<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">Hi all!</div><div class="">I got a problem with my keystone federation setup:</div><div class=""><br class=""></div><div class="">When I’m logging into Horizon it redirects me to an external Identity Provider, I fill in my credentials and everything is fine. Then I’m being redirected back to keystone and here’s where it fails:</div><div class="">it goes into the TokenlessAuthHelper class and tries to get_scope, retrieving project, domain, etc. attributes from request.environ.</div><div class="">And it fails because I don’t have them in my environment variable: everything that comes from the IdP is in the HTTP_REFERER header, it looks like this:</div><div class=""><br class=""></div><div class="">HTTP_REFERER:</div><div class=""><i class=""><font size="2" class=""><a href="https://idp.local/auth/realms/openstack/protocol/saml?SAMLRequest=hZJbawIxEIX%2FypJ3TVxdbYMKogiCLWIvD30pIY4Ymss2M2vbf99kpda%2B2KeF2TlzznfIGJWztZw1dPBbeG8Aqfh01qNsf0xYE70MCg1KrxygJC0fZndrWXaFrGOgoINlF5LrCoUIkUzwrFgtJux1cbsciZvZoN8TZb%2Bal6KsymrYGwxGpajKsmLFM0RM%2BxOW5EmE2MDKIylPaSR6o47odcTto7iRg6Gshi%2BsWCQG4xW1qgNRjZJzU6uuDVpZrhIqj6CsQx5qyLf0G%2F9B4ZmBFfPgEbLFNRh9WpK6iTF9O8bV1mhDrFiGqKHtdML2yiLk5JsEb45wnsx%2BushmjYP4APFoNDxt17%2B5zwlP6WUlhODHPndgbfC8DkhbwDonYdNxDi%2FbjuL06gWzS4ENfV2cckBqp0iN%2BeWV8el93Cf41WITEt9XpnPqn27yxOw6%2B3ZVUlQeTbJM1MnsY576p9QExQYYn54s%2F77C6Tc%3D&RelayState=http%3A%2F%2F192.168.56.102%2Fidentity%2Fv3%2Fauth%2FOS-FEDERATION%2Fwebsso%2Fsaml2%3Forigin%3Dhttps%3A%2F%2Fopenstack.local%2Fdashboard%2Fauth%2Fwebsso%2F&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=NmG9oPBMKYc1Ma%2FZI21sWzfW1au5xTbJnuuDpnxPWCGjNXfVN0T2jje1ffcJHGX4aF4zK9SLZs2j0jKFRH3jnzgtLGwvl%2Bxwe3OPzjXltdE9JvMOMlPxazaI8Fb0JZ0pzLS6LnlY5QbA3FesCNoWObKUSsPzL3WuKPoCOwtI8Yd7zdK22pZWWcRvtbKkZuDTLLTtj81vh0oxCpAISs0QQ8CXRNYFto5KkMYZxGIBUPMvq9RDH0RIfXho4HFkdwf0wBCaTt5Vn77HxuYIW%2FGnY0DnAL0DRyQpNW%2BdH9de4QdEugUep8QejdMiQSqb4gWzuOFlKGEtpliV39beLxNCVg%3D%3D" class="">https://idp.local/auth/realms/openstack/protocol/saml?SAMLRequest=hZJbawIxEIX%2FypJ3TVxdbYMKogiCLWIvD30pIY4Ymss2M2vbf99kpda%2B2KeF2TlzznfIGJWztZw1dPBbeG8Aqfh01qNsf0xYE70MCg1KrxygJC0fZndrWXaFrGOgoINlF5LrCoUIkUzwrFgtJux1cbsciZvZoN8TZb%2Bal6KsymrYGwxGpajKsmLFM0RM%2BxOW5EmE2MDKIylPaSR6o47odcTto7iRg6Gshi%2BsWCQG4xW1qgNRjZJzU6uuDVpZrhIqj6CsQx5qyLf0G%2F9B4ZmBFfPgEbLFNRh9WpK6iTF9O8bV1mhDrFiGqKHtdML2yiLk5JsEb45wnsx%2BushmjYP4APFoNDxt17%2B5zwlP6WUlhODHPndgbfC8DkhbwDonYdNxDi%2FbjuL06gWzS4ENfV2cckBqp0iN%2BeWV8el93Cf41WITEt9XpnPqn27yxOw6%2B3ZVUlQeTbJM1MnsY576p9QExQYYn54s%2F77C6Tc%3D&RelayState=http%3A%2F%2F192.168.56.102%2Fidentity%2Fv3%2Fauth%2FOS-FEDERATION%2Fwebsso%2Fsaml2%3Forigin%3Dhttps%3A%2F%2Fopenstack.local%2Fdashboard%2Fauth%2Fwebsso%2F&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=NmG9oPBMKYc1Ma%2FZI21sWzfW1au5xTbJnuuDpnxPWCGjNXfVN0T2jje1ffcJHGX4aF4zK9SLZs2j0jKFRH3jnzgtLGwvl%2Bxwe3OPzjXltdE9JvMOMlPxazaI8Fb0JZ0pzLS6LnlY5QbA3FesCNoWObKUSsPzL3WuKPoCOwtI8Yd7zdK22pZWWcRvtbKkZuDTLLTtj81vh0oxCpAISs0QQ8CXRNYFto5KkMYZxGIBUPMvq9RDH0RIfXho4HFkdwf0wBCaTt5Vn77HxuYIW%2FGnY0DnAL0DRyQpNW%2BdH9de4QdEugUep8QejdMiQSqb4gWzuOFlKGEtpliV39beLxNCVg%3D%3D</a></font></i></div><div class=""><br class=""></div><div class="">So the question is: who is supposed to process the request from the IdP on its way back to keystone?</div><div class=""><br class=""></div><div class="">I’m using devstack and configured keystone.conf:</div><div class=""><br class=""></div><div class="">[auth]</div><div class="">methods = external,password,token,oauth1,mapped</div><div class=""><div class="">[mapped]</div><div class="">remote_id_attribute = MELLON_IDP</div></div><div class=""><br class=""></div><br class=""><div class="">
<div class="">..Sergey Filatov</div><div class=""><br class=""></div><br class="Apple-interchange-newline">
</div>
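<div class="">Added example, not part of the original post and not Keystone or mod_auth_mellon code: the parameter names in the URL above (SAMLRequest, RelayState, SigAlg, Signature) are those of the SAML HTTP-Redirect binding, in which the message is raw-DEFLATE-compressed and then base64-encoded. This Python example decodes such a URL to show which SAML message it carries, where the response is to be delivered, and whether the query string is signed with RSA-SHA1; the sample URL, host names and function names are constructed for illustration.</div>

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"


def inflate_redirect_param(value):
    """Base64-decode, then raw-inflate, one HTTP-Redirect binding parameter."""
    return zlib.decompress(base64.b64decode(value), -15)


def describe_redirect_url(url):
    """Summarise the SAML message in a URL from your own logs (parsed, not verified)."""
    query = parse_qs(urlsplit(url).query)
    field = next((f for f in ("SAMLRequest", "SAMLResponse") if f in query), None)
    if field is None:
        raise ValueError("no SAMLRequest or SAMLResponse parameter in URL")
    root = ET.fromstring(inflate_redirect_param(query[field][0]))
    sigalg = query.get("SigAlg", [None])[0]
    return {
        "field": field,
        "message": root.tag.split("}")[-1],  # strip the XML namespace
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "relay_state": query.get("RelayState", [None])[0],
        "sigalg": sigalg,
        "weak_sigalg": sigalg == RSA_SHA1,
    }


def build_sample_url():
    """Constructed sample: an AuthnRequest encoded as an SP would send it."""
    req = ET.Element("{%s}AuthnRequest" % SAMLP, {
        "AssertionConsumerServiceURL": "https://sp.example/acs",
    })
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = deflater.compress(ET.tostring(req)) + deflater.flush()
    return "https://idp.example/saml?" + urlencode({
        "SAMLRequest": base64.b64encode(raw).decode(),
        "RelayState": "https://sp.example/identity/v3/auth/OS-FEDERATION/websso/saml2",
        "SigAlg": RSA_SHA1,
    })


if __name__ == "__main__":
    print(describe_redirect_url(build_sample_url()))
```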
<br class=""></body></html>