[openstack-dev] Need help in configuring keystone

Akshik DBK akshik at outlook.com
Wed Mar 4 07:18:47 UTC 2015


Hi Marek,
I tried with the auto-generated shibboleth2.xml, just added the application override attribute, now im stuck with looping issue,
when i access v3/OS-FEDERATION/identity_providers/idp_2/protocols/saml2/auth for the first time it is prompting for username and password once provided it goes on loop.
i could see session generated https://115.112.68.53:5000/Shibboleth.sso/SessionMiscellaneous
Client Address: 121.243.33.212
Identity Provider: https://idp.testshib.org/idp/shibboleth
SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
Authentication Time: 2015-03-04T06:44:41.625Z
Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Authentication Context Decl: (none)
Session Expiration (barring inactivity): 479 minute(s)

Attributes
affiliation: Member at testshib.org;Staff at testshib.org
entitlement: urn:mace:dir:entitlement:common-lib-terms
eppn: myself at testshib.org
persistent-id: https://idp.testshib.org/idp/shibboleth!https://115.112.68.53/shibboleth!4Q6X4dS2MRhgTZOPTuL9ubMAcIM=
unscoped-affiliation: Member;Staffhere are my config files,<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"  clockSkew="1800">    <ApplicationDefaults entityID="https://115.112.68.53/shibboleth" REMOTE_USER="eppn">        <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="true" handlerSSL="true" cookieProps="; path=/; secure">
            <SSO entityID="https://idp.testshib.org/idp/shibboleth">                SAML2 SAML1            </SSO>
            <Logout>SAML2 Local</Logout>
            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>            <Handler type="Status" Location="/Status"/>            <Handler type="Session" Location="/Session" showAttributeValues="true"/>            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>        </Sessions>
        <Errors supportContact="root at localhost" logoLocation="/shibboleth-sp/logo.jpg" styleSheet="/shibboleth-sp/main.css"/>        <MetadataProvider type="XML" uri="https://www.testshib.org/metadata/testshib-providers.xml"             backingFilePath="/tmp/testshib-two-idp-metadata.xml"             reloadInterval="180000" />        <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>        <AttributeResolver type="Query" subjectMatch="true"/>        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>        <ApplicationOverride id="idp_2" entityID="https://115.112.68.53/shibboleth">           <!--Sessions lifetime="28800" timeout="3600" checkAddress="false"           relayState="ss:mem" handlerSSL="false"-->           <Sessions lifetime="28800" timeout="3600" checkAddress="false"           relayState="ss:mem" handlerSSL="true" cookieProps="; path=/; secure">
            <!-- Triggers a login request directly to the TestShib IdP. -->            <SSO entityID="https://idp.testshib.org/idp/shibboleth" ECP="true">                SAML2 SAML1            </SSO>            <Logout>SAML2 Local</Logout>         </Sessions>            <MetadataProvider type="XML" uri="https://www.testshib.org/metadata/testshib-providers.xml"             backingFilePath="/tmp/testshib-two-idp-metadata.xml"             reloadInterval="180000" />        </ApplicationOverride>    </ApplicationDefaults>    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/></SPConfig>
keystone-httpdWSGIDaemonProcess keystone user=keystone group=nogroup processes=3 threads=10#WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/keystone/main/$1WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/cgi-bin/keystone/main/$1
<VirtualHost *:5000>    LogLevel  info    ErrorLog  /var/log/keystone/keystone-apache-error.log    CustomLog /var/log/keystone/ssl_access.log combined    Options +FollowSymLinks
        SSLEngine on        #SSLCertificateFile /etc/ssl/certs/mycert.pem        #SSLCertificateKeyFile /etc/ssl/private/mycert.key        SSLCertificateFile    /etc/apache2/ssl/server.crt        SSLCertificateKeyFile /etc/apache2/ssl/server.key        SSLVerifyClient optional        SSLVerifyDepth 10        SSLProtocol all -SSLv2        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW        SSLOptions +StdEnvVars +ExportCertData
    WSGIScriptAlias /  /var/www/cgi-bin/keystone/main    WSGIProcessGroup keystone</VirtualHost>
<VirtualHost *:35357>    LogLevel  info    ErrorLog  /var/log/keystone/keystone-apache-error.log    CustomLog /var/log/keystone/ssl_access.log combined    Options +FollowSymLinks
        SSLEngine on
        SSLEngine on        #SSLCertificateFile /etc/ssl/certs/mycert.pem        #SSLCertificateKeyFile /etc/ssl/private/mycert.key        SSLCertificateFile    /etc/apache2/ssl/server.crt        SSLCertificateKeyFile /etc/apache2/ssl/server.key        SSLVerifyClient optional        SSLVerifyDepth 10        SSLProtocol all -SSLv2        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW        SSLOptions +StdEnvVars +ExportCertData
    WSGIScriptAlias / /var/www/cgi-bin/keystone/admin    WSGIProcessGroup keystone</VirtualHost>
wsgi-keystoneWSGIScriptAlias /keystone/main  /var/www/cgi-bin/keystone/mainWSGIScriptAlias /keystone/admin  /var/www/cgi-bin/keystone/admin
<Location "/keystone"># NSSRequireSSLSSLRequireSSLAuthtype none</Location>
<Location /Shibboleth.sso>#    SetHandler shib    Require all granted</Location>
<Location /v3/OS-FEDERATION/identity_providers/idp_1/protocols/saml2/auth>    ShibRequestSetting requireSession 1    ShibRequestSetting applicationId idp_1    AuthType shibboleth    ShibRequireAll On    ShibRequireSession On    ShibExportAssertion Off    Require valid-user</Location>
<Location /v3/OS-FEDERATION/identity_providers/idp_2/protocols/saml2/auth>    ShibRequestSetting requireSession 1    ShibRequestSetting applicationId idp_2    AuthType shibboleth    ShibRequireAll On    ShibRequireSession On    ShibExportAssertion Off    Require valid-user</Location>
Regards,Akshik
> Date: Mon, 2 Mar 2015 12:03:18 +0100
> From: marek.denis at cern.ch
> To: openstack-dev at lists.openstack.org
> Subject: Re: [openstack-dev] Need help in configuring keystone
> 
> Akshik,
> 
> When you are beginning an adventure with saml, shibboleth and so on, 
> it's helpful to start with fetching auto-generated shibboleth2.xml file 
> from testshib.org . This should cover most of your use-cases, at least 
> in the testing environment.
> 
> Marek
> 
> 
> 
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150304/2df3ea4d/attachment.html>


More information about the OpenStack-dev mailing list