[keystone] adfs SingleSignOn with CLI/API?

Brandon Sawyers brandor5 at gmail.com
Thu Feb 14 13:15:13 UTC 2019


You should be able to configure keystone to authenticate against "ldap"
using your active directory.

Have you tried that yet?

On Thu, Feb 14, 2019, 05:33 Colleen Murphy <colleen at gazlene.net> wrote:

> On Wed, Feb 13, 2019, at 9:50 AM, Fabian Zimmermann wrote:
> > Hi,
> >
> > thanks for the fast answers.
> >
> > I asked our ADFS Administrators if they could provide some logs to see
> > what's going wrong, but they are unable to deliver these.
>
> I'm more interested in what you were seeing, both the output from the
> client and the output from the keystone server if you have access to it.
>
> >
> > So I installed keycloak and switched to OpenID Connect.
> >
> > I'm (again) able to connect via Horizon SSO, but when I try to use
> > v3oidcpassword in the CLI I'm running into
> >
> > https://bugs.launchpad.net/python-openstackclient/+bug/1648580
> >
> > I already added the suggested --os-client-secret without luck.
> > Updating to latest python-versions..
> >
> > pip install -U python-keystoneclient
> > pip install -U python-openstackclient
> >
> > didn't change anything.
> >
> > Any ideas what to try next?
>
> Unfortunately that seems to still be a valid bug that we'll need to
> address. You could try using the python keystoneauth library directly and
> see if the issue appears there[1][2].
>
> [1] https://docs.openstack.org/keystoneauth/latest/using-sessions.html
> [2] https://docs.openstack.org/keystoneauth/latest/plugin-options.html#v3oidcpassword
>
> >
> > Offtopic:
> >
> > Seems like
> >
> > https://groups.google.com/forum/#!topic/mod_auth_openidc/qGE1DGQCTMY
> >
> > is right. I had to change the RedirectURI to get OpenIDConnect working
> > with Keystone. The sample config of
> >
> > https://docs.openstack.org/keystone/rocky/advanced-topics/federation/websso.html
> >
> > is *not working for me*
>
> I found that too. The in-development documentation has already been
> fixed[3] but we didn't backport that to the Rocky documentation because it
> was part of a large series of rewrites and reorgs.
>
> [3] https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html#configure-mod-auth-openidc
>
> >
> >   Fabian
> >
>
> Colleen
>
>
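
The suggestion quoted above, calling keystoneauth directly with the v3oidcpassword plugin, could look like the following. This is an added example, not code from the thread or from the keystoneauth project. It assumes the OS_* variables are exported the way the CLI reads them, and the HTTPS check is an added assumption, not a keystoneauth requirement.

```python
import os
from urllib.parse import urlparse

# OS_* names as read by the CLI / keystoneauth loader (assumed to be exported).
REQUIRED = ("OS_AUTH_URL", "OS_IDENTITY_PROVIDER", "OS_PROTOCOL",
            "OS_CLIENT_ID", "OS_CLIENT_SECRET", "OS_DISCOVERY_ENDPOINT",
            "OS_USERNAME", "OS_PASSWORD")


def oidc_kwargs(env):
    """Map OS_* variables to OidcPassword keyword arguments.

    Rejects missing values and non-HTTPS endpoints, because the user's
    password and the client secret are posted to the token endpoint.
    """
    missing = [k for k in REQUIRED if not env.get(k)]
    if missing:
        raise ValueError("missing: " + ", ".join(missing))
    for k in ("OS_AUTH_URL", "OS_DISCOVERY_ENDPOINT"):
        if urlparse(env[k]).scheme != "https":
            raise ValueError(k + " must use https")
    return {
        "auth_url": env["OS_AUTH_URL"],
        "identity_provider": env["OS_IDENTITY_PROVIDER"],
        "protocol": env["OS_PROTOCOL"],
        "client_id": env["OS_CLIENT_ID"],
        "client_secret": env["OS_CLIENT_SECRET"],
        "discovery_endpoint": env["OS_DISCOVERY_ENDPOINT"],
        "username": env["OS_USERNAME"],
        "password": env["OS_PASSWORD"],
        "scope": env.get("OS_OPENID_SCOPE", "openid profile"),
    }


def fetch_token(env=os.environ):
    """Run the OIDC password grant and exchange the result for a keystone token."""
    # Imported here so oidc_kwargs() can be checked without keystoneauth1 installed.
    from keystoneauth1 import session
    from keystoneauth1.identity.v3 import OidcPassword

    sess = session.Session(auth=OidcPassword(**oidc_kwargs(env)))
    # On failure this raises a keystoneauth1 exception carrying the HTTP error.
    return sess.get_token()


if __name__ == "__main__":
    # Report only success; never print the token or the secrets.
    print("token acquired:", bool(fetch_token()))
```

If the exception raised here matches what the CLI reports, the problem sits in the plugin or the identity provider configuration, not in python-openstackclient.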