[Openstack] [Keystone] keystone federation setup

David Stanek dstanek at dstanek.com
Tue Jan 17 15:55:23 UTC 2017


On 10-Jan 14:37, Kseniya Tychkova wrote:
> Sergey,
> It looks like you have a problem in attributes mapping between your
> Identity Provider and Service Provider.
> Please give more information:
> 
>    - what Identity Provider do you use
>    - what attributes your IdP is sending
>    - what Service Provider do you use
>    - what attributes your SP is expecting
> 
> 
> On Tue, Jan 10, 2017 at 12:03 AM, Сергей Филатов <filatecs at gmail.com> wrote:
> 
> > Hi all!
> > I got a problem with my keystone federation setup:
> >
> > When I’m logging into Horizon it redirects me into external Identity
> > Provider, I fill in my credentials and everything is fine. Then I’m being
> > redirected back to keystone and here’s where it fails:
> > it goes into TokenlessAuthHelper class, tries to get_scope retrieving
> > project, domain, etc. attributes from request.environ.
> > And it fails coz I don’t have them in my environment variable: everything
> > that comes from IdP is in HTTP_REFERER header, it looks like this:
> >
> > HTTP_REFERER:
> > https://idp.local/auth/realms/openstack/protocol/saml?SAMLRequest=hZJbawIxEIX%2FypJ3TVxdbYMKogiCLWIvD30pIY4Ymss2M2vbf99kpda%2B2KeF2TlzznfIGJWztZw1dPBbeG8Aqfh01qNsf0xYE70MCg1KrxygJC0fZndrWXaFrGOgoINlF5LrCoUIkUzwrFgtJux1cbsciZvZoN8TZb%2Bal6KsymrYGwxGpajKsmLFM0RM%2BxOW5EmE2MDKIylPaSR6o47odcTto7iRg6Gshi%2BsWCQG4xW1qgNRjZJzU6uuDVpZrhIqj6CsQx5qyLf0G%2F9B4ZmBFfPgEbLFNRh9WpK6iTF9O8bV1mhDrFiGqKHtdML2yiLk5JsEb45wnsx%2BushmjYP4APFoNDxt17%2B5zwlP6WUlhODHPndgbfC8DkhbwDonYdNxDi%2FbjuL06gWzS4ENfV2cckBqp0iN%2BeWV8el93Cf41WITEt9XpnPqn27yxOw6%2B3ZVUlQeTbJM1MnsY576p9QExQYYn54s%2F77C6Tc%3D&RelayState=http%3A%2F%2F192.168.56.102%2Fidentity%2Fv3%2Fauth%2FOS-FEDERATION%2Fwebsso%2Fsaml2%3Forigin%3Dhttps%3A%2F%2Fopenstack.local%2Fdashboard%2Fauth%2Fwebsso%2F&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=NmG9oPBMKYc1Ma%2FZI21sWzfW1au5xTbJnuuDpnxPWCGjNXfVN0T2jje1ffcJHGX4aF4zK9SLZs2j0jKFRH3jnzgtLGwvl%2Bxwe3OPzjXltdE9JvMOMlPxazaI8Fb0JZ0pzLS6LnlY5QbA3FesCNoWObKUSsPzL3WuKPoCOwtI8Yd7zdK22pZWWcRvtbKkZuDTLLTtj81vh0oxCpAISs0QQ8CXRNYFto5KkMYZxGIBUPMvq9RDH0RIfXho4HFkdwf0wBCaTt5Vn77HxuYIW%2FGnY0DnAL0DRyQpNW%2BdH9de4QdEugUep8QejdMiQSqb4gWzuOFlKGEtpliV39beLxNCVg%3D%3D
> >
> > So the question is who is supposed to process the request from the IdP on its way
> > back to keystone?
> >
> > I’m using devstack and configured keystone.conf:
> >
> > [auth]
> > methods = external,password,token,oauth1,mapped
> > [mapped]
> > remote_id_attribute = MELLON_IDP
> >
> >
> > ..Sergey Filatov
> >

Is this still a problem?

-- 
david stanek
web: https://www.dstanek.com
twitter: https://twitter.com/dstanek
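
Added example (not part of the original thread, and not keystone or mod_auth_mellon code): the Referer URL quoted above uses the SAML HTTP-Redirect binding, where the message is raw-DEFLATE compressed, base64-encoded and URL-encoded. This sketch inflates such a URL to show which message it carries and flags an RSA-SHA1 `SigAlg`; the sample URL is constructed and the function names are assumptions.

```python
import base64
import zlib
from urllib.parse import parse_qs, quote, urlsplit


def encode_redirect_binding(xml: str) -> str:
    """Raw-DEFLATE, base64, then URL-encode a SAML message (HTTP-Redirect binding)."""
    comp = zlib.compressobj(wbits=-15)  # negative wbits = no zlib header/trailer
    raw = comp.compress(xml.encode()) + comp.flush()
    return quote(base64.b64encode(raw), safe="")


def inspect_redirect_url(url: str) -> dict:
    """Split a redirect-binding URL into its parameters and inflate the message."""
    params = parse_qs(urlsplit(url).query)  # also undoes the percent-encoding
    kind = next((k for k in ("SAMLRequest", "SAMLResponse") if k in params), None)
    if kind is None:
        raise ValueError("no SAMLRequest or SAMLResponse parameter in URL")
    raw = base64.b64decode(params[kind][0])
    xml = zlib.decompress(raw, wbits=-15).decode()
    sig_alg = params.get("SigAlg", [None])[0]
    return {
        "kind": kind,
        "xml": xml,
        "relay_state": params.get("RelayState", [None])[0],
        "sig_alg": sig_alg,
        # SHA-1 based signature algorithms are deprecated; flag them for review.
        "weak_sig_alg": bool(sig_alg) and sig_alg.endswith("rsa-sha1"),
    }


# Constructed sample input: a minimal AuthnRequest, not the message from the thread.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed" Version="2.0"/>'
)
SAMPLE_RELAY = "http://192.168.56.102/identity/v3/auth/OS-FEDERATION/websso/saml2"
SAMPLE_URL = (
    "https://idp.local/auth/realms/openstack/protocol/saml"
    "?SAMLRequest=" + encode_redirect_binding(SAMPLE_XML)
    + "&RelayState=" + quote(SAMPLE_RELAY, safe="")
    + "&SigAlg=" + quote("http://www.w3.org/2000/09/xmldsig#rsa-sha1", safe="")
)

if __name__ == "__main__":
    for key, value in inspect_redirect_url(SAMPLE_URL).items():
        print(f"{key}: {value}")
```

A `SAMLRequest` is the message a service provider sends to the IdP; attributes asserted by the IdP travel in a `SAMLResponse`.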



