<tt><font size=2>What do the keystone logs indicate?</font></tt>
<br>
<br><tt><font size=2>Steve</font></tt>
<br>
<br><tt><font size=2>Akshik DBK <akshik@outlook.com> wrote on 03/04/2015
02:18:47 AM:<br>
<br>
> From: Akshik DBK <akshik@outlook.com></font></tt>
<br><tt><font size=2>> To: OpenStack Development Mailing List not for
usage questions <br>
> <openstack-dev@lists.openstack.org></font></tt>
<br><tt><font size=2>> Date: 03/04/2015 02:25 AM</font></tt>
<br><tt><font size=2>> Subject: Re: [openstack-dev] Need help in configuring
keystone</font></tt>
<br><tt><font size=2>> <br>
> Hi Marek,</font></tt>
<br><tt><font size=2>> <br>
> I tried with the auto-generated shibboleth2.xml, just added the <br>
> application override attribute; now I'm stuck with a looping issue.</font></tt>
<br><tt><font size=2>> <br>
> When I access v3/OS-FEDERATION/identity_providers/idp_2/protocols/<br>
> saml2/auth for the first time it prompts for username and <br>
> password; once provided, it goes into a loop.</font></tt>
<br><tt><font size=2>> <br>
> I could see a session generated at </font></tt><a href=https://115.112.68.53:5000/><tt><font size=2>https://115.112.68.53:5000/</font></tt></a><tt><font size=2><br>
> Shibboleth.sso/Session</font></tt>
<br><tt><font size=2>> Miscellaneous<br>
> Client Address: 121.243.33.212<br>
> Identity Provider: </font></tt><a href=https://idp.testshib.org/idp/shibboleth><tt><font size=2>https://idp.testshib.org/idp/shibboleth</font></tt></a><tt><font size=2><br>
> SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol<br>
> Authentication Time: 2015-03-04T06:44:41.625Z<br>
> Authentication Context Class: urn:oasis:names:tc:SAML:2.<br>
> 0:ac:classes:PasswordProtectedTransport<br>
> Authentication Context Decl: (none)<br>
> Session Expiration (barring inactivity): 479 minute(s)<br>
> <br>
> Attributes<br>
> affiliation: Member@testshib.org;Staff@testshib.org<br>
> entitlement: urn:mace:dir:entitlement:common-lib-terms<br>
> eppn: myself@testshib.org<br>
> persistent-id: </font></tt><a href=https://idp.testshib.org/idp/shibboleth!https://115><tt><font size=2>https://idp.testshib.org/idp/shibboleth!https://115</font></tt></a><tt><font size=2>.<br>
> 112.68.53/shibboleth!4Q6X4dS2MRhgTZOPTuL9ubMAcIM=<br>
> unscoped-affiliation: Member;Staff</font></tt>
<br><tt><font size=2>> Here are my config files:</font></tt>
<br><tt><font size=2>> <SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
<br>
> xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"  clockSkew="1800"></font></tt>
<br><tt><font size=2>>     <ApplicationDefaults entityID="</font></tt><a href=https://115.112.68.53/shibboleth><tt><font size=2>https://115.112.68.53/shibboleth</font></tt></a><tt><font size=2>"<br>
> REMOTE_USER="eppn"></font></tt>
<br><tt><font size=2>>         <Sessions lifetime="28800"
timeout="3600" <br>
> checkAddress="false" relayState="ss:mem" handlerSSL="true"
<br>
> cookieProps="; path=/; secure"></font></tt>
<br><tt><font size=2>> <br>
>             <SSO entityID="</font></tt><a href=https://idp.testshib.org/idp/shibboleth><tt><font size=2>https://idp.testshib.org/idp/shibboleth</font></tt></a><tt><font size=2>"></font></tt>
<br><tt><font size=2>>              
  SAML2 SAML1</font></tt>
<br><tt><font size=2>>             </SSO></font></tt>
<br><tt><font size=2>> <br>
>             <Logout>SAML2 Local</Logout></font></tt>
<br><tt><font size=2>> <br>
>             <Handler type="MetadataGenerator"
Location="/Metadata" <br>
> signing="false"/></font></tt>
<br><tt><font size=2>>             <Handler
type="Status" Location="/Status"/></font></tt>
<br><tt><font size=2>>             <Handler
type="Session" Location="/Session" <br>
> showAttributeValues="true"/></font></tt>
<br><tt><font size=2>>             <Handler
type="DiscoveryFeed" Location="/DiscoFeed"/></font></tt>
<br><tt><font size=2>>         </Sessions></font></tt>
<br><tt><font size=2>> <br>
>         <Errors supportContact="root@localhost"
logoLocation="/<br>
> shibboleth-sp/logo.jpg" styleSheet="/shibboleth-sp/main.css"/></font></tt>
<br><tt><font size=2>>         <MetadataProvider
type="XML" uri="</font></tt><a href=https://www.testshib.org/><tt><font size=2>https://www.testshib.org/</font></tt></a><tt><font size=2><br>
> metadata/testshib-providers.xml"</font></tt>
<br><tt><font size=2>>              backingFilePath="/tmp/testshib-two-idp-metadata.xml"</font></tt>
<br><tt><font size=2>>              reloadInterval="180000"
/></font></tt>
<br><tt><font size=2>>         <AttributeExtractor
type="XML" validate="true" <br>
> path="attribute-map.xml"/></font></tt>
<br><tt><font size=2>>         <AttributeResolver
type="Query" subjectMatch="true"/></font></tt>
<br><tt><font size=2>>         <AttributeFilter
type="XML" validate="true" path="attribute-<br>
> policy.xml"/></font></tt>
<br><tt><font size=2>>         <CredentialResolver
type="File" key="sp-key.pem" <br>
> certificate="sp-cert.pem"/></font></tt>
<br><tt><font size=2>>         <ApplicationOverride
id="idp_2" entityID="</font></tt><a href=https://115.112/><tt><font size=2>https://115.112</font></tt></a><tt><font size=2>.<br>
> 68.53/shibboleth"></font></tt>
<br><tt><font size=2>>            <!--Sessions
lifetime="28800" timeout="3600" checkAddress="false"</font></tt>
<br><tt><font size=2>>            relayState="ss:mem"
handlerSSL="false"--></font></tt>
<br><tt><font size=2>>            <Sessions
lifetime="28800" timeout="3600" checkAddress="false"</font></tt>
<br><tt><font size=2>>            relayState="ss:mem"
handlerSSL="true" cookieProps="; <br>
> path=/; secure"></font></tt>
<br><tt><font size=2>> <br>
>             <!-- Triggers a login
request directly to the TestShib IdP. --></font></tt>
<br><tt><font size=2>>             <SSO
entityID="</font></tt><a href=https://idp.testshib.org/idp/shibboleth><tt><font size=2>https://idp.testshib.org/idp/shibboleth</font></tt></a><tt><font size=2>"
<br>
> ECP="true"></font></tt>
<br><tt><font size=2>>              
  SAML2 SAML1</font></tt>
<br><tt><font size=2>>             </SSO></font></tt>
<br><tt><font size=2>>             <Logout>SAML2
Local</Logout></font></tt>
<br><tt><font size=2>>          </Sessions></font></tt>
<br><tt><font size=2>>             <MetadataProvider
type="XML" uri="https://<br>
> </font></tt><a href="www.testshib.org/metadata/testshib-providers.xml"><tt><font size=2>www.testshib.org/metadata/testshib-providers.xml</font></tt></a><tt><font size=2>"</font></tt>
<br><tt><font size=2>>              backingFilePath="/tmp/testshib-two-idp-metadata.xml"</font></tt>
<br><tt><font size=2>>              reloadInterval="180000"
/></font></tt>
<br><tt><font size=2>>         </ApplicationOverride></font></tt>
<br><tt><font size=2>>     </ApplicationDefaults></font></tt>
<br><tt><font size=2>>     <SecurityPolicyProvider type="XML"
validate="true" <br>
> path="security-policy.xml"/></font></tt>
<br><tt><font size=2>>     <ProtocolProvider type="XML"
validate="true" <br>
> reloadChanges="false" path="protocols.xml"/></font></tt>
<br><tt><font size=2>> </SPConfig></font></tt>
<br><tt><font size=2>> <br>
> keystone-httpd</font></tt>
<br><tt><font size=2>> WSGIDaemonProcess keystone user=keystone group=nogroup
processes=3 threads=10</font></tt>
<br><tt><font size=2>> #WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/<br>
> protocols/.*?/auth)$ /var/www/keystone/main/$1</font></tt>
<br><tt><font size=2>> WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/<br>
> protocols/.*?/auth)$ /var/www/cgi-bin/keystone/main/$1</font></tt>
<br><tt><font size=2>> <br>
> <VirtualHost *:5000></font></tt>
<br><tt><font size=2>>     LogLevel  info</font></tt>
<br><tt><font size=2>>     ErrorLog  /var/log/keystone/keystone-apache-error.log</font></tt>
<br><tt><font size=2>>     CustomLog /var/log/keystone/ssl_access.log
combined</font></tt>
<br><tt><font size=2>>     Options +FollowSymLinks</font></tt>
<br><tt><font size=2>> <br>
>         SSLEngine on</font></tt>
<br><tt><font size=2>>         #SSLCertificateFile
/etc/ssl/certs/mycert.pem</font></tt>
<br><tt><font size=2>>         #SSLCertificateKeyFile
/etc/ssl/private/mycert.key</font></tt>
<br><tt><font size=2>>         SSLCertificateFile
   /etc/apache2/ssl/server.crt</font></tt>
<br><tt><font size=2>>         SSLCertificateKeyFile
/etc/apache2/ssl/server.key</font></tt>
<br><tt><font size=2>>         SSLVerifyClient optional</font></tt>
<br><tt><font size=2>>         SSLVerifyDepth 10</font></tt>
<br><tt><font size=2>>         SSLProtocol all -SSLv2</font></tt>
<br><tt><font size=2>>         SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW</font></tt>
<br><tt><font size=2>>         SSLOptions +StdEnvVars
+ExportCertData</font></tt>
<br><tt><font size=2>> <br>
>     WSGIScriptAlias /  /var/www/cgi-bin/keystone/main</font></tt>
<br><tt><font size=2>>     WSGIProcessGroup keystone</font></tt>
<br><tt><font size=2>> </VirtualHost></font></tt>
<br><tt><font size=2>> <br>
> <VirtualHost *:35357></font></tt>
<br><tt><font size=2>>     LogLevel  info</font></tt>
<br><tt><font size=2>>     ErrorLog  /var/log/keystone/keystone-apache-error.log</font></tt>
<br><tt><font size=2>>     CustomLog /var/log/keystone/ssl_access.log
combined</font></tt>
<br><tt><font size=2>>     Options +FollowSymLinks</font></tt>
<br><tt><font size=2>> <br>
>         SSLEngine on</font></tt>
<br><tt><font size=2>>         #SSLCertificateFile
/etc/ssl/certs/mycert.pem</font></tt>
<br><tt><font size=2>>         #SSLCertificateKeyFile
/etc/ssl/private/mycert.key</font></tt>
<br><tt><font size=2>>         SSLCertificateFile
   /etc/apache2/ssl/server.crt</font></tt>
<br><tt><font size=2>>         SSLCertificateKeyFile
/etc/apache2/ssl/server.key</font></tt>
<br><tt><font size=2>>         SSLVerifyClient optional</font></tt>
<br><tt><font size=2>>         SSLVerifyDepth 10</font></tt>
<br><tt><font size=2>>         SSLProtocol all -SSLv2</font></tt>
<br><tt><font size=2>>         SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW</font></tt>
<br><tt><font size=2>>         SSLOptions +StdEnvVars
+ExportCertData</font></tt>
<br><tt><font size=2>> <br>
>     WSGIScriptAlias / /var/www/cgi-bin/keystone/admin</font></tt>
<br><tt><font size=2>>     WSGIProcessGroup keystone</font></tt>
<br><tt><font size=2>> </VirtualHost></font></tt>
<br><tt><font size=2>> <br>
> wsgi-keystone</font></tt>
<br><tt><font size=2>> WSGIScriptAlias /keystone/main  /var/www/cgi-bin/keystone/main</font></tt>
<br><tt><font size=2>> WSGIScriptAlias /keystone/admin  /var/www/cgi-bin/keystone/admin</font></tt>
<br><tt><font size=2>> <br>
> <Location "/keystone"></font></tt>
<br><tt><font size=2>> # NSSRequireSSL</font></tt>
<br><tt><font size=2>> SSLRequireSSL</font></tt>
<br><tt><font size=2>> Authtype none</font></tt>
<br><tt><font size=2>> </Location></font></tt>
<br><tt><font size=2>> <br>
> <Location /Shibboleth.sso></font></tt>
<br><tt><font size=2>> #    SetHandler shib</font></tt>
<br><tt><font size=2>>     Require all granted</font></tt>
<br><tt><font size=2>> </Location></font></tt>
<br><tt><font size=2>> <br>
> <Location /v3/OS-FEDERATION/identity_providers/idp_1/protocols/saml2/auth></font></tt>
<br><tt><font size=2>>     ShibRequestSetting requireSession
1</font></tt>
<br><tt><font size=2>>     ShibRequestSetting applicationId
idp_1</font></tt>
<br><tt><font size=2>>     AuthType shibboleth</font></tt>
<br><tt><font size=2>>     ShibRequireAll On</font></tt>
<br><tt><font size=2>>     ShibRequireSession On</font></tt>
<br><tt><font size=2>>     ShibExportAssertion Off</font></tt>
<br><tt><font size=2>>     Require valid-user</font></tt>
<br><tt><font size=2>> </Location></font></tt>
<br><tt><font size=2>> <br>
> <Location /v3/OS-FEDERATION/identity_providers/idp_2/protocols/saml2/auth></font></tt>
<br><tt><font size=2>>     ShibRequestSetting requireSession
1</font></tt>
<br><tt><font size=2>>     ShibRequestSetting applicationId
idp_2</font></tt>
<br><tt><font size=2>>     AuthType shibboleth</font></tt>
<br><tt><font size=2>>     ShibRequireAll On</font></tt>
<br><tt><font size=2>>     ShibRequireSession On</font></tt>
<br><tt><font size=2>>     ShibExportAssertion Off</font></tt>
<br><tt><font size=2>>     Require valid-user</font></tt>
<br><tt><font size=2>> </Location></font></tt>
<br><tt><font size=2>> <br>
> Regards,</font></tt>
<br><tt><font size=2>> Akshik</font></tt>
<br><tt><font size=2>> <br>
> > Date: Mon, 2 Mar 2015 12:03:18 +0100<br>
> > From: marek.denis@cern.ch<br>
> > To: openstack-dev@lists.openstack.org<br>
> > Subject: Re: [openstack-dev] Need help in configuring keystone<br>
> > <br>
> > Akshik,<br>
> > <br>
> > When you are beginning an adventure with saml, shibboleth and
so on, <br>
> > it's helpful to start with fetching auto-generated shibboleth2.xml
file <br>
> > from testshib.org . This should cover most of your use-cases,
at least <br>
> > in the testing environment.<br>
> > <br>
> > Marek<br>
> > <br>
> > <br>
> > <br>
> > __________________________________________________________________________<br>
> > OpenStack Development Mailing List (not for usage questions)<br>
> > Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe<br>
> > </font></tt><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"><tt><font size=2>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</font></tt></a><tt><font size=2><br>
</font></tt>
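As an added example (not code from this thread, from Shibboleth or from Keystone), here is the kind of static check a reviewer would run over the two configs quoted above before turning to the logs: it cross-references the applicationId each Apache Location requests against the ApplicationOverride ids actually present in shibboleth2.xml, reports a shibboleth2.xml that is not well-formed (a repeated attribute such as the doubled handlerSSL is rejected by the XML parser), and lints the vhost's SSLProtocol and SSLCipherSuite lines. The embedded config strings are constructed, trimmed copies of what was posted, with placeholder hostnames (sp.example.test, idp.example.test); the regex-based Apache parsing is a simplification that assumes un-nested Location blocks.

```python
"""Sanity checks for a Shibboleth SP + Apache/Keystone federation setup.

Added example, not code from the thread, Shibboleth or Keystone. The two
config strings below are constructed, trimmed copies of what was posted,
with placeholder hostnames.
"""
import re
import xml.etree.ElementTree as ET

SP_NS = "urn:mace:shibboleth:2.0:native:sp:config"

# Constructed shibboleth2.xml: one ApplicationOverride, id="idp_2".
SHIBBOLETH2_XML = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" clockSkew="1800">
  <ApplicationDefaults entityID="https://sp.example.test/shibboleth" REMOTE_USER="eppn">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              relayState="ss:mem" handlerSSL="true" cookieProps="; path=/; secure">
      <SSO entityID="https://idp.example.test/idp/shibboleth">SAML2 SAML1</SSO>
    </Sessions>
    <ApplicationOverride id="idp_2" entityID="https://sp.example.test/shibboleth"/>
  </ApplicationDefaults>
</SPConfig>
"""

# The same file with handlerSSL repeated, as in the quoted message.
DUPLICATE_ATTR_XML = SHIBBOLETH2_XML.replace(
    'handlerSSL="true"', 'handlerSSL="true" handlerSSL="true"', 1)

# Constructed Apache fragment: vhost TLS settings plus the two protected Locations.
APACHE_CONF = """<VirtualHost *:5000>
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    WSGIScriptAlias / /var/www/cgi-bin/keystone/main
</VirtualHost>

<Location /v3/OS-FEDERATION/identity_providers/idp_1/protocols/saml2/auth>
    ShibRequestSetting requireSession 1
    ShibRequestSetting applicationId idp_1
    AuthType shibboleth
    Require valid-user
</Location>

<Location /v3/OS-FEDERATION/identity_providers/idp_2/protocols/saml2/auth>
    ShibRequestSetting requireSession 1
    ShibRequestSetting applicationId idp_2
    AuthType shibboleth
    Require valid-user
</Location>
"""

LOCATION_RE = re.compile(r'<Location\s+"?([^\s">]+)"?\s*>(.*?)</Location>', re.S)
APPID_RE = re.compile(r"ShibRequestSetting\s+applicationId\s+(\S+)")


def parse_sp_config(xml_text):
    """Return (set of ApplicationOverride ids, parse error message or None).

    expat rejects a repeated attribute, so a duplicated handlerSSL shows up
    here as a parse error rather than being silently ignored.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return set(), str(exc)
    ids = {el.get("id") for el in root.iter(f"{{{SP_NS}}}ApplicationOverride")}
    return ids, None


def apache_application_ids(conf_text):
    """Map each Location that sets a Shibboleth applicationId to that id."""
    refs = {}
    for path, body in LOCATION_RE.findall(conf_text):
        match = APPID_RE.search(body)
        if match:
            refs[path] = match.group(1)
    return refs


def unresolved_application_ids(conf_text, xml_text):
    """Locations whose applicationId has no matching ApplicationOverride.

    A request for such a Location cannot be tied to the override that was
    meant for it; that mismatch is worth ruling out before reading logs.
    """
    ids, err = parse_sp_config(xml_text)
    if err is not None:
        raise ValueError(f"shibboleth2.xml is not well-formed: {err}")
    return {path: app for path, app in apache_application_ids(conf_text).items()
            if app != "default" and app not in ids}


def tls_lint(conf_text):
    """Flag SSLProtocol/SSLCipherSuite values that keep legacy options on."""
    findings = []
    proto = re.search(r"^\s*SSLProtocol\s+(.+)$", conf_text, re.M)
    if proto:
        tokens = proto.group(1).split()
        if "all" in tokens and "-SSLv3" not in tokens:
            findings.append("SSLProtocol leaves SSLv3 enabled")
    suite = re.search(r"^\s*SSLCipherSuite\s+(\S+)", conf_text, re.M)
    if suite:
        spec = suite.group(1)
        for weak in ("RC4", "LOW", "MEDIUM"):
            if weak in spec and f"!{weak}" not in spec:
                findings.append(f"SSLCipherSuite permits {weak} ciphers")
    return findings


if __name__ == "__main__":
    for path, app in unresolved_application_ids(APACHE_CONF, SHIBBOLETH2_XML).items():
        print(f"{path}: applicationId {app} has no ApplicationOverride")
    for finding in tls_lint(APACHE_CONF):
        print(finding)
    print("duplicate-attribute copy:", parse_sp_config(DUPLICATE_ATTR_XML)[1])
```

Run against the constructed copies, the script reports that the idp_1 Location names an applicationId with no ApplicationOverride behind it, that the doubled handlerSSL makes the XML unparseable, and that the vhost still allows SSLv3 and RC4/LOW/MEDIUM cipher classes; the same functions can be pointed at the real files by reading them in place of the embedded strings.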