<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>Hi Marek,<div><br></div><div>I tried with the auto-generated shibboleth2.xml and just added the application override attribute; now I'm stuck with a looping issue.</div><div><br></div><div>When I access v3/OS-FEDERATION/identity_providers/idp_2/protocols/saml2/auth for the first time it prompts for a username and password; once provided, it goes into a loop.</div><div><br></div><div>I could see the session generated at <a href="https://115.112.68.53:5000/Shibboleth.sso/Session" target="_blank" style="font-size: 12pt;">https://115.112.68.53:5000/Shibboleth.sso/Session</a></div><div><pre><u>Miscellaneous</u>
<strong>Client Address:</strong> 121.243.33.212
<strong>Identity Provider:</strong> https://idp.testshib.org/idp/shibboleth
<strong>SSO Protocol:</strong> urn:oasis:names:tc:SAML:2.0:protocol
<strong>Authentication Time:</strong> 2015-03-04T06:44:41.625Z
<strong>Authentication Context Class:</strong> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
<strong>Authentication Context Decl:</strong> (none)
<strong>Session Expiration (barring inactivity):</strong> 479 minute(s)

<u>Attributes</u>
<strong>affiliation</strong>: Member@testshib.org;Staff@testshib.org
<strong>entitlement</strong>: urn:mace:dir:entitlement:common-lib-terms
<strong>eppn</strong>: myself@testshib.org
<strong>persistent-id</strong>: https://idp.testshib.org/idp/shibboleth!https://115.112.68.53/shibboleth!4Q6X4dS2MRhgTZOPTuL9ubMAcIM=
<strong>unscoped-affiliation</strong>: Member;Staff</pre><pre><span style="font-family: Calibri, sans-serif; font-size: 12pt;">Here are my config files:</span></pre></div><div><div><SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"  clockSkew="1800"></div><div>    <ApplicationDefaults entityID="https://115.112.68.53/shibboleth" REMOTE_USER="eppn"></div><div><span style="font-size: 12pt;">        <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="true" cookieProps="; path=/; secure"></span></div><div><br></div><div><span style="font-size: 12pt;">            <SSO entityID="https://idp.testshib.org/idp/shibboleth"></span></div><div>                SAML2 SAML1</div><div>            </SSO></div><div><br></div><div>            <Logout>SAML2 Local</Logout></div><div><br></div><div>            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/></div><div><span style="font-size: 12pt;">            <Handler type="Status" Location="/Status"/></span></div><div><span style="font-size: 12pt;">            <Handler type="Session" Location="/Session" showAttributeValues="true"/></span></div><div><span style="font-size: 12pt;">            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/></span></div><div>        </Sessions></div><div><br></div><div><span style="font-size: 12pt;">        <Errors supportContact="root@localhost" logoLocation="/shibboleth-sp/logo.jpg" styleSheet="/shibboleth-sp/main.css"/></span></div><div><span style="font-size: 12pt;">        <MetadataProvider type="XML" uri="https://www.testshib.org/metadata/testshib-providers.xml"</span></div><div>             backingFilePath="/tmp/testshib-two-idp-metadata.xml"</div><div>             reloadInterval="180000" /></div><div><span style="font-size: 12pt;">        <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/></span></div><div>        <AttributeResolver 
type="Query" subjectMatch="true"/></div><div>        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/></div></div><div><div><span style="font-size: 12pt;">        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/></span></div><div><span style="font-size: 12pt;">        <ApplicationOverride id="idp_2" entityID="https://115.112.68.53/shibboleth"></span></div><div>           <!--Sessions lifetime="28800" timeout="3600" checkAddress="false"</div><div>           relayState="ss:mem" handlerSSL="false"--></div><div>           <Sessions lifetime="28800" timeout="3600" checkAddress="false"</div><div>           relayState="ss:mem" handlerSSL="true" cookieProps="; path=/; secure"></div><div><br></div><div><span style="font-size: 12pt;">            <!-- Triggers a login request directly to the TestShib IdP. --></span></div><div>            <SSO entityID="https://idp.testshib.org/idp/shibboleth" ECP="true"></div><div>                SAML2 SAML1</div><div>            </SSO></div><div><span style="font-size: 12pt;">            <Logout>SAML2 Local</Logout></span></div><div>         </Sessions></div><div> <span style="font-size: 12pt;">           <MetadataProvider type="XML" uri="https://www.testshib.org/metadata/testshib-providers.xml"</span></div><div>             backingFilePath="/tmp/testshib-two-idp-metadata.xml"</div><div>             reloadInterval="180000" /></div><div><span style="font-size: 12pt;">        </ApplicationOverride></span></div><div><span style="font-size: 12pt;">    </ApplicationDefaults></span></div><div><span style="font-size: 12pt;">    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/></span></div><div><span style="font-size: 12pt;">    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/></span></div><div><div></SPConfig></div></div><div><br></div><div>keystone-httpd</div><div><div>WSGIDaemonProcess keystone user=keystone group=nogroup 
processes=3 threads=10</div><div>#WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/keystone/main/$1</div><div>WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/cgi-bin/keystone/main/$1</div><div><br></div><div><VirtualHost *:5000></div><div>    LogLevel  info</div><div>    ErrorLog  /var/log/keystone/keystone-apache-error.log</div><div>    CustomLog /var/log/keystone/ssl_access.log combined</div><div>    Options +FollowSymLinks</div><div><br></div><div>        SSLEngine on</div><div>        #SSLCertificateFile /etc/ssl/certs/mycert.pem</div><div>        #SSLCertificateKeyFile /etc/ssl/private/mycert.key</div><div>        SSLCertificateFile    /etc/apache2/ssl/server.crt</div><div>        SSLCertificateKeyFile /etc/apache2/ssl/server.key</div><div>        SSLVerifyClient optional</div><div>        SSLVerifyDepth 10</div><div>        SSLProtocol all -SSLv2</div><div>        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW</div><div>        SSLOptions +StdEnvVars +ExportCertData</div><div><br></div><div>    WSGIScriptAlias /  /var/www/cgi-bin/keystone/main</div><div>    WSGIProcessGroup keystone</div><div></VirtualHost></div><div><br></div><div><VirtualHost *:35357></div><div>    LogLevel  info</div><div>    ErrorLog  /var/log/keystone/keystone-apache-error.log</div><div>    CustomLog /var/log/keystone/ssl_access.log combined</div><div>    Options +FollowSymLinks</div><div><br></div><div>        SSLEngine on</div><div>        #SSLCertificateFile /etc/ssl/certs/mycert.pem</div><div>        #SSLCertificateKeyFile /etc/ssl/private/mycert.key</div><div>        SSLCertificateFile    /etc/apache2/ssl/server.crt</div><div>        SSLCertificateKeyFile /etc/apache2/ssl/server.key</div><div>        SSLVerifyClient optional</div><div>        SSLVerifyDepth 10</div><div>        SSLProtocol all -SSLv2</div><div>        
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW</div><div>        SSLOptions +StdEnvVars +ExportCertData</div><div><br></div><div>    WSGIScriptAlias / /var/www/cgi-bin/keystone/admin</div><div>    WSGIProcessGroup keystone</div><div></VirtualHost></div></div><div><br></div><div>wsgi-keystone</div><div><div>WSGIScriptAlias /keystone/main  /var/www/cgi-bin/keystone/main</div><div>WSGIScriptAlias /keystone/admin  /var/www/cgi-bin/keystone/admin</div><div><br></div><div><Location "/keystone"></div><div># NSSRequireSSL</div><div>SSLRequireSSL</div><div>Authtype none</div><div></Location></div><div><br></div><div><Location /Shibboleth.sso></div><div>#    SetHandler shib</div><div>    Require all granted</div><div></Location></div><div><br></div><div><Location /v3/OS-FEDERATION/identity_providers/idp_1/protocols/saml2/auth></div><div>    ShibRequestSetting requireSession 1</div><div>    ShibRequestSetting applicationId idp_1</div><div>    AuthType shibboleth</div><div>    ShibRequireAll On</div><div>    ShibRequireSession On</div><div>    ShibExportAssertion Off</div><div>    Require valid-user</div><div></Location></div><div><br></div><div><Location /v3/OS-FEDERATION/identity_providers/idp_2/protocols/saml2/auth></div><div>    ShibRequestSetting requireSession 1</div><div>    ShibRequestSetting applicationId idp_2</div><div>    AuthType shibboleth</div><div>    ShibRequireAll On</div><div>    ShibRequireSession On</div><div>    ShibExportAssertion Off</div><div>    Require valid-user</div></div><div><div></Location></div></div><div><br></div><div>Regards,</div><div>Akshik</div><div><br><div>> Date: Mon, 2 Mar 2015 12:03:18 +0100<br>> From: marek.denis@cern.ch<br>> To: openstack-dev@lists.openstack.org<br>> Subject: Re: [openstack-dev] Need help in configuring keystone<br>> <br>> Akshik,<br>> <br>> When you are beginning an adventure with saml, shibboleth and so on, <br>> it's helpful to start with fetching auto-generated shibboleth2.xml file <br>> from 
testshib.org. This should cover most of your use-cases, at least <br>> in the testing environment.<br>> <br>> Marek<br>> <br>> <br>> <br>> __________________________________________________________________________<br>> OpenStack Development Mailing List (not for usage questions)<br>> Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe<br>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev<br></div></div></div></div></body>
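<div><br></div><div>The redirect loop described in the message above is not diagnosed anywhere in the thread. What follows is an added example written by the editor; it is not code from the original post, from Keystone, or from the Shibboleth SP project. It is a small linter for a shibboleth2.xml that catches the two things a practitioner would check first in the posted file. The first is well-formedness: as posted, the default <code>Sessions</code> element carries <code>handlerSSL="true"</code> twice, and an XML parser rejects a duplicated attribute outright rather than warning about it. The second is the handler path: the SP decides which application a request for <code>/Shibboleth.sso/...</code> belongs to through the same request mapping as any other URL (in Apache, the <code>applicationId</code> set on the matching <code>Location</code>), so an <code>ApplicationOverride</code> that inherits the default <code>handlerURL</code> has its SAML response consumed under the default application, while the resource mapped to <code>applicationId idp_2</code> still sees no session for idp_2 and starts another login. The function names (<code>lint</code>, <code>effective_handler_url</code>) and the three sample documents are the editor's; the samples are constructed to mirror the posted configuration, reusing its entityID, and the reading that a shared handler path is what loops is the editor's assumption, not something confirmed in the thread.</div>

```python
"""Lint a Shibboleth SP shibboleth2.xml for two causes of a login loop.

Added example for this thread; not code from the original message, from
Keystone or from the Shibboleth project.  The sample documents at the
bottom are constructed to mirror the posted configuration.
"""
import sys
import xml.etree.ElementTree as ET

NS = {"sp": "urn:mace:shibboleth:2.0:native:sp:config"}
# shibd's built-in handlerURL when <Sessions> does not set one.
DEFAULT_HANDLER_URL = "/Shibboleth.sso"


def effective_handler_url(app, inherited):
    """handlerURL for an application element: its own <Sessions handlerURL>
    if present, otherwise the value inherited from the defaults."""
    sessions = app.find("sp:Sessions", NS)
    if sessions is not None and sessions.get("handlerURL"):
        return sessions.get("handlerURL")
    return inherited


def lint(xml_text):
    """Return a list of findings; an empty list means both checks passed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A repeated attribute (handlerSSL="true" handlerSSL="true") ends
        # up here: it is a well-formedness error, not a warning.
        return ["not well-formed XML: %s" % exc]

    defaults = root.find("sp:ApplicationDefaults", NS)
    if defaults is None:
        return ["no <ApplicationDefaults> element"]

    findings = []
    default_handler = effective_handler_url(defaults, DEFAULT_HANDLER_URL)
    owners = {default_handler: "default"}  # handler root -> owning app id

    for override in defaults.findall("sp:ApplicationOverride", NS):
        app_id = override.get("id", "?")
        handler = effective_handler_url(override, default_handler)
        if handler in owners:
            findings.append(
                "override %r shares handlerURL %s with application %r; "
                "responses POSTed there are mapped to %r, so resources "
                "requiring applicationId %s never see a session"
                % (app_id, handler, owners[handler], owners[handler], app_id))
        else:
            owners[handler] = app_id
    return findings


# --- constructed samples, trimmed from the posted file ----------------------

# As posted: handlerSSL appears twice on the default <Sessions>.
AS_POSTED = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://115.112.68.53/shibboleth">
    <Sessions lifetime="28800" handlerSSL="true" handlerSSL="true"/>
  </ApplicationDefaults>
</SPConfig>"""

# Duplicate removed, but idp_2 still inherits /Shibboleth.sso.
SHARED_HANDLER = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://115.112.68.53/shibboleth">
    <Sessions lifetime="28800" handlerSSL="true"/>
    <ApplicationOverride id="idp_2" entityID="https://115.112.68.53/shibboleth">
      <Sessions lifetime="28800" handlerSSL="true"/>
    </ApplicationOverride>
  </ApplicationDefaults>
</SPConfig>"""

# Override given its own handler root; Apache must map that path to
# applicationId idp_2 with a matching <Location /Shibboleth.sso/idp_2>.
DISTINCT_HANDLER = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://115.112.68.53/shibboleth">
    <Sessions lifetime="28800" handlerSSL="true"/>
    <ApplicationOverride id="idp_2" entityID="https://115.112.68.53/shibboleth">
      <Sessions lifetime="28800" handlerSSL="true"
                handlerURL="/Shibboleth.sso/idp_2"/>
    </ApplicationOverride>
  </ApplicationDefaults>
</SPConfig>"""


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SHARED_HANDLER
    problems = lint(text)
    for line in problems or ["no findings"]:
        print(line)
    sys.exit(1 if problems else 0)
```

<div>Run it against the real file with <code>python lint_shib.py /etc/shibboleth/shibboleth2.xml</code>. If the shared-handler finding appears, give the override its own handler root, for example <code>handlerURL="/Shibboleth.sso/idp_2"</code> on its <code>Sessions</code>, add a matching <code>&lt;Location /Shibboleth.sso/idp_2&gt;</code> with <code>ShibRequestSetting applicationId idp_2</code> in Apache, and re-register the SP metadata at the IdP, since the AssertionConsumerService endpoints are derived from the handler path. Separately, the posted vhosts still allow SSLv3 (<code>SSLProtocol all -SSLv2</code>) and admit RC4 and LOW-strength ciphers; a current baseline is <code>SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1</code> with a cipher list that excludes RC4, 3DES and anything below HIGH.</div>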
</html>