[Openstack] Re Error while signing saml assertion

sreeja kannagundla sreejakannagundla08 at gmail.com
Mon Sep 7 10:12:23 UTC 2015


Hi

This is what my log file looks like:

INFO keystone.common.wsgi [-] POST
http://keystone:5000/v3/auth/OS-FEDERATION/saml2/ecp
ERROR keystone.contrib.federation.idp [-] Error when signing
assertion, reason: Command '['xmlsec1', '--sign', '--privkey-pem',
'/etc/keystone/ssl/private/cakey.pem,/etc/keystone/ssl/certs/ca.pem',
'--id-attr:ID', 'Assertion', '/tmp/tmpfXz0D4']' returned non-zero exit
status 1
      2015-06-24 21:54:46.482 13569 WARNING keystone.common.wsgi [-]
An unexpected error prevented the server from fulfilling your request.

The certificates ca.pem and cakey.pem are present in
/etc/keystone/ssl/certs/ and /etc/keystone/ssl/private/.

This error is raised when the subprocess.check_output method is called
from the sign_assertion method.

The following is my saml section in keystone.conf:

[saml]
certfile = /etc/keystone/ssl/certs/ca.pem
keyfile = /etc/keystone/ssl/private/cakey.pem
idp_entity_id = http://keystone.idp/v3/OS-FEDERATION/saml2/idp
idp_sso_endpoint = http://keystone.idp/v3/OS-FEDERATION/saml2/sso
idp_metadata_path = /etc/keystone/keystone_idp_metadata.xml


On Mon, Sep 7, 2015 at 2:28 PM, nithish B <bestofnithish at gmail.com> wrote:

> Hi Sreeja,
> It seems like your private key and/or the ssl certificate you use to auth
> does not exist. If you are indeed using key-pair based authentication, make
> sure you have the key "signing_key.pem" at the mentioned location, i.e. at
> /etc/ssl/private
>
> If this doesn't help, can you then just share a bit more on your setup.
>
> Thanks.
> Nitish B.
>
> Regards,
> Nitish B.
>
> On Mon, Sep 7, 2015 at 1:15 PM, sreeja kannagundla <
> sreejakannagundla08 at gmail.com> wrote:
>
>> While trying to implement federation, I was getting code 500 errors
>> when trying to get a SAML assertion from a Keystone instance
>> configured as identity provider. This is what the Keystone log showed:
>>
>> INFO keystone.common.wsgi [-] POST http://172.29.236.100:5000/v3/auth/OS-FEDERATION/saml2/ecp
>> ERROR keystone.contrib.federation.idp [-] Error when signing assertion, reason: Command '['xmlsec1', '--sign', '--privkey-pem', '/etc/ssl/private/signing_key.pem,/etc/ssl/certs/signing_cert.pem', '--id-attr:ID', 'Assertion', '/tmp/tmpfXz0D4']' returned non-zero exit status 1
>>       2015-06-24 21:54:46.482 13569 WARNING keystone.common.wsgi [-] An unexpected error prevented the server from fulfilling your request.
>>
>> It is not clear what the problem is from the logs
>
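
Added example, not part of the original thread and not Keystone's own code: the log above records only xmlsec1's exit status, so this Python check inspects the keyfile and certfile named in the [saml] section and offers a helper that re-runs a command while keeping its stderr. The function names and the /etc/keystone/keystone.conf path are assumptions; run it as the user the Keystone service runs as.

```python
import configparser
import os
import subprocess

# (option in [saml], text a usable PEM file of that kind must contain)
CHECKS = (("keyfile", "PRIVATE KEY-----"),
          ("certfile", "-----BEGIN CERTIFICATE-----"))


def saml_signing_preflight(conf_path):
    """Return a list of problems with the [saml] signing files (empty = none found)."""
    conf = configparser.ConfigParser(interpolation=None, strict=False)
    conf.read(conf_path)
    problems = []
    for option, marker in CHECKS:
        path = conf.get("saml", option, fallback=None)
        if not path:
            problems.append(f"{option}: not set in [saml]")
        elif not os.path.isfile(path):
            problems.append(f"{option}: {path} does not exist")
        elif not os.access(path, os.R_OK):
            problems.append(f"{option}: {path} not readable by uid {os.getuid()}")
        else:
            with open(path, errors="replace") as fh:
                text = fh.read()
            if marker not in text:
                problems.append(f"{option}: {path} has no '{marker}' PEM block")
            elif option == "keyfile" and "ENCRYPTED" in text:
                # The logged xmlsec1 command passes no passphrase for the key.
                problems.append(f"{option}: {path} is passphrase-protected")
    return problems


def run_showing_stderr(cmd):
    """Re-run a command; return (exit status, stderr) rather than the status alone."""
    proc = subprocess.run(cmd, stdout=subprocess.PIPE,
                          stderr=subprocess.PIPE, text=True)
    return proc.returncode, proc.stderr.strip()


if __name__ == "__main__":
    # Assumed default location of keystone.conf.
    for line in saml_signing_preflight("/etc/keystone/keystone.conf"):
        print(line)
```

Passing the xmlsec1 argument list from the log to run_showing_stderr, against a saved copy of the assertion, returns the message that the exit status alone does not carry.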