[Openstack] Re Error while signing saml assertion

nithish B bestofnithish at gmail.com
Mon Sep 7 11:32:06 UTC 2015


Hi Sreeja,
I think this is happening because your SAML namespace prefixes are being
reassigned. The line of code
"file_path = fileutils.write_to_tempfile(assertion.to_string())" is
raising the exception. The link
https://review.openstack.org/gitweb?p=openstack%2Fkeystone.git;a=commitdiff;h=acdf034eb189773494849c4b7798f4bf59ea8517
might help you out. Try patching your keystone with the 2 files and even
then if the problem persists, let me know.

Thanks.
Nitish B.

Regards,
Nitish B.

On Mon, Sep 7, 2015 at 3:42 PM, sreeja kannagundla <
sreejakannagundla08 at gmail.com> wrote:

> Hi
>
> This is what my log file looks like:
>
> INFO keystone.common.wsgi [-] POST http://keystone:5000/v3/auth/OS-FEDERATION/saml2/ecp
> ERROR keystone.contrib.federation.idp [-] Error when signing assertion, reason: Command '['xmlsec1', '--sign', '--privkey-pem', '/etc/keystone/ssl/private/cakey.pem,/etc/keystone/ssl/certs/ca.pem', '--id-attr:ID', 'Assertion', '/tmp/tmpfXz0D4']' returned non-zero exit status 1
> 2015-06-24 21:54:46.482 13569 WARNING keystone.common.wsgi [-] An unexpected error prevented the server from fulfilling your request.
>
> and the certificates ca.pem and cakey.pem are present in /etc/keystone/ssl/certs/ and /etc/keystone/ssl/private/ respectively.
>
> This error is raised when the subprocess.check_output method is called from the sign_assertion method,
>
> and following is my saml section in keystone.conf :
>
> [saml]
> certfile = /etc/keystone/ssl/certs/ca.pem
> keyfile = /etc/keystone/ssl/private/cakey.pem
> idp_entity_id = http://keystone.idp/v3/OS-FEDERATION/saml2/idp
> idp_sso_endpoint = http://keystone.idp/v3/OS-FEDERATION/saml2/sso
> idp_metadata_path = /etc/keystone/keystone_idp_metadata.xml
>
>
> On Mon, Sep 7, 2015 at 2:28 PM, nithish B <bestofnithish at gmail.com> wrote:
>
>> Hi Sreeja,
>> It seems like your private key and/or the SSL certificate you use to auth
>> does not exist. If you are indeed using key-pair based authentication, make
>> sure you have the key "signing_key.pem" at the mentioned location, i.e. at
>> /etc/ssl/private
>>
>> If this doesn't help, can you then just share a bit more on your setup?
>>
>> Thanks.
>> Nitish B.
>>
>> Regards,
>> Nitish B.
>>
>> On Mon, Sep 7, 2015 at 1:15 PM, sreeja kannagundla <
>> sreejakannagundla08 at gmail.com> wrote:
>>
>>> While trying to implement federation, I was getting code 500 errors
>>> when trying to get a SAML assertion from a Keystone instance
>>> configured as identity provider. This is what the Keystone log showed:
>>>
>>> INFO keystone.common.wsgi [-] POST http://172.29.236.100:5000/v3/auth/OS-FEDERATION/saml2/ecp
>>> ERROR keystone.contrib.federation.idp [-] Error when signing assertion, reason: Command '['xmlsec1', '--sign', '--privkey-pem', '/etc/ssl/private/signing_key.pem,/etc/ssl/certs/signing_cert.pem', '--id-attr:ID', 'Assertion', '/tmp/tmpfXz0D4']' returned non-zero exit status 1
>>> 2015-06-24 21:54:46.482 13569 WARNING keystone.common.wsgi [-] An unexpected error prevented the server from fulfilling your request.
>>>
>>> It is not clear what the problem is from the logs.
>>>
>>>
>>> _______________________________________________
>>> Mailing list:
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>> Post to     : openstack at lists.openstack.org
>>> Unsubscribe :
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>
>>>
>>
>
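The log lines quoted in this thread only say that xmlsec1 "returned non-zero exit status 1", because Keystone runs it through subprocess.check_output, which captures stdout but lets xmlsec1's stderr go to the service's own stderr where nobody looks. The script below is an added example, not Keystone's code and not from anyone in this thread: it rebuilds the same xmlsec1 argv from the log, first checks that the key and cert paths exist and are readable by the process doing the signing (run it as the keystone service user, not root), and then captures xmlsec1's stderr so the actual reason is visible. The sample assertion, its Signature template (SHA-256 algorithms), the ID value and all path names are constructed for this example.

```python
"""Reproduce Keystone's xmlsec1 signing call outside the server.

Added example, not Keystone's own code.  Keystone's sign_assertion() (as the
thread says) runs xmlsec1 through subprocess.check_output(), which only
captures stdout: on failure the log shows "returned non-zero exit status 1"
while xmlsec1's real diagnostic went to the service's stderr.  The helpers
below rebuild the same argv, check the PEM paths the way the keystone
process would see them, and keep xmlsec1's stderr.
"""
import os
import shutil
import subprocess
import tempfile

# Unsigned assertion with an empty XML-DSig template for xmlsec1 to fill in.
# Constructed for this example (SHA-256 algorithms; the ID value is made up).
SAMPLE_ASSERTION = """<?xml version="1.0" encoding="UTF-8"?>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example0001" Version="2.0" IssueInstant="2015-09-07T11:32:06Z">
  <saml:Issuer>http://keystone.idp/v3/OS-FEDERATION/saml2/idp</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_example0001">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue/>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue/>
    <ds:KeyInfo><ds:X509Data/></ds:KeyInfo>
  </ds:Signature>
  <saml:Subject><saml:NameID>user@example.org</saml:NameID></saml:Subject>
</saml:Assertion>
"""


def build_xmlsec1_argv(keyfile, certfile, xml_path):
    """The argv shape seen in the thread's log lines.  xmlsec1 reads
    '--privkey-pem <key>[,<cert>...]' as one comma-separated value, and
    '--id-attr:ID Assertion' tells it that ID is the ID attribute of the
    Assertion element so the Reference URI="#..." can be resolved."""
    return ["xmlsec1", "--sign",
            "--privkey-pem", "%s,%s" % (keyfile, certfile),
            "--id-attr:ID", "Assertion",
            xml_path]


def preflight(keyfile, certfile):
    """Return problems with the PEM paths (empty list if both look usable).
    Run as the user the keystone service runs as: a key that root can read
    but the service uid cannot fails in exactly the same way."""
    problems = []
    for label, path in (("keyfile", keyfile), ("certfile", certfile)):
        if not os.path.isfile(path):
            problems.append("%s %s does not exist" % (label, path))
        elif not os.access(path, os.R_OK):
            problems.append("%s %s is not readable by this process" % (label, path))
    return problems


def sign_assertion_verbose(keyfile, certfile, assertion_xml):
    """Write the assertion to a temp file and sign it as Keystone does, but
    return (returncode, stdout, stderr) instead of raising CalledProcessError,
    so xmlsec1's own message is visible.  returncode is None if xmlsec1 never ran."""
    problems = preflight(keyfile, certfile)
    if problems:
        return None, "", "\n".join(problems)
    if shutil.which("xmlsec1") is None:
        return None, "", "xmlsec1 not found on PATH"
    fd, path = tempfile.mkstemp(suffix=".xml")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(assertion_xml)
        proc = subprocess.run(build_xmlsec1_argv(keyfile, certfile, path),
                              stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                              universal_newlines=True)
        return proc.returncode, proc.stdout, proc.stderr
    finally:
        os.unlink(path)


def demo_preflight():
    """Exercise preflight() on a readable file and on a missing one."""
    with tempfile.NamedTemporaryFile(suffix=".pem") as fake:
        readable = preflight(fake.name, fake.name)
        missing = preflight(fake.name + ".missing", fake.name)
    return readable, missing


if __name__ == "__main__":
    # Stand-alone run: make a throwaway self-signed key/cert pair (needs the
    # openssl and xmlsec1 binaries) and sign the sample assertion with it.
    if shutil.which("openssl") and shutil.which("xmlsec1"):
        with tempfile.TemporaryDirectory() as d:
            key, cert = os.path.join(d, "key.pem"), os.path.join(d, "cert.pem")
            subprocess.check_call(["openssl", "req", "-x509", "-newkey", "rsa:2048",
                                   "-nodes", "-keyout", key, "-out", cert,
                                   "-subj", "/CN=keystone.idp", "-days", "1"],
                                  stderr=subprocess.DEVNULL)
            rc, out, err = sign_assertion_verbose(key, cert, SAMPLE_ASSERTION)
            print("exit status:", rc)
            print(out if rc == 0 else err)
    else:
        # Otherwise just report what preflight sees for the paths from the thread.
        print(sign_assertion_verbose("/etc/keystone/ssl/private/cakey.pem",
                                     "/etc/keystone/ssl/certs/ca.pem",
                                     SAMPLE_ASSERTION)[2])
```

To reproduce the thread's failure, point sign_assertion_verbose() at the certfile and keyfile from the [saml] section of keystone.conf and run it with sudo -u keystone; whatever xmlsec1 prints on stderr (unreadable key, key and cert not loading together, ID attribute not found, and so on) is the detail the Keystone log is missing.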