Open Stack

Sergey,
It looks looks you have a problem in attributes mapping between your
Identity Provider and Service Provider.
Please give more information:

   - what Identity Provider do you use
   - what attributes your Idp is sending
   - what Service Provider do you use
   - what attributes your SP is expecting


On Tue, Jan 10, 2017 at 12:03 AM, Сергей Филатов <filatecs at gmail.com> wrote:

> Hi all!
> I got a problem with my keystone federation setup:
>
> When I’m logging into Horizon it redirects me into external Identity
> Provider, I fill in my credentials and everything is fine. Then I’m being
> redirected back to keystone and here’s where it fails:
> it goes into TokenlessAuthHelper class, tries to get_scope retrieving
> project,domain etc attributes from request.environ.
> And it fails coz I don’t have them in my environment variable: everything
> that comes from IdP is in HTTP_REFERER header, it looks like this:
>
> HTTP_REFERER:
> *https://idp.local/auth/realms/openstack/protocol/saml?SAMLRequest=hZJbawIxEIX%2FypJ3TVxdbYMKogiCLWIvD30pIY4Ymss2M2vbf99kpda%2B2KeF2TlzznfIGJWztZw1dPBbeG8Aqfh01qNsf0xYE70MCg1KrxygJC0fZndrWXaFrGOgoINlF5LrCoUIkUzwrFgtJux1cbsciZvZoN8TZb%2Bal6KsymrYGwxGpajKsmLFM0RM%2BxOW5EmE2MDKIylPaSR6o47odcTto7iRg6Gshi%2BsWCQG4xW1qgNRjZJzU6uuDVpZrhIqj6CsQx5qyLf0G%2F9B4ZmBFfPgEbLFNRh9WpK6iTF9O8bV1mhDrFiGqKHtdML2yiLk5JsEb45wnsx%2BushmjYP4APFoNDxt17%2B5zwlP6WUlhODHPndgbfC8DkhbwDonYdNxDi%2FbjuL06gWzS4ENfV2cckBqp0iN%2BeWV8el93Cf41WITEt9XpnPqn27yxOw6%2B3ZVUlQeTbJM1MnsY576p9QExQYYn54s%2F77C6Tc%3D&RelayState=http%3A%2F%2F192.168.56.102%2Fidentity%2Fv3%2Fauth%2FOS-FEDERATION%2Fwebsso%2Fsaml2%3Forigin%3Dhttps%3A%2F%2Fopenstack.local%2Fdashboard%2Fauth%2Fwebsso%2F&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=NmG9oPBMKYc1Ma%2FZI21sWzfW1au5xTbJnuuDpnxPWCGjNXfVN0T2jje1ffcJHGX4aF4zK9SLZs2j0jKFRH3jnzgtLGwvl%2Bxwe3OPzjXltdE9JvMOMlPxazaI8Fb0JZ0pzLS6LnlY5QbA3FesCNoWObKUSsPzL3WuKPoCOwtI8Yd7zdK22pZWWcRvtbKkZuDTLLTtj81vh0oxCpAISs0QQ8CXRNYFto5KkMYZxGIBUPMvq9RDH0RIfXho4HFkdwf0wBCaTt5Vn77HxuYIW%2FGnY0DnAL0DRyQpNW%2BdH9de4QdEugUep8QejdMiQSqb4gWzuOFlKGEtpliV39beLxNCVg%3D%3D
> <https://idp.local/auth/realms/openstack/protocol/saml?SAMLRequest=hZJbawIxEIX%2FypJ3TVxdbYMKogiCLWIvD30pIY4Ymss2M2vbf99kpda%2B2KeF2TlzznfIGJWztZw1dPBbeG8Aqfh01qNsf0xYE70MCg1KrxygJC0fZndrWXaFrGOgoINlF5LrCoUIkUzwrFgtJux1cbsciZvZoN8TZb%2Bal6KsymrYGwxGpajKsmLFM0RM%2BxOW5EmE2MDKIylPaSR6o47odcTto7iRg6Gshi%2BsWCQG4xW1qgNRjZJzU6uuDVpZrhIqj6CsQx5qyLf0G%2F9B4ZmBFfPgEbLFNRh9WpK6iTF9O8bV1mhDrFiGqKHtdML2yiLk5JsEb45wnsx%2BushmjYP4APFoNDxt17%2B5zwlP6WUlhODHPndgbfC8DkhbwDonYdNxDi%2FbjuL06gWzS4ENfV2cckBqp0iN%2BeWV8el93Cf41WITEt9XpnPqn27yxOw6%2B3ZVUlQeTbJM1MnsY576p9QExQYYn54s%2F77C6Tc%3D&RelayState=http%3A%2F%2F192.168.56.102%2Fidentity%2Fv3%2Fauth%2FOS-FEDERATION%2Fwebsso%2Fsaml2%3Forigin%3Dhttps%3A%2F%2Fopenstack.local%2Fdashboard%2Fauth%2Fwebsso%2F&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=NmG9oPBMKYc1Ma%2FZI21sWzfW1au5xTbJnuuDpnxPWCGjNXfVN0T2jje1ffcJHGX4aF4zK9SLZs2j0jKFRH3jnzgtLGwvl%2Bxwe3OPzjXltdE9JvMOMlPxazaI8Fb0JZ0pzLS6LnlY5QbA3FesCNoWObKUSsPzL3WuKPoCOwtI8Yd7zdK22pZWWcRvtbKkZuDTLLTtj81vh0oxCpAISs0QQ8CXRNYFto5KkMYZxGIBUPMvq9RDH0RIfXho4HFkdwf0wBCaTt5Vn77HxuYIW%2FGnY0DnAL0DRyQpNW%2BdH9de4QdEugUep8QejdMiQSqb4gWzuOFlKGEtpliV39beLxNCVg%3D%3D>*
>
> So the question is who is supposed to process request from IdP on it’s way
> back to keystone?
>
> I’m using devstack and configured keystone.conf:
>
> [auth]
> methods = external,password,token,oauth1,mapped
> [mapped]
> remote_id_attribute = MELLON_IDP
>
>
> ..Sergey Filatov
>
>
>
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/
> openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/
> openstack
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20170110/b2446db1/attachment.html>