[openstack-dev] [keystone] federation

Navid Pustchi npustchi at gmail.com
Fri Aug 21 05:23:15 UTC 2015


Hi

I am testing the feasibility of using a federated token to access another federated
resource.
For this purpose, I set up three devstack kilo instances as:

kilo1 (IdP) -----> kilo2 (SP / IdP) -----> kilo3 (SP)

1. get a federated scoped token for a project in kilo2.

2. using this federated token, get federated scoped token for a project in
kilo3.

I get 500 internal server error from kilo2.
If I remove the service provider in kilo2 (registered for kilo3), I can get a
federated scoped token.

So far I know that for issuing a v3 token, the error is within webob
python /usr/local/lib/python2.7/dist-packages/webob/dec.py while
authenticating the token in /keystone/auth/controllers.py. The following
link is the stack trace:
http://paste.openstack.org/show/422584/

The issue is that when an SP is set up to be an IdP as well as a service provider (for
kilo3) in kilo2, I get an HTTP 500 internal server error.

The unscoped token response from kilo2 is at the following link:
http://paste.openstack.org/show/412951/

I wanted to know if somebody has tested similar scenarios or had similar issues.


Thanks for your response
-Navid Pustchi