[openstack-dev] Need help in configuring keystone
Fargetta Marco
marco.fargetta at ct.infn.it
Mon Mar 2 10:29:21 UTC 2015
Hi Akshik,
if you look at the log you find these lines:
2015-02-27 22:36:38 CRIT Shibboleth.Application : no MetadataProvider available, configuration is probably unusable
2015-02-27 22:36:38 INFO Shibboleth.Application : no TrustEngine specified or installed, using default chain {ExplicitKey, PKIX}
2015-02-27 22:36:38 INFO Shibboleth.Application : building AttributeExtractor of type XML...
It seems there is a problem with your shibboleth2.xml. Check it against a working one or try to increase the log verbosity to
figure out the problem.
Marco
> From: "Akshik DBK" <akshik at outlook.com>
> To: "OpenStack Development Mailing List not for usage questions"
> <openstack-dev at lists.openstack.org>
> Sent: Saturday, 28 February, 2015 17:05:23
> Subject: Re: [openstack-dev] Need help in configuring keystone
> Hi Marco,
> did you get a chance to look at the logs?
> Regards,
> Akshik
> From: akshik at outlook.com
> To: openstack-dev at lists.openstack.org
> Date: Fri, 27 Feb 2015 22:50:47 +0530
> Subject: Re: [openstack-dev] Need help in configuring keystone
> Hi Marco,
> Thanks for responding, I've cleared the log file and have restarted the shibd
> service.
> The metadata file got created; I've attached the log file and metadata file as
> well.
> Regards,
> Akshik
> Date: Fri, 27 Feb 2015 15:12:39 +0100
> From: Marco.Fargetta at ct.infn.it
> To: openstack-dev at lists.openstack.org
> Subject: Re: [openstack-dev] Need help in configuring keystone
> Hi Akshik,
> the metadata error is in your SP; if the error was on testshib you
> should not be redirected back after the login. Maybe there is a configuration
> problem with shibboleth. Try to restart the service and look at the shibboleth logs.
> Check also that the metadata of testshib are downloaded correctly, because from the
> error it seems you do not have the metadata of testshib.
> Cheers,
> Marco
> On Fri, Feb 27, 2015 at 06:39:30PM +0530, Akshik DBK wrote:
> > Hi Marek,
> > I've registered with testshib, this is my keystone-apache-error.log log I get
> > [error] [client 121.243.33.212] No MetadataProvider available., referer:
> > https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO
> > From: akshik at outlook.com
> > To: openstack-dev at lists.openstack.org
> > Date: Fri, 27 Feb 2015 15:56:57 +0530
> > Subject: [openstack-dev] Need help in configuring keystone
> > Hi, I'm new to SAML, trying to integrate keystone with SAML. I'm using Ubuntu
> > 12.04 with Icehouse, I'm following http://docs.openstack.org/developer/k...
> > When I'm trying to configure keystone with two IdPs, when I access
> > https://MYSERVER:5000/v3/OS-FEDERATIO... it gets redirected to testshib.org, it
> > prompts for username and password, and when the same is given I'm getting
> > shibsp::ConfigurationException at ( https://MYSERVER:5000/Shibboleth.sso/... )
> > No MetadataProvider available.
> > Here is my shibboleth2.xml content:
> > <SPConfig
> > xmlns="urn:mace:shibboleth:2.0:native:sp:config"
> > xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
> > xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
> > xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> > xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
> > clockSkew="180">
> > <ApplicationDefaults entityID="https://MYSERVER:5000/Shibboleth">
> > <Sessions lifetime="28800" timeout="3600" checkAddress="false"
> > relayState="ss:mem" handlerSSL="false">
> > <SSO entityID=" https://idp.testshib.org/idp/shibboleth " ECP="true">
> > SAML2 SAML1
> > </SSO>
> > <Logout>SAML2 Local</Logout>
> > <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
> > <Handler type="Status" Location="/Status" />
> > <Handler type="Session" Location="/Session" showAttributeValues="false"/>
> > <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
> > </Sessions>
> > <Errors supportContact="root at localhost"
> > logoLocation="/shibboleth-sp/logo.jpg"
> > styleSheet="/shibboleth-sp/main.css"/>
> > <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
> > <AttributeResolver type="Query" subjectMatch="true"/>
> > <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
> > <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
> > <ApplicationOverride id="idp_1" entityID="https://MYSERVER:5000/Shibboleth">
> > <Sessions lifetime="28800" timeout="3600" checkAddress="false"
> > relayState="ss:mem" handlerSSL="false">
> > <SSO entityID=" https://portal4.mss.internalidp.com/idp/shibboleth " ECP="true">
> > SAML2 SAML1
> > </SSO>
> > <Logout>SAML2 Local</Logout>
> > </Sessions>
> > <MetadataProvider type="XML" uri=" https://portal4.mss.internalidp.com/idp/shibboleth "
> > backingFilePath="/tmp/tata.xml" reloadInterval="180000" />
> > </ApplicationOverride>
> > <ApplicationOverride id="idp_2" entityID="https://MYSERVER:5000/Shibboleth">
> > <Sessions lifetime="28800" timeout="3600" checkAddress="false"
> > relayState="ss:mem" handlerSSL="false">
> > <SSO entityID=" https://idp.testshib.org/idp/shibboleth " ECP="true">
> > SAML2 SAML1
> > </SSO>
> > <Logout>SAML2 Local</Logout>
> > </Sessions>
> > <MetadataProvider type="XML" uri=" https://idp.testshib.org/idp/shibboleth "
> > backingFilePath="/tmp/testshib.xml" reloadInterval="180000"/>
> > </ApplicationOverride>
> > </ApplicationDefaults>
> > <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
> > <ProtocolProvider type="XML" validate="true" reloadChanges="false"
> > path="protocols.xml"/>
> > </SPConfig>
> > Here is my wsgi-keystone:
> > WSGIScriptAlias /keystone/main /var/www/cgi-bin/keystone/main
> > WSGIScriptAlias /keystone/admin /var/www/cgi-bin/keystone/admin
> > <Location "/keystone">
> > # NSSRequireSSL
> > SSLRequireSSL
> > Authtype none
> > </Location>
> > <Location /Shibboleth.sso>
> > SetHandler shib
> > </Location>
> > <Location /v3/OS-FEDERATION/identity_providers/idp_1/protocols/saml2/auth>
> > ShibRequestSetting requireSession 1
> > ShibRequestSetting applicationId idp_1
> > AuthType shibboleth
> > ShibRequireAll On
> > ShibRequireSession On
> > ShibExportAssertion Off
> > Require valid-user
> > </Location>
> > <Location /v3/OS-FEDERATION/identity_providers/idp_2/protocols/saml2/auth>
> > ShibRequestSetting requireSession 1
> > ShibRequestSetting applicationId idp_2
> > AuthType shibboleth
> > ShibRequireAll On
> > ShibRequireSession On
> > ShibExportAssertion Off
> > Require valid-user
> > </Location>
> > __________________________________________________________________________
> > OpenStack Development Mailing List (not for usage questions)
> > Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
--
====================================================
Eng. Marco Fargetta, PhD
Istituto Nazionale di Fisica Nucleare (INFN)
Catania, Italy
EMail: Marco.Fargetta at ct.infn.it
====================================================
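Added example, not part of the original thread and not code from the Shibboleth or keystone projects: a small Python check in the spirit of the advice above to examine shibboleth2.xml, reporting which applications have no MetadataProvider. The `audit` function, the sample configuration and its example.org host names are constructed for illustration, and the check assumes an ApplicationOverride can fall back to a MetadataProvider declared in ApplicationDefaults but not the reverse.

```python
import xml.etree.ElementTree as ET

NS = {"sp": "urn:mace:shibboleth:2.0:native:sp:config"}

# Constructed sample, trimmed to the same layout as the configuration quoted in the thread.
SAMPLE = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" clockSkew="180">
  <ApplicationDefaults entityID="https://sp.example.org/Shibboleth">
    <Sessions lifetime="28800" timeout="3600">
      <SSO entityID=" https://idp.example.org/idp/shibboleth ">SAML2</SSO>
    </Sessions>
    <ApplicationOverride id="idp_1" entityID="https://sp.example.org/Shibboleth">
      <MetadataProvider type="XML" uri="https://idp.example.org/idp/shibboleth"
                        backingFilePath="/tmp/idp1.xml"/>
    </ApplicationOverride>
  </ApplicationDefaults>
</SPConfig>"""


def audit(xml_text):
    """Return a list of (application, finding) tuples for a shibboleth2.xml string."""
    root = ET.fromstring(xml_text)
    findings = []
    defaults = root.find("sp:ApplicationDefaults", NS)
    if defaults is None:
        return [("-", "no ApplicationDefaults element")]
    # Direct children only: a provider nested in an override does not serve the defaults.
    default_has_md = defaults.find("sp:MetadataProvider", NS) is not None
    if not default_has_md:
        findings.append(("default", "no MetadataProvider"))
    for ov in defaults.findall("sp:ApplicationOverride", NS):
        # Assumption: an override without its own provider falls back to the defaults'.
        if ov.find("sp:MetadataProvider", NS) is None and not default_has_md:
            findings.append((ov.get("id"), "no MetadataProvider (own or inherited)"))
    # Flag entityID/uri values that carry leading or trailing whitespace.
    for el in root.iter():
        for attr in ("entityID", "uri"):
            val = el.get(attr)
            if val is not None and val != val.strip():
                tag = el.tag.split("}")[-1]
                findings.append((tag, f"{attr} has surrounding whitespace"))
    return findings


if __name__ == "__main__":
    for app, msg in audit(SAMPLE):
        print(f"{app}: {msg}")
```

Run against the real file with `audit(open(path).read())`, where `path` is wherever the SP keeps its shibboleth2.xml; requests that carry no `applicationId` setting are handled by the default application, so a "default" finding is the one to look at first.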