[openstack-dev] Need help in configuring keystone
Marek Denis
marek.denis at cern.ch
Fri Feb 27 10:38:51 UTC 2015
Hi Akshik,
Did you upload your Metadata file to the testshib server?
You are advised to follow steps starting from here:
http://testshib.org/register.html
For the record, Keystone will act here as a Service Provider, so you
need to follow testshib docs/tutorials for setting up your SP (Service Provider).
Let me know if that was your issue.
If not, more detailed steps of how you configured your Keystone
acting as a Service Provider would be more helpful.
Marek Denis
On 27.02.2015 11:26, Akshik DBK wrote:
>
> Hi, I'm new to SAML, trying to integrate keystone with SAML. I'm using
> Ubuntu 12.04 with Icehouse,
>
> I'm following http://docs.openstack.org/developer/keystone/extensions/shibboleth.html
>
> when I'm trying to configure keystone with two IdPs,
>
> when I access https://myserver:5000/v3/OS-FEDERATION/identity_providers/idp_2/protocols/saml2/auth
>
> it gets redirected to testshib.org, it prompts
> for username and password; when the same is given I'm getting
>
> shibsp::ConfigurationException at (
> https://myserver:5000/Shibboleth.sso/SAML2/POST ) No
> MetadataProvider available.
>
> here is my shibboleth2.xml content
>
> <SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
> xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
> xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
> clockSkew="180">
>
> <ApplicationDefaults entityID="https://MYSERVER:5000/Shibboleth">
> <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="false">
> <SSO entityID="https://idp.testshib.org/idp/shibboleth" ECP="true">
> SAML2 SAML1
> </SSO>
>
> <Logout>SAML2 Local</Logout>
>
> <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
> <Handler type="Status" Location="/Status" />
> <Handler type="Session" Location="/Session" showAttributeValues="false"/>
> <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
> </Sessions>
>
> <Errors supportContact="root at localhost"
> logoLocation="/shibboleth-sp/logo.jpg"
> styleSheet="/shibboleth-sp/main.css"/>
>
> <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
> <AttributeResolver type="Query" subjectMatch="true"/>
> <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
> <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
>
> <ApplicationOverride id="idp_1" entityID="https://MYSERVER:5000/Shibboleth">
>
> <Sessions lifetime="28800" timeout="3600" checkAddress="false"
> relayState="ss:mem" handlerSSL="false">
> <SSO entityID="https://portal4.mss.internalidp.com/idp/shibboleth" ECP="true">
> SAML2 SAML1
> </SSO>
> <Logout>SAML2 Local</Logout>
> </Sessions>
>
> <MetadataProvider type="XML" uri="https://portal4.mss.internalidp.com/idp/shibboleth"
> backingFilePath="/tmp/tata.xml" reloadInterval="180000" />
> </ApplicationOverride>
>
> <ApplicationOverride id="idp_2" entityID="https://MYSERVER:5000/Shibboleth">
> <Sessions lifetime="28800" timeout="3600" checkAddress="false"
> relayState="ss:mem" handlerSSL="false">
> <SSO entityID="https://idp.testshib.org/idp/shibboleth" ECP="true">
> SAML2 SAML1
> </SSO>
>
> <Logout>SAML2 Local</Logout>
> </Sessions>
>
> <MetadataProvider type="XML" uri="https://idp.testshib.org/idp/shibboleth"
> backingFilePath="/tmp/testshib.xml" reloadInterval="180000"/>
> </ApplicationOverride>
> </ApplicationDefaults>
>
> <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
> <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
> </SPConfig>
>
> here is my wsgi-keystone
>
> WSGIScriptAlias /keystone/main /var/www/cgi-bin/keystone/main
> WSGIScriptAlias /keystone/admin /var/www/cgi-bin/keystone/admin
>
> <Location "/keystone">
> # NSSRequireSSL
> SSLRequireSSL
> Authtype none
> </Location>
>
> <Location /Shibboleth.sso>
> SetHandler shib
> </Location>
>
> <Location /v3/OS-FEDERATION/identity_providers/idp_1/protocols/saml2/auth>
> ShibRequestSetting requireSession 1
> ShibRequestSetting applicationId idp_1
> AuthType shibboleth
> ShibRequireAll On
> ShibRequireSession On
> ShibExportAssertion Off
> Require valid-user
> </Location>
>
> <Location /v3/OS-FEDERATION/identity_providers/idp_2/protocols/saml2/auth>
> ShibRequestSetting requireSession 1
> ShibRequestSetting applicationId idp_2
> AuthType shibboleth
> ShibRequireAll On
> ShibRequireSession On
> ShibExportAssertion Off
> Require valid-user
> </Location>
>
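The error quoted above names the exact condition a configuration check can look for: an application whose <SSO> points at an IdP but which has no <MetadataProvider> in scope. The script below is an added example, not from the thread or from the Shibboleth project; it parses a shibboleth2.xml and reports every application (defaults or override) in that state, using a constructed sample shaped like the posted config (the sp.example and idp1.example hosts are placeholders).

```python
# Added check (not from the thread): walk a shibboleth2.xml and report every
# application that configures <SSO entityID=...> without a <MetadataProvider>
# it can use. An ApplicationOverride inherits the MetadataProvider of
# ApplicationDefaults when it has none of its own; the default application
# has nothing to inherit from, so it needs its own.
import xml.etree.ElementTree as ET

NS = {"conf": "urn:mace:shibboleth:2.0:native:sp:config"}


def find_apps_missing_metadata(xml_text):
    """Return [(application id, SSO entityID)] for apps lacking metadata."""
    root = ET.fromstring(xml_text)
    defaults = root.find("conf:ApplicationDefaults", NS)
    if defaults is None:
        return []
    defaults_has_md = defaults.find("conf:MetadataProvider", NS) is not None
    missing = []
    # The default application: only a MetadataProvider of its own counts.
    sso = defaults.find("conf:Sessions/conf:SSO", NS)
    if sso is not None and not defaults_has_md:
        missing.append(("default", sso.get("entityID")))
    for override in defaults.findall("conf:ApplicationOverride", NS):
        sso = override.find("conf:Sessions/conf:SSO", NS)
        own_md = override.find("conf:MetadataProvider", NS) is not None
        if sso is not None and not (own_md or defaults_has_md):
            missing.append((override.get("id"), sso.get("entityID")))
    return missing


# Constructed sample mirroring the posted config: the defaults send SSO to
# testshib with no MetadataProvider, idp_1 carries its own, idp_2 carries none.
SAMPLE = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" clockSkew="180">
  <ApplicationDefaults entityID="https://sp.example/Shibboleth">
    <Sessions lifetime="28800" timeout="3600">
      <SSO entityID="https://idp.testshib.org/idp/shibboleth">SAML2 SAML1</SSO>
    </Sessions>
    <ApplicationOverride id="idp_1" entityID="https://sp.example/Shibboleth">
      <Sessions><SSO entityID="https://idp1.example/idp/shibboleth">SAML2</SSO></Sessions>
      <MetadataProvider type="XML" uri="https://idp1.example/idp/shibboleth"/>
    </ApplicationOverride>
    <ApplicationOverride id="idp_2" entityID="https://sp.example/Shibboleth">
      <Sessions><SSO entityID="https://idp.testshib.org/idp/shibboleth">SAML2</SSO></Sessions>
    </ApplicationOverride>
  </ApplicationDefaults>
</SPConfig>"""

if __name__ == "__main__":
    for app_id, idp in find_apps_missing_metadata(SAMPLE):
        print(f"application {app_id!r}: SSO to {idp} but no MetadataProvider in scope")
```

Run against the posted shibboleth2.xml the same check flags the default application, whose SSO block targets testshib while the only MetadataProvider elements live inside the two overrides.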