[Openstack] Keystone and identity federation
Marek Denis
marek.denis at cern.ch
Tue Mar 1 15:26:14 UTC 2016
Hi,
On 01.03.2016 10:31, thomas.duval at orange.com wrote:
> Hello Everybody,
>
> I try to configure identity federation between 2 Keystones and I have
> some difficulties. I mainly followed this guide
> http://docs.openstack.org/developer/keystone/configure_federation.html
> and when I want to test the federated authentication on the Service
> Provider (GET
> /v3/OS-FEDERATION/identity_providers/master/protocols/saml2/auth), I
> have the following response:
>
> Error 500
> Unable to locate metadata for identity provider
> <http://idp/idp/shibboleth>
>
> The only error in keystone.log is:
>
> Unable to locate metadata for identity provider
> (http://idp/idp/shibboleth)
>
> I have the following warning in shibd.log:
>
> WARN Shibboleth.SessionInitiator.SAML2 [1]: unable to locate
> metadata for provider (http://idp/idp/shibboleth)
>
> Here is the configuration of Shibboleth:
>
> <SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
> xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
> clockSkew="180">
>
> <ApplicationDefaults entityID="http://sp/shibboleth">
>
> <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
> checkAddress="false" handlerSSL="false"
> cookieProps="http">
>
> <SSO entityID="http://idp/idp/shibboleth" ECP="true">
> SAML2 SAML1
> </SSO>
>
> <Logout>SAML2 Local</Logout>
>
> <Handler type="MetadataGenerator" Location="/Metadata"
> signing="false"/>
>
> <Handler type="Status" Location="/Status"
> acl="127.0.0.1 ::1"/>
>
> <Handler type="Session" Location="/Session"
> showAttributeValues="false"/>
>
> <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
> </Sessions>
>
> <Errors supportContact="root at localhost"
> helpLocation="/about.html"
> styleSheet="/shibboleth-sp/main.css"/>
>
> <MetadataProvider type="XML"
> uri="http://192.168.52.10/Shibboleth.sso/Metadata"
> backingFilePath="/var/cache/shibboleth/idp.xml" reloadInterval="7200">
> </MetadataProvider>
>
What if you try to set IdP FQDN here instead of IP address?
Something like http://idp/idp/Shibboleth.sso/Metadata
Also, make sure that this URI is reachable for your Service Provider
> <MetadataProvider type="XML" file="IDP.xml"/>
>
> <AttributeExtractor type="XML" validate="true"
> reloadChanges="false" path="attribute-map.xml"/>
>
> <AttributeResolver type="Query" subjectMatch="true"/>
>
> <AttributeFilter type="XML" validate="true"
> path="attribute-policy.xml"/>
>
> <CredentialResolver type="File" key="sp-key.pem"
> certificate="sp-cert.pem"/>
>
> <ApplicationOverride id="master"
> entityID="http://idp/shibboleth">
> <Sessions lifetime="28800" timeout="3600"
> checkAddress="false"
> relayState="ss:mem" handlerSSL="false">
>
> <SSO entityID="https://idp/idp/shibboleth" ECP="true">
> SAML2 SAML1
> </SSO>
>
> <Logout>SAML2 Local</Logout>
> </Sessions>
>
> <MetadataProvider type="XML"
> uri="http://192.168.52.10/Shibboleth.sso/Metadata"
> backingFilePath="/var/cache/shibboleth/idp.xml"
> reloadInterval="180000" />
>
> </ApplicationOverride>
>
I'm not sure if you need this <ApplicationOverride> object.
> </ApplicationDefaults>
>
> <SecurityPolicyProvider type="XML" validate="true"
> path="security-policy.xml"/>
>
> <ProtocolProvider type="XML" validate="true"
> reloadChanges="false" path="protocols.xml"/>
>
> </SPConfig>
>
> The http://192.168.52.10/Shibboleth.sso/Metadata
> url is working and gives me the metadata of the Identity Provider. The
> file IDP.xml was retrieved from the same URL and put in the directory
> /etc/shibboleth.
>
> Both OpenStack servers were installed from DevStack (branch
> stable/liberty) on Ubuntu trusty.
>
> Does someone face the same problem?
>
> Cheers.
>
> --
> *Thomas*
--
Marek Denis
[marek.denis at cern.ch]
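Shibboleth's "unable to locate metadata for provider" warning means the entityID named in the SP's <SSO> element was not found in any loaded metadata document; the config quoted above names the IdP as http://idp/idp/shibboleth in ApplicationDefaults but https://idp/idp/shibboleth in the override, and the metadata can only match one of them. The following is an added example (not code from the thread or from Shibboleth) that parses a constructed metadata file and a constructed shibboleth2.xml fragment and reports every configured IdP entityID the metadata does not contain, flagging the http/https near-miss:

```python
"""Cross-check the IdP entityIDs referenced by a Shibboleth SP config
against the entityIDs actually published in the loaded SAML metadata.
Both inputs below are constructed samples modelled on the thread's
configuration; they are not the poster's real files."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "sp": "urn:mace:shibboleth:2.0:native:sp:config",
}

# Constructed metadata: the IdP publishes itself under the http:// entityID.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://idp/idp/shibboleth">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

# Constructed shibboleth2.xml fragment with the same two <SSO> entries as the thread.
SP_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="http://sp/shibboleth">
    <Sessions><SSO entityID="http://idp/idp/shibboleth">SAML2</SSO></Sessions>
    <ApplicationOverride id="master" entityID="http://idp/shibboleth">
      <Sessions><SSO entityID="https://idp/idp/shibboleth">SAML2</SSO></Sessions>
    </ApplicationOverride>
  </ApplicationDefaults>
</SPConfig>"""


def metadata_entity_ids(metadata_xml):
    """Return the set of entityIDs in a metadata document, whether it is a
    single EntityDescriptor or an EntitiesDescriptor wrapping several."""
    root = ET.fromstring(metadata_xml)
    tag = "{%s}EntityDescriptor" % NS["md"]
    return {ed.get("entityID") for ed in root.iter(tag)}  # iter() includes root


def configured_idps(sp_config_xml):
    """Return every IdP entityID named in an <SSO> element of the SP config."""
    root = ET.fromstring(sp_config_xml)
    return {sso.get("entityID") for sso in root.iter("{%s}SSO" % NS["sp"])}


def missing_idps(sp_config_xml, metadata_xml):
    """Map each configured IdP absent from the metadata to a hint: an entityID
    that matches except for the http/https scheme, or None if nothing is close."""
    known = metadata_entity_ids(metadata_xml)
    report = {}
    for eid in configured_idps(sp_config_xml):
        if eid in known:
            continue
        bare = eid.split("://", 1)[-1]
        near = [k for k in known if k.split("://", 1)[-1] == bare]
        report[eid] = near[0] if near else None
    return report
```

Run it against the real /var/cache/shibboleth/idp.xml and /etc/shibboleth/shibboleth2.xml to confirm the SSO entityID matches the metadata byte for byte, scheme included, before looking at reachability of the metadata URI.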