> Date: 03/04/2015 02:25 AM
> Subject: Re: [openstack-dev] Need help in configuring keystone
> 
> Hi Marek,
> 
> I tried with the auto-generated shibboleth2.xml and just added the
> application override attribute; now I'm stuck with a looping issue.
> 
> When I access v3/OS-FEDERATION/identity_providers/idp_2/protocols/saml2/auth
> for the first time it prompts for username and password; once provided,
> it goes into a loop.
> 
> I could see a session generated at https://115.112.68.53:5000/Shibboleth.sso/Session:
> 
> Miscellaneous
> Client Address: 121.243.33.212
> Identity Provider: https://idp.testshib.org/idp/shibboleth
> SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
> Authentication Time: 2015-03-04T06:44:41.625Z
> Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
> Authentication Context Decl: (none)
> Session Expiration (barring inactivity): 479 minute(s)
> 
> Attributes
> affiliation: Member@testshib.org;Staff@testshib.org
> entitlement: urn:mace:dir:entitlement:common-lib-terms
> eppn: myself@testshib.org
> persistent-id: https://idp.testshib.org/idp/shibboleth!https://115.112.68.53/shibboleth!4Q6X4dS2MRhgTZOPTuL9ubMAcIM=
> unscoped-affiliation: Member;Staff
> 
> Here are my config files:
> <SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
>           xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" clockSkew="1800">
>     <ApplicationDefaults entityID="https://115.112.68.53/shibboleth" REMOTE_USER="eppn">
>         <Sessions lifetime="28800" timeout="3600" checkAddress="false"
>                   relayState="ss:mem" handlerSSL="true" cookieProps="; path=/; secure">
> 
>             <SSO entityID="https://idp.testshib.org/idp/shibboleth">
>                 SAML2 SAML1
>             </SSO>
> 
>             <Logout>SAML2 Local</Logout>
> 
>             <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
>             <Handler type="Status" Location="/Status"/>
>             <Handler type="Session" Location="/Session" showAttributeValues="true"/>
>             <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
>         </Sessions>
> 
>         <Errors supportContact="root@localhost" logoLocation="/shibboleth-sp/logo.jpg"
>                 styleSheet="/shibboleth-sp/main.css"/>
>         <MetadataProvider type="XML" uri="https://www.testshib.org/metadata/testshib-providers.xml"
>                           backingFilePath="/tmp/testshib-two-idp-metadata.xml"
>                           reloadInterval="180000" />
>         <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
>         <AttributeResolver type="Query" subjectMatch="true"/>
>         <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
>         <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
>         <ApplicationOverride id="idp_2" entityID="https://115.112.68.53/shibboleth">
>             <!--Sessions lifetime="28800" timeout="3600" checkAddress="false"
>                 relayState="ss:mem" handlerSSL="false"-->
>             <Sessions lifetime="28800" timeout="3600" checkAddress="false"
>                       relayState="ss:mem" handlerSSL="true" cookieProps="; path=/; secure">
> 
>                 <!-- Triggers a login request directly to the TestShib IdP. -->
>                 <SSO entityID="https://idp.testshib.org/idp/shibboleth" ECP="true">
>                     SAML2 SAML1
>                 </SSO>
>                 <Logout>SAML2 Local</Logout>
>             </Sessions>
>             <MetadataProvider type="XML" uri="https://www.testshib.org/metadata/testshib-providers.xml"
>                               backingFilePath="/tmp/testshib-two-idp-metadata.xml"
>                               reloadInterval="180000" />
>         </ApplicationOverride>
>     </ApplicationDefaults>
>     <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
>     <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
> </SPConfig>
> 
> keystone-httpd
> WSGIDaemonProcess keystone user=keystone group=nogroup processes=3 threads=10
> #WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/keystone/main/$1
> WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/cgi-bin/keystone/main/$1
> 
> <VirtualHost *:5000>
>     LogLevel  info
>     ErrorLog  /var/log/keystone/keystone-apache-error.log
>     CustomLog /var/log/keystone/ssl_access.log combined
>     Options +FollowSymLinks
> 
>         SSLEngine on
>         #SSLCertificateFile /etc/ssl/certs/mycert.pem
>         #SSLCertificateKeyFile /etc/ssl/private/mycert.key
>         SSLCertificateFile    /etc/apache2/ssl/server.crt
>         SSLCertificateKeyFile /etc/apache2/ssl/server.key
>         SSLVerifyClient optional
>         SSLVerifyDepth 10
>         SSLProtocol all -SSLv2
>         SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
>         SSLOptions +StdEnvVars +ExportCertData
> 
>     WSGIScriptAlias /  /var/www/cgi-bin/keystone/main
>     WSGIProcessGroup keystone
> </VirtualHost>
> 
> <VirtualHost *:35357>
>     LogLevel  info
>     ErrorLog  /var/log/keystone/keystone-apache-error.log
>     CustomLog /var/log/keystone/ssl_access.log combined
>     Options +FollowSymLinks
> 
>         SSLEngine on
>         #SSLCertificateFile /etc/ssl/certs/mycert.pem
>         #SSLCertificateKeyFile /etc/ssl/private/mycert.key
>         SSLCertificateFile    /etc/apache2/ssl/server.crt
>         SSLCertificateKeyFile /etc/apache2/ssl/server.key
>         SSLVerifyClient optional
>         SSLVerifyDepth 10
>         SSLProtocol all -SSLv2
>         SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
>         SSLOptions +StdEnvVars +ExportCertData
> 
>     WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
>     WSGIProcessGroup keystone
> </VirtualHost>
> 
> wsgi-keystone
> WSGIScriptAlias /keystone/main  /var/www/cgi-bin/keystone/main
> WSGIScriptAlias /keystone/admin  /var/www/cgi-bin/keystone/admin
> 
> <Location "/keystone">
> # NSSRequireSSL
> SSLRequireSSL
> Authtype none
> </Location>
> 
> <Location /Shibboleth.sso>
> #    SetHandler shib
>     Require all granted
> </Location>
> 
> <Location /v3/OS-FEDERATION/identity_providers/idp_1/protocols/saml2/auth>
>     ShibRequestSetting requireSession 1
>     ShibRequestSetting applicationId idp_1
>     AuthType shibboleth
>     ShibRequireAll On
>     ShibRequireSession On
>     ShibExportAssertion Off
>     Require valid-user
> </Location>
> 
> <Location /v3/OS-FEDERATION/identity_providers/idp_2/protocols/saml2/auth>
>     ShibRequestSetting requireSession 1
>     ShibRequestSetting applicationId idp_2
>     AuthType shibboleth
>     ShibRequireAll On
>     ShibRequireSession On
>     ShibExportAssertion Off
>     Require valid-user
> </Location>
> 
> Regards,
> Akshik
> 
> > Date: Mon, 2 Mar 2015 12:03:18 +0100
> > From: marek.denis at cern.ch
> > To: openstack-dev at lists.openstack.org
> > Subject: Re: [openstack-dev] Need help in configuring keystone
> > 
> > Akshik,
> > 
> > When you are beginning an adventure with saml, shibboleth and so on,
> > it's helpful to start with fetching the auto-generated shibboleth2.xml file
> > from testshib.org. This should cover most of your use-cases, at least
> > in the testing environment.
> > 
> > Marek
> > 
> > 
> > 
> > 
> > __________________________________________________________________________
> > OpenStack Development Mailing List (not for usage questions)
> > Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> 
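The posted files tie the two halves of the federation setup together in one place: each protected Keystone <Location> names an applicationId with ShibRequestSetting, and the SP side has to carry an <ApplicationOverride> with that id, with Sessions settings that the browser will actually honour. The script below is an added editorial example, not code from this thread, from Keystone or from the Shibboleth project. Its configuration is constructed: it is modelled on the posted files but uses sp.example.test and idp.example.test as hostnames, and it deliberately carries three things worth catching before reading the keystone logs Steve asks for: a handlerSSL attribute typed twice on one <Sessions> element (which makes the XML unparseable), a Location whose applicationId (idp_1) has no matching override, an override whose session cookie is marked secure while handlerSSL is false (a constructed variant, not Akshik's actual setting), and the posted TLS lines (SSLProtocol all -SSLv2 and a cipher string admitting RC4 and LOW). Nothing in the thread establishes which of these, if any, causes the reported loop; these are simply the checks an operator would run on the two files as posted.

```python
# Added editorial example (not code from the thread, Keystone or Shibboleth):
# cross-check a Shibboleth SP shibboleth2.xml against the Apache <Location>
# blocks that protect Keystone's /v3/OS-FEDERATION/.../auth endpoints.
import re
import xml.etree.ElementTree as ET

NS = {"sp": "urn:mace:shibboleth:2.0:native:sp:config"}

# CONSTRUCTED shibboleth2.xml modelled on the posted one (example hostnames).
# Only idp_2 has an override, and that override sets handlerSSL="false" while
# still marking the session cookie "secure".
SP_XML = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" clockSkew="1800">
  <ApplicationDefaults entityID="https://sp.example.test/shibboleth" REMOTE_USER="eppn">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              relayState="ss:mem" handlerSSL="true" cookieProps="; path=/; secure">
    </Sessions>
    <ApplicationOverride id="idp_2" entityID="https://sp.example.test/shibboleth">
      <Sessions lifetime="28800" timeout="3600" checkAddress="false"
                relayState="ss:mem" handlerSSL="false" cookieProps="; path=/; secure">
      </Sessions>
    </ApplicationOverride>
  </ApplicationDefaults>
</SPConfig>
"""
# The same file with handlerSSL typed twice on one element, as in the posted config.
SP_XML_DUPLICATE_ATTR = SP_XML.replace('handlerSSL="true"', 'handlerSSL="true" handlerSSL="true"', 1)

# CONSTRUCTED Apache fragment: the posted TLS settings plus the two protected Locations.
APACHE_CONF = """<VirtualHost *:5000>
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
</VirtualHost>
<Location /v3/OS-FEDERATION/identity_providers/idp_1/protocols/saml2/auth>
    ShibRequestSetting requireSession 1
    ShibRequestSetting applicationId idp_1
    AuthType shibboleth
    Require valid-user
</Location>
<Location /v3/OS-FEDERATION/identity_providers/idp_2/protocols/saml2/auth>
    ShibRequestSetting requireSession 1
    ShibRequestSetting applicationId idp_2
    AuthType shibboleth
    Require valid-user
</Location>
"""

def parse_sp_config(xml_text):
    """(root, None) on success, (None, error) otherwise. A duplicated attribute is a
    well-formedness error, so any conformant parser (the SP's included) rejects the file."""
    try:
        return ET.fromstring(xml_text), None
    except ET.ParseError as exc:
        return None, str(exc)

def override_ids(root):
    """ids of every <ApplicationOverride>, wherever it sits under ApplicationDefaults."""
    return {o.get("id") for o in root.iterfind(".//sp:ApplicationOverride", NS)}

def apache_application_ids(conf_text):
    """Map each <Location> path to the applicationId it sets with ShibRequestSetting."""
    out = {}
    for m in re.finditer(r'<Location\s+"?([^\s">]+)"?\s*>(.*?)</Location>', conf_text, re.S):
        app = re.search(r"ShibRequestSetting\s+applicationId\s+(\S+)", m.group(2))
        if app:
            out[m.group(1)] = app.group(1)
    return out

def federation_findings(xml_text, apache_text):
    """Mismatches that surface as a redirect loop, or as a request quietly served by the
    default application instead of the override the Location asked for."""
    root, err = parse_sp_config(xml_text)
    if root is None:
        return [f"shibboleth2.xml is not well-formed: {err}"]
    findings = []
    ids = override_ids(root)
    for path, app in apache_application_ids(apache_text).items():
        if app not in ids:
            findings.append(f"{path}: applicationId '{app}' has no <ApplicationOverride id=\"{app}\">")
    for sess in root.iterfind(".//sp:Sessions", NS):
        if "secure" in sess.get("cookieProps", "") and sess.get("handlerSSL", "true") == "false":
            findings.append("Sessions: cookie is 'secure' but handlerSSL=false; browsers never send a "
                            "secure cookie to an http:// handler, so an http session loops back to the IdP")
    return findings

def tls_findings(apache_text):
    """Weak TLS settings in the vhost: SSLv3 left enabled, RC4 or LOW-grade ciphers admitted."""
    out = []
    for m in re.finditer(r"^\s*SSLProtocol\s+(.+?)\s*$", apache_text, re.M):
        toks = m.group(1).split()
        if "all" in toks and "-SSLv3" not in toks:
            out.append("SSLProtocol 'all -SSLv2' still offers SSLv3")
    for m in re.finditer(r"^\s*SSLCipherSuite\s+(\S+)", apache_text, re.M):
        for weak in ("RC4", "LOW"):
            if weak in m.group(1) and "!" + weak not in m.group(1):
                out.append(f"SSLCipherSuite admits {weak}: {m.group(1)}")
    return out

if __name__ == "__main__":
    print("duplicate attribute ->", parse_sp_config(SP_XML_DUPLICATE_ATTR)[1])
    for f in federation_findings(SP_XML, APACHE_CONF) + tls_findings(APACHE_CONF):
        print("-", f)
```

Run against real files, the only change needed is reading shibboleth2.xml and the Apache fragment from disk instead of the constructed strings. The XML check comes first on purpose: if the SP cannot load its configuration, every later finding is moot, and a doubled attribute is exactly the kind of copy-and-paste slip that survives a quick visual read.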