<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>Hi Steve,<div><br></div><div>here are the log details<br><div><br></div><div><div>==> /var/log/shibboleth/shibd.log <==</div><div>2015-03-04 14:36:05 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:0.9.2342.19200300.100.1.1</div><div>2015-03-04 14:36:05 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.5.4.4</div><div>2015-03-04 14:36:05 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.5.4.3</div><div>2015-03-04 14:36:05 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.5.4.20</div><div>2015-03-04 14:36:05 INFO Shibboleth.SessionCache [2]: new session created: ID (_ee18a916d4e7e7adbc34f55c010695a4) IdP (https://idp.testshib.org/idp/shibboleth) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (121.243.33.212)</div><div><br></div><div>==> /var/log/keystone/keystone-apache-error.log <==</div><div>[Wed Mar 04 14:36:05 2015] [info] Subsequent (No.8) HTTPS request received for child 7 (server 10.1.193.250:5000)</div><div>[Wed Mar 04 14:36:09 2015] [info] Subsequent (No.9) HTTPS request received for child 7 (server 10.1.193.250:5000)</div><div><br></div><div>==> /var/log/shibboleth/shibd.log <==</div><div>2015-03-04 14:36:09 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:0.9.2342.19200300.100.1.1</div><div>2015-03-04 14:36:09 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.5.4.4</div><div>2015-03-04 14:36:09 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.5.4.3</div><div>2015-03-04 14:36:09 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.5.4.20</div><div>2015-03-04 14:36:09 INFO Shibboleth.SessionCache [2]: new 
session created: ID (_10d6c414a9f198b6601b5d4f36a9057a) IdP (https://idp.testshib.org/idp/shibboleth) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (121.243.33.212)</div><div><br></div><div>==> /var/log/keystone/keystone-apache-error.log <==</div><div>[Wed Mar 04 14:36:09 2015] [info] Subsequent (No.10) HTTPS request received for child 7 (server 10.1.193.250:5000)</div><div>[Wed Mar 04 14:36:14 2015] [info] [client 121.243.33.212] (70007)The timeout specified has expired: SSL input filter read failed.</div><div>[Wed Mar 04 14:36:14 2015] [info] [client 121.243.33.212] Connection closed to child 7 with standard shutdown (server 10.1.193.250:5000)</div><div><br></div><br><div><hr id="stopSpelling">To: openstack-dev@lists.openstack.org<br>From: stevemar@ca.ibm.com<br>Date: Wed, 4 Mar 2015 03:04:52 -0500<br>Subject: Re: [openstack-dev] Need help in configuring keystone<br><br><tt><font size="2">What do the keystone logs indicate?</font></tt>
<br>
<br><tt><font size="2">Steve</font></tt>
<br>
<br><tt><font size="2">Akshik DBK <akshik@outlook.com> wrote on 03/04/2015
02:18:47 AM:<br>
<br>
> From: Akshik DBK <akshik@outlook.com></font></tt>
<br><tt><font size="2">> To: OpenStack Development Mailing List not for
usage questions <br>
> <openstack-dev@lists.openstack.org></font></tt>
<br><tt><font size="2">> Date: 03/04/2015 02:25 AM</font></tt>
<br><tt><font size="2">> Subject: Re: [openstack-dev] Need help in configuring
keystone</font></tt>
<br><tt><font size="2">> <br>
> Hi Marek,</font></tt>
<br><tt><font size="2">> <br>
> I tried with the auto-generated shibboleth2.xml, just added the <br>
> application override attribute; now I'm stuck with a looping issue.</font></tt>
<br><tt><font size="2">> <br>
> when I access v3/OS-FEDERATION/identity_providers/idp_2/protocols/<br>
> saml2/auth for the first time it prompts for username and <br>
> password; once provided, it goes into a loop.</font></tt>
<br><tt><font size="2">> <br>
> I could see the session generated at </font></tt><a href="https://115.112.68.53:5000/" target="_blank"><tt><font size="2">https://115.112.68.53:5000/</font></tt></a><tt><font size="2"><br>
> Shibboleth.sso/Session</font></tt>
<br><tt><font size="2">> Miscellaneous<br>
> Client Address: 121.243.33.212<br>
> Identity Provider: </font></tt><a href="https://idp.testshib.org/idp/shibboleth" target="_blank"><tt><font size="2">https://idp.testshib.org/idp/shibboleth</font></tt></a><tt><font size="2"><br>
> SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol<br>
> Authentication Time: 2015-03-04T06:44:41.625Z<br>
> Authentication Context Class: urn:oasis:names:tc:SAML:2.<br>
> 0:ac:classes:PasswordProtectedTransport<br>
> Authentication Context Decl: (none)<br>
> Session Expiration (barring inactivity): 479 minute(s)<br>
> <br>
> Attributes<br>
> affiliation: Member@testshib.org;Staff@testshib.org<br>
> entitlement: urn:mace:dir:entitlement:common-lib-terms<br>
> eppn: myself@testshib.org<br>
> persistent-id: </font></tt><a href="https://idp.testshib.org/idp/shibboleth%21https://115" target="_blank"><tt><font size="2">https://idp.testshib.org/idp/shibboleth!https://115</font></tt></a><tt><font size="2">.<br>
> 112.68.53/shibboleth!4Q6X4dS2MRhgTZOPTuL9ubMAcIM=<br>
> unscoped-affiliation: Member;Staff</font></tt>
<br><tt><font size="2">> here are my config files,</font></tt>
<br><tt><font size="2">> <SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
<br>
> xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"  clockSkew="1800"></font></tt>
<br><tt><font size="2">>     <ApplicationDefaults entityID="</font></tt><a href="https://115.112.68.53/shibboleth" target="_blank"><tt><font size="2">https://115.112.68.53/shibboleth</font></tt></a><tt><font size="2">"<br>
> REMOTE_USER="eppn"></font></tt>
<br><tt><font size="2">>         <Sessions lifetime="28800"
timeout="3600" <br>
> checkAddress="false" relayState="ss:mem" handlerSSL="true"
<br>
> handlerSSL="true" cookieProps="; path=/; secure"></font></tt>
<br><tt><font size="2">> <br>
>             <SSO entityID="</font></tt><a href="https://idp.testshib.org/idp/shibboleth" target="_blank"><tt><font size="2">https://idp.testshib.org/idp/shibboleth</font></tt></a><tt><font size="2">"></font></tt>
<br><tt><font size="2">>              
  SAML2 SAML1</font></tt>
<br><tt><font size="2">>             </SSO></font></tt>
<br><tt><font size="2">> <br>
>             <Logout>SAML2 Local</Logout></font></tt>
<br><tt><font size="2">> <br>
>             <Handler type="MetadataGenerator"
Location="/Metadata" <br>
> signing="false"/></font></tt>
<br><tt><font size="2">>             <Handler
type="Status" Location="/Status"/></font></tt>
<br><tt><font size="2">>             <Handler
type="Session" Location="/Session" <br>
> showAttributeValues="true"/></font></tt>
<br><tt><font size="2">>             <Handler
type="DiscoveryFeed" Location="/DiscoFeed"/></font></tt>
<br><tt><font size="2">>         </Sessions></font></tt>
<br><tt><font size="2">> <br>
>         <Errors supportContact="root@localhost"
logoLocation="/<br>
> shibboleth-sp/logo.jpg" styleSheet="/shibboleth-sp/main.css"/></font></tt>
<br><tt><font size="2">>         <MetadataProvider
type="XML" uri="</font></tt><a href="https://www.testshib.org/" target="_blank"><tt><font size="2">https://www.testshib.org/</font></tt></a><tt><font size="2"><br>
> metadata/testshib-providers.xml"</font></tt>
<br><tt><font size="2">>              backingFilePath="/tmp/testshib-two-idp-metadata.xml"</font></tt>
<br><tt><font size="2">>              reloadInterval="180000"
/></font></tt>
<br><tt><font size="2">>         <AttributeExtractor
type="XML" validate="true" <br>
> path="attribute-map.xml"/></font></tt>
<br><tt><font size="2">>         <AttributeResolver
type="Query" subjectMatch="true"/></font></tt>
<br><tt><font size="2">>         <AttributeFilter
type="XML" validate="true" path="attribute-<br>
> policy.xml"/></font></tt>
<br><tt><font size="2">>         <CredentialResolver
type="File" key="sp-key.pem" <br>
> certificate="sp-cert.pem"/></font></tt>
<br><tt><font size="2">>         <ApplicationOverride
id="idp_2" entityID="</font></tt><a href="https://115.112/" target="_blank"><tt><font size="2">https://115.112</font></tt></a><tt><font size="2">.<br>
> 68.53/shibboleth"></font></tt>
<br><tt><font size="2">>            <!--Sessions
lifetime="28800" timeout="3600" checkAddress="false"</font></tt>
<br><tt><font size="2">>            relayState="ss:mem"
handlerSSL="false"--></font></tt>
<br><tt><font size="2">>            <Sessions
lifetime="28800" timeout="3600" checkAddress="false"</font></tt>
<br><tt><font size="2">>            relayState="ss:mem"
handlerSSL="true" cookieProps="; <br>
> path=/; secure"></font></tt>
<br><tt><font size="2">> <br>
>             <!-- Triggers a login
request directly to the TestShib IdP. --></font></tt>
<br><tt><font size="2">>             <SSO
entityID="</font></tt><a href="https://idp.testshib.org/idp/shibboleth" target="_blank"><tt><font size="2">https://idp.testshib.org/idp/shibboleth</font></tt></a><tt><font size="2">"
<br>
> ECP="true"></font></tt>
<br><tt><font size="2">>              
  SAML2 SAML1</font></tt>
<br><tt><font size="2">>             </SSO></font></tt>
<br><tt><font size="2">>             <Logout>SAML2
Local</Logout></font></tt>
<br><tt><font size="2">>          </Sessions></font></tt>
<br><tt><font size="2">>             <MetadataProvider
type="XML" uri="https://<br>
> </font></tt><a href="https://www.testshib.org/metadata/testshib-providers.xml" target="_blank"><tt><font size="2">www.testshib.org/metadata/testshib-providers.xml</font></tt></a><tt><font size="2">"</font></tt>
<br><tt><font size="2">>              backingFilePath="/tmp/testshib-two-idp-metadata.xml"</font></tt>
<br><tt><font size="2">>              reloadInterval="180000"
/></font></tt>
<br><tt><font size="2">>         </ApplicationOverride></font></tt>
<br><tt><font size="2">>     </ApplicationDefaults></font></tt>
<br><tt><font size="2">>     <SecurityPolicyProvider type="XML"
validate="true" <br>
> path="security-policy.xml"/></font></tt>
<br><tt><font size="2">>     <ProtocolProvider type="XML"
validate="true" <br>
> reloadChanges="false" path="protocols.xml"/></font></tt>
<br><tt><font size="2">> </SPConfig></font></tt>
<br><tt><font size="2">> <br>
> keystone-httpd</font></tt>
<br><tt><font size="2">> WSGIDaemonProcess keystone user=keystone group=nogroup
processes=3 threads=10</font></tt>
<br><tt><font size="2">> #WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/<br>
> protocols/.*?/auth)$ /var/www/keystone/main/$1</font></tt>
<br><tt><font size="2">> WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/<br>
> protocols/.*?/auth)$ /var/www/cgi-bin/keystone/main/$1</font></tt>
<br><tt><font size="2">> <br>
> <VirtualHost *:5000></font></tt>
<br><tt><font size="2">>     LogLevel  info</font></tt>
<br><tt><font size="2">>     ErrorLog  /var/log/keystone/keystone-apache-error.log</font></tt>
<br><tt><font size="2">>     CustomLog /var/log/keystone/ssl_access.log
combined</font></tt>
<br><tt><font size="2">>     Options +FollowSymLinks</font></tt>
<br><tt><font size="2">> <br>
>         SSLEngine on</font></tt>
<br><tt><font size="2">>         #SSLCertificateFile
/etc/ssl/certs/mycert.pem</font></tt>
<br><tt><font size="2">>         #SSLCertificateKeyFile
/etc/ssl/private/mycert.key</font></tt>
<br><tt><font size="2">>         SSLCertificateFile
   /etc/apache2/ssl/server.crt</font></tt>
<br><tt><font size="2">>         SSLCertificateKeyFile
/etc/apache2/ssl/server.key</font></tt>
<br><tt><font size="2">>         SSLVerifyClient optional</font></tt>
<br><tt><font size="2">>         SSLVerifyDepth 10</font></tt>
<br><tt><font size="2">>         SSLProtocol all -SSLv2</font></tt>
<br><tt><font size="2">>         SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW</font></tt>
<br><tt><font size="2">>         SSLOptions +StdEnvVars
+ExportCertData</font></tt>
<br><tt><font size="2">> <br>
>     WSGIScriptAlias /  /var/www/cgi-bin/keystone/main</font></tt>
<br><tt><font size="2">>     WSGIProcessGroup keystone</font></tt>
<br><tt><font size="2">> </VirtualHost></font></tt>
<br><tt><font size="2">> <br>
> <VirtualHost *:35357></font></tt>
<br><tt><font size="2">>     LogLevel  info</font></tt>
<br><tt><font size="2">>     ErrorLog  /var/log/keystone/keystone-apache-error.log</font></tt>
<br><tt><font size="2">>     CustomLog /var/log/keystone/ssl_access.log
combined</font></tt>
<br><tt><font size="2">>     Options +FollowSymLinks</font></tt>
<br><tt><font size="2">> <br>
>         SSLEngine on</font></tt>
<br><tt><font size="2">> <br>
>         SSLEngine on</font></tt>
<br><tt><font size="2">>         #SSLCertificateFile
/etc/ssl/certs/mycert.pem</font></tt>
<br><tt><font size="2">>         #SSLCertificateKeyFile
/etc/ssl/private/mycert.key</font></tt>
<br><tt><font size="2">>         SSLCertificateFile
   /etc/apache2/ssl/server.crt</font></tt>
<br><tt><font size="2">>         SSLCertificateKeyFile
/etc/apache2/ssl/server.key</font></tt>
<br><tt><font size="2">>         SSLVerifyClient optional</font></tt>
<br><tt><font size="2">>         SSLVerifyDepth 10</font></tt>
<br><tt><font size="2">>         SSLProtocol all -SSLv2</font></tt>
<br><tt><font size="2">>         SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW</font></tt>
<br><tt><font size="2">>         SSLOptions +StdEnvVars
+ExportCertData</font></tt>
<br><tt><font size="2">> <br>
>     WSGIScriptAlias / /var/www/cgi-bin/keystone/admin</font></tt>
<br><tt><font size="2">>     WSGIProcessGroup keystone</font></tt>
<br><tt><font size="2">> </VirtualHost></font></tt>
<br><tt><font size="2">> <br>
> wsgi-keystone</font></tt>
<br><tt><font size="2">> WSGIScriptAlias /keystone/main  /var/www/cgi-bin/keystone/main</font></tt>
<br><tt><font size="2">> WSGIScriptAlias /keystone/admin  /var/www/cgi-bin/keystone/admin</font></tt>
<br><tt><font size="2">> <br>
> <Location "/keystone"></font></tt>
<br><tt><font size="2">> # NSSRequireSSL</font></tt>
<br><tt><font size="2">> SSLRequireSSL</font></tt>
<br><tt><font size="2">> Authtype none</font></tt>
<br><tt><font size="2">> </Location></font></tt>
<br><tt><font size="2">> <br>
> <Location /Shibboleth.sso></font></tt>
<br><tt><font size="2">> #    SetHandler shib</font></tt>
<br><tt><font size="2">>     Require all granted</font></tt>
<br><tt><font size="2">> </Location></font></tt>
<br><tt><font size="2">> <br>
> <Location /v3/OS-FEDERATION/identity_providers/idp_1/protocols/saml2/auth></font></tt>
<br><tt><font size="2">>     ShibRequestSetting requireSession
1</font></tt>
<br><tt><font size="2">>     ShibRequestSetting applicationId
idp_1</font></tt>
<br><tt><font size="2">>     AuthType shibboleth</font></tt>
<br><tt><font size="2">>     ShibRequireAll On</font></tt>
<br><tt><font size="2">>     ShibRequireSession On</font></tt>
<br><tt><font size="2">>     ShibExportAssertion Off</font></tt>
<br><tt><font size="2">>     Require valid-user</font></tt>
<br><tt><font size="2">> </Location></font></tt>
<br><tt><font size="2">> <br>
> <Location /v3/OS-FEDERATION/identity_providers/idp_2/protocols/saml2/auth></font></tt>
<br><tt><font size="2">>     ShibRequestSetting requireSession
1</font></tt>
<br><tt><font size="2">>     ShibRequestSetting applicationId
idp_2</font></tt>
<br><tt><font size="2">>     AuthType shibboleth</font></tt>
<br><tt><font size="2">>     ShibRequireAll On</font></tt>
<br><tt><font size="2">>     ShibRequireSession On</font></tt>
<br><tt><font size="2">>     ShibExportAssertion Off</font></tt>
<br><tt><font size="2">>     Require valid-user</font></tt>
<br><tt><font size="2">> </Location></font></tt>
<br><tt><font size="2">> <br>
> Regards,</font></tt>
<br><tt><font size="2">> Akshik</font></tt>
<br><tt><font size="2">> <br>
> > Date: Mon, 2 Mar 2015 12:03:18 +0100<br>
> > From: marek.denis@cern.ch<br>
> > To: openstack-dev@lists.openstack.org<br>
> > Subject: Re: [openstack-dev] Need help in configuring keystone<br>
> > <br>
> > Akshik,<br>
> > <br>
> > When you are beginning an adventure with saml, shibboleth and
so on, <br>
> > it's helpful to start with fetching auto-generated shibboleth2.xml
file <br>
> > from testshib.org . This should cover most of your use-cases,
at least <br>
> > in the testing environment.<br>
> > <br>
> > Marek<br>
> > <br>
> > <br>
> > <br>
> > __________________________________________________________________________<br>
> > OpenStack Development Mailing List (not for usage questions)<br>
> > Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe<br>
> > </font></tt><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank"><tt><font size="2">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</font></tt></a><tt><font size="2"><br>
> __________________________________________________________________________<br>
> OpenStack Development Mailing List (not for usage questions)<br>
> Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe<br>
> </font></tt><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank"><tt><font size="2">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</font></tt></a><tt><font size="2"><br>
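<br>Added example (not part of the thread, and not Keystone's or Shibboleth's own code): a small Python script that parses the interleaved tail-style log excerpt Akshik posted (re-assembled here as a constructed sample from those shibd and Apache lines), correlates the events per client address, and flags three things visible in it: two fresh SP sessions created for the same client four seconds apart, the SAML attributes shibd discards because attribute-map.xml has no entry for them, and the SSL read timeout that follows. Repeated "new session created" lines for one client are what a browser bouncing between the SP and the IdP leaves behind in shibd.log, so this check confirms a login loop from the logs before anyone touches the Location or ApplicationOverride settings. The 30-second window and the file-name suffixes used to tell the two logs apart are assumptions of this example.<br><br>

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, assembled from the shibd and Apache lines posted in the
# thread, in the `tail -f` multi-file layout ("==> path <==" headers) they were
# pasted in. Only one unmapped-attribute line per burst is kept to stay short.
SAMPLE_LOG = """\
==> /var/log/shibboleth/shibd.log <==
2015-03-04 14:36:05 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:0.9.2342.19200300.100.1.1
2015-03-04 14:36:05 INFO Shibboleth.SessionCache [2]: new session created: ID (_ee18a916d4e7e7adbc34f55c010695a4) IdP (https://idp.testshib.org/idp/shibboleth) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (121.243.33.212)

==> /var/log/keystone/keystone-apache-error.log <==
[Wed Mar 04 14:36:05 2015] [info] Subsequent (No.8) HTTPS request received for child 7 (server 10.1.193.250:5000)
[Wed Mar 04 14:36:09 2015] [info] Subsequent (No.9) HTTPS request received for child 7 (server 10.1.193.250:5000)

==> /var/log/shibboleth/shibd.log <==
2015-03-04 14:36:09 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.5.4.3
2015-03-04 14:36:09 INFO Shibboleth.SessionCache [2]: new session created: ID (_10d6c414a9f198b6601b5d4f36a9057a) IdP (https://idp.testshib.org/idp/shibboleth) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (121.243.33.212)

==> /var/log/keystone/keystone-apache-error.log <==
[Wed Mar 04 14:36:09 2015] [info] Subsequent (No.10) HTTPS request received for child 7 (server 10.1.193.250:5000)
[Wed Mar 04 14:36:14 2015] [info] [client 121.243.33.212] (70007)The timeout specified has expired: SSL input filter read failed.
[Wed Mar 04 14:36:14 2015] [info] [client 121.243.33.212] Connection closed to child 7 with standard shutdown (server 10.1.193.250:5000)
"""

# Line shapes as they appear in the posted logs.
HEADER_RE = re.compile(r"^==> (?P<path>\S+) <==$")
SHIBD_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<level>\w+) (?P<cat>\S+) \[\d+\]: (?P<msg>.*)$")
SESSION_RE = re.compile(r"new session created: ID \((?P<sid>[^)]+)\) IdP \((?P<idp>[^)]+)\) .*Address \((?P<addr>[^)]+)\)")
UNMAPPED_RE = re.compile(r"skipping unmapped SAML 2\.0 Attribute with Name: (?P<name>\S+)")
APACHE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$")


def parse_tail_output(text):
    """Turn interleaved `tail -f` output into a flat list of event dicts.

    The current "==> path <==" header decides which parser applies; the
    shibd/apache distinction by file-name suffix is an assumption.
    """
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group("path")
            continue
        if current is None:
            continue
        if current.endswith("shibd.log"):
            m = SHIBD_RE.match(line)
            if not m:
                continue
            ev = {"source": "shibd", "kind": "other", "addr": None,
                  "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
                  "msg": m.group("msg")}
            s = SESSION_RE.search(ev["msg"])
            u = UNMAPPED_RE.search(ev["msg"])
            if s:
                ev.update(kind="session", sid=s.group("sid"), idp=s.group("idp"), addr=s.group("addr"))
            elif u:
                ev.update(kind="unmapped_attr", name=u.group("name"))
            events.append(ev)
        else:
            m = APACHE_RE.match(line)
            if not m:
                continue
            ev = {"source": "apache", "addr": m.group("client"),
                  "ts": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
                  "msg": m.group("msg"),
                  # APR error 70007 is the timeout shown in the thread's Apache log.
                  "kind": "ssl_timeout" if "(70007)" in m.group("msg") else "other"}
            events.append(ev)
    return events


def find_session_churn(events, window_seconds=30):
    """Flag clients that receive more than one fresh SP session inside the window.

    A protected resource that keeps sending the browser back to the IdP shows
    up as consecutive "new session created" lines for the same client address
    instead of one session being reused; the window size is an assumption.
    """
    by_addr = defaultdict(list)
    for ev in events:
        if ev["source"] == "shibd" and ev["kind"] == "session":
            by_addr[ev["addr"]].append(ev)
    findings = []
    for addr, sessions in by_addr.items():
        sessions.sort(key=lambda e: e["ts"])
        for prev, cur in zip(sessions, sessions[1:]):
            gap = (cur["ts"] - prev["ts"]).total_seconds()
            if gap <= window_seconds:
                findings.append({"addr": addr, "gap_seconds": gap,
                                 "sessions": [prev["sid"], cur["sid"]], "idp": cur["idp"]})
    return findings


def unmapped_attributes(events):
    """Distinct SAML attribute names shibd dropped for lack of an attribute-map.xml entry."""
    return sorted({ev["name"] for ev in events if ev["kind"] == "unmapped_attr"})


def ssl_timeouts(events):
    """Apache SSL read-timeout events, with the client address when Apache logged one."""
    return [ev for ev in events if ev["kind"] == "ssl_timeout"]


if __name__ == "__main__":
    evs = parse_tail_output(SAMPLE_LOG)
    for f in find_session_churn(evs):
        print("possible login loop: %(addr)s got a new session %(gap_seconds)ss after the previous one (%(sessions)s)" % f)
    print("unmapped attributes:", unmapped_attributes(evs))
    print("ssl timeouts:", [(e["ts"], e["addr"]) for e in ssl_timeouts(evs)])
```

Run it against a real `tail -f /var/log/shibboleth/shibd.log /var/log/keystone/keystone-apache-error.log` capture by feeding the file to parse_tail_output instead of SAMPLE_LOG; the address-keyed grouping is what makes the loop stand out when several users are active at once.<br>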
</font></tt><br></div></div></div></div></body>
</html>