[openstack-dev] Need help in configuring keystone

Akshik DBK akshik at outlook.com
Fri Feb 27 13:09:30 UTC 2015 

Hi Marek ,
I've registered with testshib, this is my keystone-apache-error.log log i get [error] [client 121.243.33.212] No MetadataProvider available., referer: https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO
From: akshik at outlook.com
To: openstack-dev at lists.openstack.org
Date: Fri, 27 Feb 2015 15:56:57 +0530
Subject: [openstack-dev] Need help in configuring keystone




Hi I'm new to SAML, trying to integrate keystone with SAML, Im using Ubuntu 12.04 with Icehouse,im following http://docs.openstack.org/developer/k...when im trying to configure keystone with two idp,when i access https://MYSERVER:5000/v3/OS-FEDERATIO...it gets redirected to testshib.org , it prompts for username and password when the same is given im gettingshibsp::ConfigurationException at ( https://MYSERVER:5000/Shibboleth.sso/... ) No MetadataProvider available.here is my shibboleth2.xml content<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    clockSkew="180">

    <ApplicationDefaults entityID="https://MYSERVER:5000/Shibboleth">
        <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="false">
            <SSO entityID="https://idp.testshib.org/idp/shibboleth" ECP="true">
                SAML2 SAML1
            </SSO>

            <Logout>SAML2 Local</Logout>

            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
            <Handler type="Status" Location="/Status" />
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
        </Sessions>

        <Errors supportContact="root at localhost"
            logoLocation="/shibboleth-sp/logo.jpg"
            styleSheet="/shibboleth-sp/main.css"/>

        <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
        <AttributeResolver type="Query" subjectMatch="true"/>
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>

        <ApplicationOverride id="idp_1" entityID="https://MYSERVER:5000/Shibboleth">

            <Sessions lifetime="28800" timeout="3600" checkAddress="false"
            relayState="ss:mem" handlerSSL="false">
                <SSO entityID="https://portal4.mss.internalidp.com/idp/shibboleth" ECP="true">
                    SAML2 SAML1
                </SSO>
                <Logout>SAML2 Local</Logout>
            </Sessions>

            <MetadataProvider type="XML" uri="https://portal4.mss.internalidp.com/idp/shibboleth"
             backingFilePath="/tmp/tata.xml" reloadInterval="180000" />
        </ApplicationOverride>

        <ApplicationOverride id="idp_2" entityID="https://MYSERVER:5000/Shibboleth">
            <Sessions lifetime="28800" timeout="3600" checkAddress="false"
            relayState="ss:mem" handlerSSL="false">
                <SSO entityID="https://idp.testshib.org/idp/shibboleth" ECP="true">
                    SAML2 SAML1
                </SSO>

                <Logout>SAML2 Local</Logout>
            </Sessions>

            <MetadataProvider type="XML" uri="https://idp.testshib.org/idp/shibboleth"  
            backingFilePath="/tmp/testshib.xml" reloadInterval="180000"/>
        </ApplicationOverride>
    </ApplicationDefaults>

    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>here is my wsgi-keystoneWSGIScriptAlias /keystone/main  /var/www/cgi-bin/keystone/main
WSGIScriptAlias /keystone/admin  /var/www/cgi-bin/keystone/admin

<Location "/keystone">
# NSSRequireSSL
SSLRequireSSL
Authtype none
</Location>

<Location /Shibboleth.sso>
    SetHandler shib
</Location>

<Location /v3/OS-FEDERATION/identity_providers/idp_1/protocols/saml2/auth>
    ShibRequestSetting requireSession 1
    ShibRequestSetting applicationId idp_1
    AuthType shibboleth
    ShibRequireAll On
    ShibRequireSession On
    ShibExportAssertion Off
    Require valid-user
</Location>

<Location /v3/OS-FEDERATION/identity_providers/idp_2/protocols/saml2/auth>
    ShibRequestSetting requireSession 1
    ShibRequestSetting applicationId idp_2
    AuthType shibboleth
    ShibRequireAll On
    ShibRequireSession On
    ShibExportAssertion Off
    Require valid-user
</Location> 		 	   		  

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150227/70d79a5b/attachment.html>

More information about the OpenStack-dev mailing list