Hi Marco, did you get a chance to look at the logs?
Regards,
Akshik

From: [email protected]
To: [email protected]
Date: Fri, 27 Feb 2015 22:50:47 +0530
Subject: Re: [openstack-dev] Need help in configuring keystone




Hi Marco,
Thanks for responding. I've cleared the log file and have restarted the shibd
service.
The metadata file got created; I've attached the log file and metadata file as
well.
Regards,
Akshik

Date: Fri, 27 Feb 2015 15:12:39 +0100
From: [email protected]
To: [email protected]
Subject: Re: [openstack-dev] Need help in configuring keystone

Hi Akshik,
 
The metadata error is in your SP; if the error was on testshib you
should not be redirected back after the login. Maybe there is a configuration
problem with shibboleth. Try to restart the service and look at the shibboleth
logs. Check also that the metadata of testshib are downloaded correctly,
because from the error it seems you do not have the metadata of testshib.
 
Cheers,
Marco
 
On Fri, Feb 27, 2015 at 06:39:30PM +0530, Akshik DBK wrote:
> Hi Marek,
> I've registered with testshib; this is the keystone-apache-error.log entry I get:
> [error] [client 121.243.33.212] No MetadataProvider available., referer: https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO
>
> From: [email protected]
> To: [email protected]
> Date: Fri, 27 Feb 2015 15:56:57 +0530
> Subject: [openstack-dev] Need help in configuring keystone
>
> Hi, I'm new to SAML and trying to integrate keystone with SAML. I'm using
> Ubuntu 12.04 with Icehouse, and I'm following
> http://docs.openstack.org/developer/k...
> When I'm trying to configure keystone with two IdPs, when I access
> https://MYSERVER:5000/v3/OS-FEDERATIO... it gets redirected to testshib.org;
> it prompts for username and password, and when the same is given I'm getting
> shibsp::ConfigurationException at ( https://MYSERVER:5000/Shibboleth.sso/... )
> No MetadataProvider available.
>
> Here is my shibboleth2.xml content:
>
> <SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
>     xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
>     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>     xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
>     clockSkew="180">
>
>     <ApplicationDefaults entityID="https://MYSERVER:5000/Shibboleth">
>         <Sessions lifetime="28800" timeout="3600" checkAddress="false"
>             relayState="ss:mem" handlerSSL="false">
>             <SSO entityID="https://idp.testshib.org/idp/shibboleth" ECP="true">
>                 SAML2 SAML1
>             </SSO>
>
>             <Logout>SAML2 Local</Logout>
>
>             <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
>             <Handler type="Status" Location="/Status" />
>             <Handler type="Session" Location="/Session" showAttributeValues="false"/>
>             <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
>         </Sessions>
>
>         <Errors supportContact="root@localhost"
>             logoLocation="/shibboleth-sp/logo.jpg"
>             styleSheet="/shibboleth-sp/main.css"/>
>
>         <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
>         <AttributeResolver type="Query" subjectMatch="true"/>
>         <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
>         <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
>
>         <ApplicationOverride id="idp_1" entityID="https://MYSERVER:5000/Shibboleth">
>
>             <Sessions lifetime="28800" timeout="3600" checkAddress="false"
>                 relayState="ss:mem" handlerSSL="false">
>                 <SSO entityID="https://portal4.mss.internalidp.com/idp/shibboleth" ECP="true">
>                     SAML2 SAML1
>                 </SSO>
>                 <Logout>SAML2 Local</Logout>
>             </Sessions>
>
>             <MetadataProvider type="XML"
>                 uri="https://portal4.mss.internalidp.com/idp/shibboleth"
>                 backingFilePath="/tmp/tata.xml" reloadInterval="180000" />
>         </ApplicationOverride>
>
>         <ApplicationOverride id="idp_2" entityID="https://MYSERVER:5000/Shibboleth">
>             <Sessions lifetime="28800" timeout="3600" checkAddress="false"
>                 relayState="ss:mem" handlerSSL="false">
>                 <SSO entityID="https://idp.testshib.org/idp/shibboleth" ECP="true">
>                     SAML2 SAML1
>                 </SSO>
>
>                 <Logout>SAML2 Local</Logout>
>             </Sessions>
>
>             <MetadataProvider type="XML"
>                 uri="https://idp.testshib.org/idp/shibboleth"
>                 backingFilePath="/tmp/testshib.xml" reloadInterval="180000"/>
>         </ApplicationOverride>
>     </ApplicationDefaults>
>
>     <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
>     <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
> </SPConfig>
>
> Here is my wsgi-keystone:
>
> WSGIScriptAlias /keystone/main  /var/www/cgi-bin/keystone/main
> WSGIScriptAlias /keystone/admin  /var/www/cgi-bin/keystone/admin
> 
> <Location "/keystone">
> # NSSRequireSSL
> SSLRequireSSL
> Authtype none
> </Location>
> 
> <Location /Shibboleth.sso>
>     SetHandler shib
> </Location>
> 
> <Location /v3/OS-FEDERATION/identity_providers/idp_1/protocols/saml2/auth>
>     ShibRequestSetting requireSession 1
>     ShibRequestSetting applicationId idp_1
>     AuthType shibboleth
>     ShibRequireAll On
>     ShibRequireSession On
>     ShibExportAssertion Off
>     Require valid-user
> </Location>
> 
> <Location /v3/OS-FEDERATION/identity_providers/idp_2/protocols/saml2/auth>
>     ShibRequestSetting requireSession 1
>     ShibRequestSetting applicationId idp_2
>     AuthType shibboleth
>     ShibRequireAll On
>     ShibRequireSession On
>     ShibExportAssertion Off
>     Require valid-user
> </Location>                                     
> 
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: [email protected]?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev             
>                           
 
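An added example, not part of the thread and not Shibboleth's own tooling: a Python check over a shibboleth2.xml that reports, for the default application and each ApplicationOverride, whether a MetadataProvider is in scope for its configured SSO entityID, and whether a backing file sits under /tmp. It assumes an override that defines no MetadataProvider inherits the one on ApplicationDefaults; the function name `audit_metadata_providers` and the trimmed sample are constructed here.

```python
import xml.etree.ElementTree as ET

NS = {"sp": "urn:mace:shibboleth:2.0:native:sp:config"}

# Constructed sample, trimmed from the shibboleth2.xml quoted in the thread.
SAMPLE = """\
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://MYSERVER:5000/Shibboleth">
    <Sessions><SSO entityID="https://idp.testshib.org/idp/shibboleth">SAML2</SSO></Sessions>
    <ApplicationOverride id="idp_2" entityID="https://MYSERVER:5000/Shibboleth">
      <Sessions><SSO entityID="https://idp.testshib.org/idp/shibboleth">SAML2</SSO></Sessions>
      <MetadataProvider type="XML" uri="https://idp.testshib.org/idp/shibboleth"
                        backingFilePath="/tmp/testshib.xml"/>
    </ApplicationOverride>
  </ApplicationDefaults>
</SPConfig>
"""


def audit_metadata_providers(xml_text):
    """Return {application id: [findings]} for the default app and each override."""
    defaults = ET.fromstring(xml_text).find("sp:ApplicationDefaults", NS)
    if defaults is None:
        raise ValueError("no ApplicationDefaults element found")
    # Direct children only: providers nested in overrides do not count here.
    inherited = defaults.findall("sp:MetadataProvider", NS)
    apps = [("default", defaults, [])]
    apps += [(ov.get("id"), ov, inherited)
             for ov in defaults.findall("sp:ApplicationOverride", NS)]
    report = {}
    for app_id, elem, parent_providers in apps:
        # Assumption: an override without its own provider uses the default's.
        providers = elem.findall("sp:MetadataProvider", NS) or parent_providers
        sso = elem.find("sp:Sessions/sp:SSO", NS)
        findings = []
        if sso is not None and not providers:
            findings.append("SSO to %s but no MetadataProvider in scope"
                            % sso.get("entityID"))
        for mp in providers:
            path = mp.get("backingFilePath", "")
            if path.startswith("/tmp/"):
                findings.append("backing file %s is in a world-writable directory" % path)
        report[app_id] = findings
    return report


if __name__ == "__main__":
    for app_id, findings in audit_metadata_providers(SAMPLE).items():
        print(app_id, "->", findings or "ok")
```

On the trimmed sample, the default application is reported as having an SSO target with no metadata in scope, while the idp_2 override has its own provider and is flagged only for the /tmp backing file.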