[keystone] adfs SingleSignOn with CLI/API?

Colleen Murphy colleen at gazlene.net
Thu Feb 14 10:32:14 UTC 2019


On Wed, Feb 13, 2019, at 9:50 AM, Fabian Zimmermann wrote:
> Hi,
> 
> thanks for the fast answers.
> 
> I asked our ADFS Administrators if they could provide some logs to see 
> what's going wrong, but they are unable to deliver these.

I'm more interested in what you were seeing, both the output from the client and the output from the keystone server if you have access to it.

> 
> So I installed keycloak and switched to OpenID Connect.
> 
> I'm (again) able to connect via Horizon SSO, but when I try to use 
> v3oidcpassword in the CLI I'm running into
> 
> https://bugs.launchpad.net/python-openstackclient/+bug/1648580
> 
> I already added the suggested --os-client-secret without luck.
> Updating to latest python-versions..
> 
> pip install -U python-keystoneclient
> pip install -U python-openstackclient
> 
> didn't change anything.
> 
> Any ideas what to try next?

Unfortunately that seems to still be a valid bug that we'll need to address. You could try using the python keystoneauth library directly and see if the issue appears there[1][2].

[1] https://docs.openstack.org/keystoneauth/latest/using-sessions.html
[2] https://docs.openstack.org/keystoneauth/latest/plugin-options.html#v3oidcpassword

> 
> Offtopic:
> 
> Seems like
> 
> https://groups.google.com/forum/#!topic/mod_auth_openidc/qGE1DGQCTMY
> 
> is right. I had to change the RedirectURI to get OpenIDConnect working 
> with Keystone. The sample config of
> 
> https://docs.openstack.org/keystone/rocky/advanced-topics/federation/websso.html
> 
> is *not working for me*

I found that too. The in-development documentation has already been fixed[3] but we didn't backport that to the Rocky documentation because it was part of a large series of rewrites and reorgs.

[3] https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html#configure-mod-auth-openidc

> 
>   Fabian
> 

Colleen
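
Added example, not part of the original message: one way to exercise the v3oidcpassword plugin through keystoneauth directly, as suggested above, so the client-side error can be seen without python-openstackclient in the path. The environment variable names are assumptions made for this sketch; the values (Keycloak discovery URL, identity provider and protocol names registered in keystone) must come from your own deployment.

```python
import os

# Hypothetical environment variable names chosen for this example.
REQUIRED = ("OS_AUTH_URL", "OS_IDENTITY_PROVIDER", "OS_PROTOCOL",
            "OS_CLIENT_ID", "OS_CLIENT_SECRET", "OS_DISCOVERY_ENDPOINT",
            "OS_USERNAME", "OS_PASSWORD")


def check_settings(env):
    """Return a list of problems; an empty list means the settings are usable."""
    problems = [f"missing {name}" for name in REQUIRED if not env.get(name)]
    for name in ("OS_AUTH_URL", "OS_DISCOVERY_ENDPOINT"):
        value = env.get(name, "")
        # The discovery document tells the plugin where to send the user's
        # password and the client secret, so refuse to fetch it, or to talk
        # to keystone, over plain HTTP.
        if value and not value.startswith("https://"):
            problems.append(f"{name} is not https")
    return problems


def get_token(env):
    """Authenticate with the v3oidcpassword plugin and return a keystone token."""
    problems = check_settings(env)
    if problems:
        raise ValueError("; ".join(problems))
    # Imported here so the settings check works without keystoneauth1 installed.
    from keystoneauth1 import session
    from keystoneauth1.identity.v3 import OidcPassword

    auth = OidcPassword(
        auth_url=env["OS_AUTH_URL"],
        identity_provider=env["OS_IDENTITY_PROVIDER"],
        protocol=env["OS_PROTOCOL"],
        client_id=env["OS_CLIENT_ID"],
        client_secret=env["OS_CLIENT_SECRET"],
        discovery_endpoint=env["OS_DISCOVERY_ENDPOINT"],
        username=env["OS_USERNAME"],
        password=env["OS_PASSWORD"],
    )
    return session.Session(auth=auth).get_token()


if __name__ == "__main__":
    get_token(os.environ)
    print("token obtained")
```

Reading the password and client secret from the environment keeps them out of the process argument list and shell history, which passing them as command-line options does not.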
