[keystone] adfs SingleSignOn with CLI/API?

Fabian Zimmermann dev.faz at gmail.com
Wed Feb 13 08:50:06 UTC 2019


Hi,

thanks for the fast answers.

I asked our ADFS Administrators if they could provide some logs to see 
what's going wrong, but they are unable to deliver these.

So I installed keycloak and switched to OpenID Connect.

I'm (again) able to connect via Horizon SSO, but when I try to use 
v3oidcpassword in the CLI I'm running into

https://bugs.launchpad.net/python-openstackclient/+bug/1648580

I already added the suggested --os-client-secret without luck.
Updating to latest python-versions..

pip install -U python-keystoneclient
pip install -U python-openstackclient

didn't change anything.

Any ideas what to try next?

Off-topic:

Seems like

https://groups.google.com/forum/#!topic/mod_auth_openidc/qGE1DGQCTMY

is right. I had to change the RedirectURI to get OpenID Connect working 
with Keystone. The sample config of

https://docs.openstack.org/keystone/rocky/advanced-topics/federation/websso.html

is *not working for me*

  Fabian



On 11.02.19 at 17:18, Colleen Murphy wrote:
> Forwarding back to list
> 
> On Mon, Feb 11, 2019, at 5:11 PM, Blake Covarrubias wrote:
>>> On Feb 11, 2019, at 6:19 AM, Colleen Murphy <colleen at gazlene.net> wrote:
>>>
>>> Hi Fabian,
>>>
>>> On Mon, Feb 11, 2019, at 12:58 PM, Fabian Zimmermann wrote:
>>>> Hi,
>>>>
>>>> I'm currently trying to implement some way to do a SSO against our
>>>> ActiveDirectory. I already tried SAMLv2 and OpenID Connect.
>>>>
>>>> I'm able to sign in via Horizon, but I'm unable to find a working way on cli.
>>>>
>>>> Already tried v3adfspassword and v3oidcpassword, but I'm unable to get
>>>> them working.
>>>>
>>>> Any hints / links / docs where to find more information?
>>>>
>>>> Anyone using this kind of setup and willing to share KnowHow?
>>>>
>>>> Thanks a lot,
>>>>
>>>> Fabian Zimmermann
>>>
>>> We have an example of authenticating with the CLI here:
>>>
>>> https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html#authenticating
>>>
>>> That only covers the regular SAML2.0 ECP type of authentication, which I guess won't work with ADFS, and we seem to have zero ADFS-specific documentation.
>>>
>>> From the keystoneauth plugin code, it looks like you need to set identity-provider-url, service-provider-endpoint, service-provider-entity-id, username, password, identity-provider, and protocol (I'm getting that from the loader classes[1][2]). Is that the information you're looking for, or can you give more details on what specifically isn't working?
>>>
>>> Colleen
>>>
>>> [1] http://git.openstack.org/cgit/openstack/keystoneauth/tree/keystoneauth1/loading/identity.py#n104
>>> [2] http://git.openstack.org/cgit/openstack/keystoneauth/tree/keystoneauth1/extras/_saml2/_loading.py#n45
>>>
>>
>> Fabian,
>>
>> To add a bit more info, the AD FS plugin essentially uses IdP-initiated
>> sign-on. The identity provider URL is where the initial authentication
>> request to AD FS will be sent. An example of this would be
>> https://HOSTNAME/adfs/services/trust/13/usernamemixed. The service
>> provider's entity ID must also be sent in the request so that AD FS
>> knows which Relying Party Trust to associate with the request.
>>
>> AD FS will provide a SAML assertion upon successful authentication. The
>> service provider endpoint is the URL of the Assertion Consumer Service.
>> If you're using Shibboleth on the SP, this would be
>> https://HOSTNAME/Shibboleth.sso/ADFS.
>>
>> Note: The service-provider-entity-id can be omitted if it is the same
>> value as the service-provider-endpoint (or Assertion Consumer Service
>> URL).
>>
>> Hope this helps.
>>
>> Blake Covarrubias
>>
> 
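Putting Colleen's option list and Blake's URL shapes together, here is an added example (not from anyone in the thread) of the OS_* environment the openstack CLI reads for the v3adfspassword plugin, with a pre-flight check that names any missing option before the CLI is invoked. The hostnames, the identity-provider name "adfs", the protocol name "saml2" and the OS_<NAME> variable mapping are assumptions and must match what is registered in keystone.

```shell
#!/bin/sh
# Added example, not the thread's or keystone's own code.
# Required options for --os-auth-type v3adfspassword (one OS_* variable each);
# OS_SERVICE_PROVIDER_ENTITY_ID is optional when it equals the SP endpoint.
ADFS_REQUIRED="OS_AUTH_URL OS_IDENTITY_PROVIDER OS_PROTOCOL \
OS_IDENTITY_PROVIDER_URL OS_SERVICE_PROVIDER_ENDPOINT OS_USERNAME OS_PASSWORD"

# Returns 0 when every required variable is set and non-empty, 1 otherwise,
# listing the missing ones on stderr so a failing CLI run is easy to diagnose.
check_adfs_env() {
    missing=""
    for v in $ADFS_REQUIRED; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || missing="$missing $v"
    done
    [ -z "$missing" ] && return 0
    echo "missing for v3adfspassword:$missing" >&2
    return 1
}

# Assumed example values; replace the HOSTNAME placeholders with your own.
export OS_AUTH_TYPE=v3adfspassword
export OS_AUTH_URL=https://KEYSTONE_HOSTNAME/identity/v3
export OS_IDENTITY_PROVIDER=adfs
export OS_PROTOCOL=saml2
# Where the initial authentication request goes (IdP-initiated sign-on).
export OS_IDENTITY_PROVIDER_URL=https://ADFS_HOSTNAME/adfs/services/trust/13/usernamemixed
# Assertion Consumer Service on the SP (Shibboleth layout).
export OS_SERVICE_PROVIDER_ENDPOINT=https://SP_HOSTNAME/Shibboleth.sso/ADFS
export OS_SERVICE_PROVIDER_ENTITY_ID=https://SP_HOSTNAME/Shibboleth.sso/ADFS
export OS_USERNAME=user@EXAMPLE.COM
export OS_PASSWORD=secret

# End-to-end check of the federated login: only runs when the CLI is installed
# and the environment is complete.
adfs_token_issue() {
    command -v openstack >/dev/null 2>&1 || { echo "openstack CLI not found" >&2; return 1; }
    check_adfs_env || return 1
    openstack token issue
}
```

Call adfs_token_issue after sourcing the script; a missing variable is reported before any request is sent to AD FS.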


