Re: [openstack-dev] Need help in configuring keystone

Fri, 27 Feb 2015 02:44:59 -0800 

Hi Akshik,

Did you upload your Metadata file to the testshib server?
You are advised to follow steps starting from here: http://testshib.org/register.html 


For the record, Keystone will act here as a Service Provider,  so you 
need to follow testhib docs/tutorials for setting your SP (Service Provider)


Let me know if that was your issue.

If not, a more detailed steps of how your configured your Keystone 
acting as a Service Provider would be more helpful.


Marek Denis

On 27.02.2015 11:26, Akshik DBK wrote:



Hi I'm new to SAML, trying to integrate keystone with SAML, Im using 
Ubuntu 12.04 with Icehouse,



im following http://docs.openstack.org/developer/k... 
<http://docs.openstack.org/developer/keystone/extensions/shibboleth.html>


when im trying to configure keystone with two idp,


when i access https://MYSERVER:5000/v3/OS-FEDERATIO... 
<https://myserver:5000/v3/OS-FEDERATION/identity_providers/idp_2/protocols/saml2/auth>



it gets redirected to testshib.org <http://testshib.org/> , it prompts 
for username and password when the same is given im getting



*shibsp::ConfigurationException at ( 
https://MYSERVER:5000/Shibboleth.sso/... 
<https://myserver:5000/Shibboleth.sso/SAML2/POST> ) No 
MetadataProvider available.*


here is my shibboleth2.xml content

|<SPConfig  xmlns="urn:mace:shibboleth:2.0:native:sp:config"
     xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"

     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"     
     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"

     clockSkew="180">

     <ApplicationDefaults  entityID="https://MYSERVER:5000/Shibboleth";>
         <Sessions  lifetime="28800"  timeout="3600"  checkAddress="false"  
relayState="ss:mem"  handlerSSL="false">
             <SSO  entityID="https://idp.testshib.org/idp/shibboleth";  
ECP="true">
                 SAML2 SAML1
             </SSO>

             <Logout>SAML2 Local</Logout>

             <Handler  type="MetadataGenerator"  Location="/Metadata"  
signing="false"/>
             <Handler  type="Status"  Location="/Status"  />
             <Handler  type="Session"  Location="/Session"  
showAttributeValues="false"/>
             <Handler  type="DiscoveryFeed"  Location="/DiscoFeed"/>
         </Sessions>

         <Errors  supportContact="root@localhost"
             logoLocation="/shibboleth-sp/logo.jpg"
             styleSheet="/shibboleth-sp/main.css"/>

         <AttributeExtractor  type="XML"  validate="true"  
path="attribute-map.xml"/>
         <AttributeResolver  type="Query"  subjectMatch="true"/>
         <AttributeFilter  type="XML"  validate="true"  
path="attribute-policy.xml"/>
         <CredentialResolver  type="File"  key="sp-key.pem"  
certificate="sp-cert.pem"/>

         <ApplicationOverride  id="idp_1"  
entityID="https://MYSERVER:5000/Shibboleth";>

             <Sessions  lifetime="28800"  timeout="3600"  checkAddress="false"
             relayState="ss:mem"  handlerSSL="false">
                 <SSO  entityID="https://portal4.mss.internalidp.com/idp/shibboleth";  
ECP="true">
                     SAML2 SAML1
                 </SSO>
                 <Logout>SAML2 Local</Logout>
             </Sessions>

             <MetadataProvider  type="XML"  
uri="https://portal4.mss.internalidp.com/idp/shibboleth";
              backingFilePath="/tmp/tata.xml"  reloadInterval="180000"  />
         </ApplicationOverride>

         <ApplicationOverride  id="idp_2"  
entityID="https://MYSERVER:5000/Shibboleth";>
             <Sessions  lifetime="28800"  timeout="3600"  checkAddress="false"
             relayState="ss:mem"  handlerSSL="false">
                 <SSO  entityID="https://idp.testshib.org/idp/shibboleth";  
ECP="true">
                     SAML2 SAML1
                 </SSO>

                 <Logout>SAML2 Local</Logout>
             </Sessions>


             <MetadataProvider  type="XML"  uri="https://idp.testshib.org/idp/shibboleth";   
             backingFilePath="/tmp/testshib.xml"  reloadInterval="180000"/>

         </ApplicationOverride>
     </ApplicationDefaults>

     <SecurityPolicyProvider  type="XML"  validate="true"  
path="security-policy.xml"/>
     <ProtocolProvider  type="XML"  validate="true"  reloadChanges="false"  
path="protocols.xml"/>
</SPConfig>|

here is my wsgi-keystone

|WSGIScriptAlias  /keystone/main/var/www/cgi-bin/keystone/main
WSGIScriptAlias  /keystone/admin/var/www/cgi-bin/keystone/admin

<Location  "/keystone">
# NSSRequireSSL
SSLRequireSSL
Authtype  none
</Location>

<Location /Shibboleth.sso>
     SetHandler  shib
</Location>

<Location /v3/OS-FEDERATION/identity_providers/idp_1/protocols/saml2/auth>
     ShibRequestSetting  requireSession1
     ShibRequestSetting  applicationId idp_1
     AuthType  shibboleth
     ShibRequireAll  On
     ShibRequireSession  On
     ShibExportAssertion  Off
     Require  valid-user
</Location>

<Location /v3/OS-FEDERATION/identity_providers/idp_2/protocols/saml2/auth>
     ShibRequestSetting  requireSession1
     ShibRequestSetting  applicationId idp_2
     AuthType  shibboleth
     ShibRequireAll  On
     ShibRequireSession  On
     ShibExportAssertion  Off
     Require  valid-user
</Location>|


__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev






















					Reply via email to