[Openstack] Keystone and identity federation

thomas.duval at orange.com thomas.duval at orange.com
Fri Apr 22 08:07:21 UTC 2016


Hi 

I still have problems connecting Keystone with Shibboleth.
From [1], I have seen that in keystone.conf, I must put the next line:

idp_sso_endpoint=https://keystone.example.com/v3/OS-FEDERATION/saml2/sso

But I cannot retrieve this URL with a 'wget' (404 error); moreover, the code in keystone [2] doesn't contain a route to that URI.
Is this normal? Can someone give me the right parameter in keystone.conf?

Cheers,

[1] http://docs.openstack.org/developer/keystone/configure_federation.html#keystone-as-an-identity-provider-idp
[2] https://github.com/openstack/keystone/blob/stable/liberty/keystone/contrib/federation/routers.py
--
Thomas Duval
thomas.duval at orange.com

________________________________________
From: thomas.duval at orange.com [thomas.duval at orange.com]
Sent: Tuesday 1 March 2016 17:09
To: Marek Denis; openstack at lists.openstack.org
Subject: Re: [Openstack] Keystone and identity federation

Thanks Marek for your answer.

I tried to use HTTPS, I also deleted the <ApplicationOverride> and I changed all IP addresses into FQDNs (by setting them in the /etc/hosts file), but with no luck.

The problem is on the SP server because there is no data transmitted to the IdP server.

On the SP server, when I try to retrieve the data from http://idp.loc:5000/idp/Shibboleth.sso/Metadata, the IdP gives me:

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="_3c5b6e319dcd12ca1e91dfba9e4e4c22a8190c1c" entityID="https://idp.loc:5000/shibboleth">

  <md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
  </md:Extensions>

  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
    <md:Extensions>
      <init:RequestInitiator xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://idp.loc:5000/Shibboleth.sso/Login"/>
      <idpdisc:DiscoveryResponse xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" Location="https://idp.loc:5000/Shibboleth.sso/Login" index="1"/>
    </md:Extensions>
    <md:KeyDescriptor>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyName>idp</ds:KeyName>
        <ds:X509Data>
          <ds:X509SubjectName>CN=idp</ds:X509SubjectName>
          <ds:X509Certificate>MIIC0DCCAbigAwIBAgIJAMzXtBlkSc6lMA0GCSqGSIb3DQEBBQUAMA4xDDAKBgNV
BAMTA2lkcDAeFw0xNjAyMjYwOTA5MjhaFw0yNjAyMjMwOTA5MjhaMA4xDDAKBgNV
BAMTA2lkcDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANSydej0wXBp
SzDetOyyl3M............ TRUNCATED ......................K7YxQwV2+B/OjCSfZmjKpvv434xZEvEH8v
sTmT+W24NCa12W+3OclfnD1SXxsqx3/NlKFXhGV+CT3F/94fo1PEACsfIworftF3
JMfHLw==
</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes192-gcm"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
    </md:KeyDescriptor>
    <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.loc:5000/Shibboleth.sso/Artifact/SOAP" index="1"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://idp.loc:5000/Shibboleth.sso/SLO/SOAP"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.loc:5000/Shibboleth.sso/SLO/Redirect"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.loc:5000/Shibboleth.sso/SLO/POST"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://idp.loc:5000/Shibboleth.sso/SLO/Artifact"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.loc:5000/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://idp.loc:5000/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://idp.loc:5000/Shibboleth.sso/SAML2/Artifact" index="3"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://idp.loc:5000/Shibboleth.sso/SAML2/ECP" index="4"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post" Location="https://idp.loc:5000/Shibboleth.sso/SAML/POST" index="5"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01" Location="https://idp.loc:5000/Shibboleth.sso/SAML/Artifact" index="6"/>
  </md:SPSSODescriptor>

</md:EntityDescriptor>


--
Thomas



From: Marek Denis [marek.denis at cern.ch]
Sent: Tuesday 1 March 2016 16:26
To: openstack at lists.openstack.org
Subject: Re: [Openstack] Keystone and identity federation

Hi,

On 01.03.2016 10:31, thomas.duval at orange.com wrote:

Hello Everybody,

I am trying to configure identity federation between 2 Keystones and I have some difficulties. I mainly followed this guide
http://docs.openstack.org/developer/keystone/configure_federation.html and when I want to test the federated authentication on the Service Provider (GET /v3/OS-FEDERATION/identity_providers/master/protocols/saml2/auth), I have the following response:

Error 500

Unable to locate metadata for identity provider <http://idp/idp/shibboleth>

The only error in keystone.log is:

Unable to locate metadata for identity provider (http://idp/idp/shibboleth)

I have the following warning in shibd.log:

WARN Shibboleth.SessionInitiator.SAML2 [1]: unable to locate metadata for provider (http://idp/idp/shibboleth)

Here is the configuration of Shibboleth:

<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    clockSkew="180">

    <ApplicationDefaults entityID="http://sp/shibboleth">

        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                  checkAddress="false" handlerSSL="false" cookieProps="http">

            <SSO entityID="http://idp/idp/shibboleth" ECP="true">
              SAML2 SAML1
            </SSO>

            <Logout>SAML2 Local</Logout>

            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
        </Sessions>

        <Errors supportContact="root at localhost"
            helpLocation="/about.html"
            styleSheet="/shibboleth-sp/main.css"/>

        <MetadataProvider type="XML" uri="http://192.168.52.10/Shibboleth.sso/Metadata"
              backingFilePath="/var/cache/shibboleth/idp.xml" reloadInterval="7200">
        </MetadataProvider>










What if you try to set the IdP FQDN here instead of the IP address?

Something like
http://idp/idp/Shibboleth.sso/Metadata

Also, make sure that this URI is reachable for your Service Provider.





        <MetadataProvider type="XML" file="IDP.xml"/>

        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>

        <AttributeResolver type="Query" subjectMatch="true"/>

        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>

        <ApplicationOverride id="master" entityID="http://idp/shibboleth">
           <Sessions lifetime="28800" timeout="3600" checkAddress="false"
           relayState="ss:mem" handlerSSL="false">

            <SSO entityID="https://idp/idp/shibboleth" ECP="true">
                SAML2 SAML1
            </SSO>

            <Logout>SAML2 Local</Logout>
           </Sessions>

           <MetadataProvider type="XML" uri="http://192.168.52.10/Shibboleth.sso/Metadata"
             backingFilePath="/var/cache/shibboleth/idp.xml"
             reloadInterval="180000" />

        </ApplicationOverride>






I'm not sure if you need this <ApplicationOverride> object.





    </ApplicationDefaults>

    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>

</SPConfig>


The http://192.168.52.10/Shibboleth.sso/Metadata URL is working and gives me the metadata of the Identity Provider. The file IDP.xml was retrieved from the same URL and put in the directory /etc/shibboleth.



Both OpenStack servers were installed from DevStack (branch stable/liberty) on Ubuntu trusty.



Does anyone face the same problem?



Cheers.




--
Thomas

_________________________________________________________________________________________________________________________

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.





_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack at lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack




--
Marek Denis
[marek.denis at cern.ch]
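The quoted exchange above turns on one consistency requirement: the entityID named in the SP's <SSO> element must be present in the metadata that the <MetadataProvider> actually loads, otherwise shibd logs "unable to locate metadata for provider" and Keystone surfaces it as the 500 seen in the first mail. Marek's suggestions (FQDN instead of IP address, HTTPS) are the transport side of the same check. The script below is an added example, not code from this thread or from the Shibboleth or Keystone projects: it lints a constructed shibboleth2.xml fragment modelled on the thread's first configuration against a constructed EntityDescriptor modelled on the metadata the idp.loc host returned, and then shows a corrected fragment that passes. The hostnames, paths and the "missing attribute counts as safe" treatment of handlerSSL/cookieProps are assumptions of the example.

```python
"""Lint a Shibboleth SP configuration against the IdP metadata it loads.

Added example (not code from the thread, Shibboleth or Keystone). Rule 1
reproduces the failure in the thread: the entityID in <SSO> must match an
entityID in the metadata that <MetadataProvider> loads, or shibd logs
"unable to locate metadata for provider". Rules 2 and 3 cover the transport
points raised in the thread (FQDN instead of IP, HTTPS, TLS-only handlers
and cookies). All XML below is constructed for this example.
"""
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

CONF = "urn:mace:shibboleth:2.0:native:sp:config"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed fragment modelled on the thread's first shibboleth2.xml.
WEAK_CONFIG = """<SPConfig xmlns="%s" clockSkew="180">
  <ApplicationDefaults entityID="http://sp/shibboleth">
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="false" cookieProps="http">
      <SSO entityID="http://idp/idp/shibboleth" ECP="true">SAML2 SAML1</SSO>
    </Sessions>
    <MetadataProvider type="XML" uri="http://192.168.52.10/Shibboleth.sso/Metadata"
                      backingFilePath="/var/cache/shibboleth/idp.xml" reloadInterval="7200"/>
  </ApplicationDefaults>
</SPConfig>""" % CONF

# Constructed corrected fragment: FQDN (assumed name sp.loc), HTTPS everywhere,
# and the SSO entityID copied from the metadata rather than typed by hand.
FIXED_CONFIG = """<SPConfig xmlns="%s" clockSkew="180">
  <ApplicationDefaults entityID="https://sp.loc/shibboleth">
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="true" cookieProps="https">
      <SSO entityID="https://idp.loc:5000/shibboleth" ECP="true">SAML2</SSO>
    </Sessions>
    <MetadataProvider type="XML" uri="https://idp.loc:5000/Shibboleth.sso/Metadata"
                      backingFilePath="/var/cache/shibboleth/idp.xml" reloadInterval="7200"/>
  </ApplicationDefaults>
</SPConfig>""" % CONF

# Constructed metadata modelled on the EntityDescriptor the idp.loc host returned.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="%s" entityID="https://idp.loc:5000/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>""" % MD


def metadata_entity_ids(metadata_xml):
    """entityIDs described by a metadata document (a single EntityDescriptor
    or an EntitiesDescriptor aggregate); iter() includes the root itself."""
    root = ET.fromstring(metadata_xml)
    return {ed.get("entityID") for ed in root.iter("{%s}EntityDescriptor" % MD)}


def lint_sp_config(config_xml, metadata_xml):
    """Return a list of findings; an empty list means the SP config is
    consistent with the metadata and uses TLS throughout."""
    findings = []
    root = ET.fromstring(config_xml)
    known = metadata_entity_ids(metadata_xml)

    # Rule 1: every <SSO entityID> must resolve in the loaded metadata.
    for sso in root.iter("{%s}SSO" % CONF):
        eid = sso.get("entityID")
        if eid not in known:
            findings.append("SSO entityID %r not found in metadata; known entityIDs: %s"
                            % (eid, sorted(known)))

    # Rule 2: metadata fetched over HTTPS from a hostname, not a bare IP address.
    for mp in root.iter("{%s}MetadataProvider" % CONF):
        uri = mp.get("uri")
        if not uri:
            continue  # file="..." providers have no URI to check
        parsed = urlparse(uri)
        if parsed.scheme != "https":
            findings.append("MetadataProvider uri %r is not HTTPS" % uri)
        try:
            ipaddress.ip_address(parsed.hostname or "")
            findings.append("MetadataProvider uri %r uses an IP address, not an FQDN" % uri)
        except ValueError:
            pass  # a hostname, which is what we want

    # Rule 3: handlers and session cookies restricted to TLS. A missing attribute
    # is treated as the safe value here (an assumption of this lint, not a
    # statement about Shibboleth's real defaults).
    for sessions in root.iter("{%s}Sessions" % CONF):
        if sessions.get("handlerSSL", "true").lower() != "true":
            findings.append("Sessions handlerSSL is not true")
        if sessions.get("cookieProps", "https") != "https":
            findings.append("Sessions cookieProps is %r, expected https"
                            % sessions.get("cookieProps"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        results = lint_sp_config(cfg, IDP_METADATA)
        print("%s config: %d finding(s)" % (name, len(results)))
        for finding in results:
            print("  -", finding)
```

Run against the weak fragment the lint reports five findings (the entityID mismatch, plain-HTTP metadata URL, IP-address metadata URL, handlerSSL and cookieProps); the corrected fragment reports none. Pointing the same check at a real shibboleth2.xml and the cached backingFilePath file is a quick way to confirm the SSO entityID before restarting shibd.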



