<div dir="ltr">Sergey,<br>It looks like you have a problem in attributes mapping between your Identity Provider and Service Provider.<br>Please give more information: <br><ul><li>what Identity Provider do you use</li><li>what attributes your IdP is sending</li><li>what Service Provider do you use<br></li><li>what attributes your SP is expecting</li></ul><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jan 10, 2017 at 12:03 AM, Сергей Филатов <span dir="ltr"><<a href="mailto:filatecs@gmail.com" target="_blank">filatecs@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><div>Hi all!</div><div>I got a problem with my keystone federation setup:</div><div><br></div><div>When I’m logging into Horizon it redirects me into external Identity Provider, I fill in my credentials and everything is fine. Then I’m being redirected back to keystone and here’s where it fails:</div><div>it goes into TokenlessAuthHelper class, tries to get_scope retrieving project,domain etc attributes from request.environ.</div><div>And it fails coz I don’t have them in my environment variable: everything that comes from IdP is in HTTP_REFERER header, it looks like this:</div><div><br></div><div>HTTP_REFERER:</div><div><i><font size="2"><a 
href="https://idp.local/auth/realms/openstack/protocol/saml?SAMLRequest=hZJbawIxEIX%2FypJ3TVxdbYMKogiCLWIvD30pIY4Ymss2M2vbf99kpda%2B2KeF2TlzznfIGJWztZw1dPBbeG8Aqfh01qNsf0xYE70MCg1KrxygJC0fZndrWXaFrGOgoINlF5LrCoUIkUzwrFgtJux1cbsciZvZoN8TZb%2Bal6KsymrYGwxGpajKsmLFM0RM%2BxOW5EmE2MDKIylPaSR6o47odcTto7iRg6Gshi%2BsWCQG4xW1qgNRjZJzU6uuDVpZrhIqj6CsQx5qyLf0G%2F9B4ZmBFfPgEbLFNRh9WpK6iTF9O8bV1mhDrFiGqKHtdML2yiLk5JsEb45wnsx%2BushmjYP4APFoNDxt17%2B5zwlP6WUlhODHPndgbfC8DkhbwDonYdNxDi%2FbjuL06gWzS4ENfV2cckBqp0iN%2BeWV8el93Cf41WITEt9XpnPqn27yxOw6%2B3ZVUlQeTbJM1MnsY576p9QExQYYn54s%2F77C6Tc%3D&RelayState=http%3A%2F%2F192.168.56.102%2Fidentity%2Fv3%2Fauth%2FOS-FEDERATION%2Fwebsso%2Fsaml2%3Forigin%3Dhttps%3A%2F%2Fopenstack.local%2Fdashboard%2Fauth%2Fwebsso%2F&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=NmG9oPBMKYc1Ma%2FZI21sWzfW1au5xTbJnuuDpnxPWCGjNXfVN0T2jje1ffcJHGX4aF4zK9SLZs2j0jKFRH3jnzgtLGwvl%2Bxwe3OPzjXltdE9JvMOMlPxazaI8Fb0JZ0pzLS6LnlY5QbA3FesCNoWObKUSsPzL3WuKPoCOwtI8Yd7zdK22pZWWcRvtbKkZuDTLLTtj81vh0oxCpAISs0QQ8CXRNYFto5KkMYZxGIBUPMvq9RDH0RIfXho4HFkdwf0wBCaTt5Vn77HxuYIW%2FGnY0DnAL0DRyQpNW%2BdH9de4QdEugUep8QejdMiQSqb4gWzuOFlKGEtpliV39beLxNCVg%3D%3D" 
target="_blank">https://idp.local/auth/realms/<wbr>openstack/protocol/saml?<wbr>SAMLRequest=hZJbawIxEIX%<wbr>2FypJ3TVxdbYMKogiCLWIvD30pIY4Y<wbr>mss2M2vbf99kpda%<wbr>2B2KeF2TlzznfIGJWztZw1dPBbeG8A<wbr>qfh01qNsf0xYE70MCg1KrxygJC0fZn<wbr>drWXaFrGOgoINlF5LrCoUIkUzwrFgt<wbr>Jux1cbsciZvZoN8TZb%<wbr>2Bal6KsymrYGwxGpajKsmLFM0RM%<wbr>2BxOW5EmE2MDKIylPaSR6o47odcTto<wbr>7iRg6Gshi%<wbr>2BsWCQG4xW1qgNRjZJzU6uuDVpZrhI<wbr>qj6CsQx5qyLf0G%<wbr>2F9B4ZmBFfPgEbLFNRh9WpK6iTF9O8<wbr>bV1mhDrFiGqKHtdML2yiLk5JsEb45w<wbr>nsx%2BushmjYP4APFoNDxt17%<wbr>2B5zwlP6WUlhODHPndgbfC8DkhbwDo<wbr>nYdNxDi%<wbr>2FbjuL06gWzS4ENfV2cckBqp0iN%<wbr>2BeWV8el93Cf41WITEt9XpnPqn27yx<wbr>Ow6%<wbr>2B3ZVUlQeTbJM1MnsY576p9QExQYYn<wbr>54s%2F77C6Tc%3D&RelayState=<wbr>http%3A%2F%2F192.168.56.102%<wbr>2Fidentity%2Fv3%2Fauth%2FOS-<wbr>FEDERATION%2Fwebsso%2Fsaml2%<wbr>3Forigin%3Dhttps%3A%2F%<wbr>2Fopenstack.local%2Fdashboard%<wbr>2Fauth%2Fwebsso%2F&SigAlg=<wbr>http%3A%2F%2Fwww.w3.org%<wbr>2F2000%2F09%2Fxmldsig%23rsa-<wbr>sha1&Signature=NmG9oPBMKYc1Ma%<wbr>2FZI21sWzfW1au5xTbJnuuDpnxPWCG<wbr>jNXfVN0T2jje1ffcJHGX4aF4zK9SLZ<wbr>s2j0jKFRH3jnzgtLGwvl%<wbr>2Bxwe3OPzjXltdE9JvMOMlPxazaI8F<wbr>b0JZ0pzLS6LnlY5QbA3FesCNoWObKU<wbr>SsPzL3WuKPoCOwtI8Yd7zdK22pZWWc<wbr>RvtbKkZuDTLLTtj81vh0oxCpAISs0Q<wbr>Q8CXRNYFto5KkMYZxGIBUPMvq9RDH0<wbr>RIfXho4HFkdwf0wBCaTt5Vn77HxuYI<wbr>W%2FGnY0DnAL0DRyQpNW%<wbr>2BdH9de4QdEugUep8QejdMiQSqb4gW<wbr>zuOFlKGEtpliV39beLxNCVg%3D%3D</a></font></i></div><div><br></div><div>So the question is who is supposed to process request from IdP on its way back to keystone?</div><div><br></div><div>I’m using devstack and configured keystone.conf:</div><div><br></div><div>[auth]</div><div>methods = external,password,token,<wbr>oauth1,mapped</div><div><div>[mapped]</div><div>remote_id_attribute = MELLON_IDP</div></div><div><br></div><br><div>
<div>..Sergey Filatov</div><div><br></div>
</div>
<br></div><br>______________________________<wbr>_________________<br>
Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" rel="noreferrer" target="_blank">http://lists.openstack.org/<wbr>cgi-bin/mailman/listinfo/<wbr>openstack</a><br>
Post to     : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" rel="noreferrer" target="_blank">http://lists.openstack.org/<wbr>cgi-bin/mailman/listinfo/<wbr>openstack</a><br>
<br></blockquote></div><br></div></div>
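<div>The Referer URL quoted in the thread carries SAMLRequest, RelayState, SigAlg and Signature query parameters, which is the SAML HTTP-Redirect binding. The following is an added example, not code from the thread or from keystone: it decodes such a URL and reports which SAML message it carries and whether any user attributes are in it. The function names, the idp.example and sp.example hosts and the sample AuthnRequest are constructed for the illustration.</div>

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

ASSERTION_NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
MAX_XML = 64 * 1024  # cap on inflated size, guards against decompression bombs

def inspect_saml_redirect(url):
    """Decode the SAML message in an HTTP-Redirect binding URL and summarise it."""
    query = parse_qs(urlsplit(url).query)
    param = next((p for p in ("SAMLRequest", "SAMLResponse") if p in query), None)
    if param is None:
        raise ValueError("URL carries no SAMLRequest or SAMLResponse parameter")
    inflater = zlib.decompressobj(-15)  # the redirect binding uses raw DEFLATE
    xml = inflater.decompress(base64.b64decode(query[param][0]), MAX_XML)
    if inflater.unconsumed_tail:
        raise ValueError("inflated message exceeds the size cap")
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD or entity declaration refused")
    root = ET.fromstring(xml)
    issuer = root.find(ASSERTION_NS + "Issuer")
    return {
        "parameter": param,
        "message": root.tag.rsplit("}", 1)[-1],
        "issuer": issuer.text if issuer is not None else None,
        "destination": root.get("Destination"),
        # User attributes live only inside an Assertion; an AuthnRequest has none.
        "attributes": [a.get("Name") for a in root.iter(ASSERTION_NS + "Attribute")],
        "relay_state": query.get("RelayState", [None])[0],
    }

def build_sample_url():
    """Constructed AuthnRequest URL with hypothetical hosts, for the demo only."""
    authn_request = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" '
        'Version="2.0" IssueInstant="2017-01-10T00:00:00Z" Destination="https://idp.example/saml">'
        "<saml:Issuer>https://sp.example/mellon/metadata</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    packed = deflater.compress(authn_request.encode()) + deflater.flush()
    return "https://idp.example/saml?" + urlencode({
        "SAMLRequest": base64.b64encode(packed).decode(),
        "RelayState": "https://sp.example/identity/v3/auth/OS-FEDERATION/websso/saml2",
    })

if __name__ == "__main__":
    print(inspect_saml_redirect(build_sample_url()))
```

<div>An AuthnRequest with an empty attribute list is the service provider's outbound request; IdP attributes arrive only in the Assertion of the later SAML response.</div>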