Hi Marek,
I tried the auto-generated shibboleth2.xml and only added the ApplicationOverride element. Now I am stuck in a redirect loop: when I access v3/OS-FEDERATION/identity_providers/idp_2/protocols/saml2/auth for the first time I am prompted for a username and password, and once I provide them the request keeps looping.
I can see that a session was generated:
https://115.112.68.53:5000/Shibboleth.sso/SessionMiscellaneous
Client Address: 121.243.33.212
Identity Provider: https://idp.testshib.org/idp/shibboleth
SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
Authentication Time: 2015-03-04T06:44:41.625Z
Authentication Context Class: 
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Authentication Context Decl: (none)
Session Expiration (barring inactivity): 479 minute(s)

Attributes
affiliation: [email protected];[email protected]
entitlement: urn:mace:dir:entitlement:common-lib-terms
eppn: [email protected]
persistent-id: 
https://idp.testshib.org/idp/shibboleth!https://115.112.68.53/shibboleth!4Q6X4dS2MRhgTZOPTuL9ubMAcIM=
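unscoped-affiliation: Member;Staff

Here are my config files:

<!-- shibboleth2.xml as pasted, reflowed for readability.
     NOTE(review): the paste showed a literal ';' after several quoted URL
     attribute values (entityID="...";  uri="...";). That is not well-formed
     XML and looks like a mail-client artifact, so it is dropped here; check
     the real file has no stray semicolons or shibd will refuse to load it. -->
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
          clockSkew="1800">
    <!-- NOTE(review): clockSkew is in seconds. 1800 s (30 min, versus the
         stock 180 s) widens the window in which a captured SAML response is
         still accepted. Fix NTP on the SP host rather than widening this. -->

    <ApplicationDefaults entityID="https://115.112.68.53/shibboleth"
                         REMOTE_USER="eppn">

        <!-- The paste had handlerSSL="true" twice on this element. Duplicate
             attributes are not well-formed XML and the parser rejects the
             file, so the duplicate is removed.
             checkAddress="false" drops the client-IP binding of the session
             (weaker hijack resistance; only needed behind NAT or proxies).
             HttpOnly keeps the session cookie out of reach of page scripts. -->
        <Sessions lifetime="28800" timeout="3600" checkAddress="false"
                  relayState="ss:mem" handlerSSL="true"
                  cookieProps="; path=/; secure; HttpOnly">

            <!-- SAML1 is only needed for legacy IdPs; drop it if TestShib /
                 your IdP speaks SAML2 only. -->
            <SSO entityID="https://idp.testshib.org/idp/shibboleth">
                SAML2 SAML1
            </SSO>

            <Logout>SAML2 Local</Logout>

            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
            <!-- NOTE(review): without an acl the Status handler answers anyone
                 who can reach the SP and reports SP version, config paths and
                 certificate details. Restricted to loopback, as in the stock
                 shibboleth2.xml. -->
            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
            <!-- showAttributeValues="true" is useful while debugging (the stock
                 default is false); only the session owner sees their values. -->
            <Handler type="Session" Location="/Session" showAttributeValues="true"/>
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
        </Sessions>

        <Errors supportContact="root@localhost"
                logoLocation="/shibboleth-sp/logo.jpg"
                styleSheet="/shibboleth-sp/main.css"/>

        <!-- NOTE(review): the metadata is fetched over https but there is no
             <MetadataFilter type="Signature"> so trust rests on the TLS
             connection alone. Fine for TestShib; for a production IdP add the
             Signature filter (federation signing cert) and a RequireValidUntil
             filter. backingFilePath lives in /tmp, a world-writable directory
             that shibd writes to; prefer a directory owned by shibd. -->
        <MetadataProvider type="XML"
                          uri="https://www.testshib.org/metadata/testshib-providers.xml"
                          backingFilePath="/tmp/testshib-two-idp-metadata.xml"
                          reloadInterval="180000"/>

        <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
        <AttributeResolver type="Query" subjectMatch="true"/>
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>

        <!-- The override reuses the default entityID; it is selected by its id
             (the applicationId set in the Apache <Location> for idp_2). -->
        <ApplicationOverride id="idp_2" entityID="https://115.112.68.53/shibboleth">
            <!--Sessions lifetime="28800" timeout="3600" checkAddress="false"
                relayState="ss:mem" handlerSSL="false"-->
            <!-- NOTE(review): likely cause of the redirect loop. The default
                 application and this override share the same handlerURL
                 (/Shibboleth.sso). The IdP response is POSTed to
                 /Shibboleth.sso/SAML2/POST, which on the Apache side carries
                 no applicationId (only the /v3/.../idp_2/... resource does),
                 so the session is created under the default application's
                 cookie; that is the session visible at /Shibboleth.sso/Session
                 above. The idp_2 resource then finds no idp_2 session and
                 bounces back to the IdP, which answers at once from its own
                 SSO session, hence one password prompt followed by a loop.
                 Fix: give this override its own handlerURL, e.g.
                 handlerURL="/idp_2/Shibboleth.sso", add a matching
                 <Location /idp_2/Shibboleth.sso> with SetHandler shib and
                 ShibRequestSetting applicationId idp_2 in Apache, and
                 re-register the SP metadata (new ACS endpoint) with the IdP.
                 Not applied here because the Apache half has to ship with it;
                 confirm in shibd.log which application handles the POST first. -->
            <Sessions lifetime="28800" timeout="3600" checkAddress="false"
                      relayState="ss:mem" handlerSSL="true"
                      cookieProps="; path=/; secure; HttpOnly">
                <!-- Triggers a login request directly to the TestShib IdP.
                     ECP="true" is presumably for non-browser (ECP) clients;
                     it requires the IdP to support ECP as well. -->
                <SSO entityID="https://idp.testshib.org/idp/shibboleth" ECP="true">
                    SAML2 SAML1
                </SSO>
                <Logout>SAML2 Local</Logout>
            </Sessions>
            <!-- The paste reused the default provider's backingFilePath here,
                 so two providers wrote the same file. Each provider should have
                 its own backing file; alternatively drop this element entirely,
                 since an override inherits the default MetadataProvider. -->
            <MetadataProvider type="XML"
                              uri="https://www.testshib.org/metadata/testshib-providers.xml"
                              backingFilePath="/tmp/testshib-two-idp-metadata-idp_2.xml"
                              reloadInterval="180000"/>
        </ApplicationOverride>
    </ApplicationDefaults>

    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>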
# keystone-httpd
# One mod_wsgi daemon group for keystone, running unprivileged as the keystone
# user (group nogroup), 3 processes x 10 threads.
WSGIDaemonProcess keystone user=keystone group=nogroup processes=3 threads=10

# Federation auth URLs are routed to the "main" (public) keystone WSGI script.
# The first mapping (old path under /var/www/keystone) is kept commented out;
# the active one points at /var/www/cgi-bin/keystone.
#WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/keystone/main/$1
WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/cgi-bin/keystone/main/$1
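# keystone public API (port 5000), TLS-terminated by Apache.
<VirtualHost *:5000>
    LogLevel  info
    ErrorLog  /var/log/keystone/keystone-apache-error.log
    CustomLog /var/log/keystone/ssl_access.log combined
    Options +FollowSymLinks

    SSLEngine on
    #SSLCertificateFile /etc/ssl/certs/mycert.pem
    #SSLCertificateKeyFile /etc/ssl/private/mycert.key
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    # NOTE(review): "optional" only asks for a client certificate; nothing here
    # rejects requests without one, so SSL_CLIENT_* variables are not proof of
    # identity unless the application checks SSL_CLIENT_VERIFY itself. No
    # SSLCACertificateFile is shown, so there is no trust anchor as pasted.
    SSLVerifyClient optional
    SSLVerifyDepth 10
    # SSLv3 is broken (POODLE); disable it together with SSLv2.
    SSLProtocol all -SSLv2 -SSLv3
    # The pasted list (ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW)
    # preferred RC4 and admitted LOW-grade suites. Keep only strong,
    # authenticated suites and let the server choose the order.
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
    SSLHonorCipherOrder on
    # +ExportCertData puts the peer certificate PEM into the environment.
    SSLOptions +StdEnvVars +ExportCertData

    WSGIScriptAlias / /var/www/cgi-bin/keystone/main
    WSGIProcessGroup keystone
</VirtualHost>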
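# keystone admin API (port 35357), TLS-terminated by Apache.
# NOTE(review): this listens on every interface with the same certificate as
# the public API. If the admin API is not meant to be reachable from outside,
# bind it to a management address or firewall the port.
<VirtualHost *:35357>
    LogLevel  info
    ErrorLog  /var/log/keystone/keystone-apache-error.log
    CustomLog /var/log/keystone/ssl_access.log combined
    Options +FollowSymLinks

    # "SSLEngine on" appeared twice in the paste; once is enough.
    SSLEngine on
    #SSLCertificateFile /etc/ssl/certs/mycert.pem
    #SSLCertificateKeyFile /etc/ssl/private/mycert.key
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    # NOTE(review): "optional" only asks for a client certificate; nothing here
    # rejects requests without one, and no SSLCACertificateFile is shown.
    SSLVerifyClient optional
    SSLVerifyDepth 10
    # SSLv3 is broken (POODLE); disable it together with SSLv2.
    SSLProtocol all -SSLv2 -SSLv3
    # The pasted list (ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW)
    # preferred RC4 and admitted LOW-grade suites. Keep only strong,
    # authenticated suites and let the server choose the order.
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
    SSLHonorCipherOrder on
    SSLOptions +StdEnvVars +ExportCertData

    WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
    WSGIProcessGroup keystone
</VirtualHost>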
# wsgi-keystone
# Path-based aliases for the two keystone WSGI scripts (in addition to the
# per-port VirtualHosts above).
WSGIScriptAlias /keystone/main  /var/www/cgi-bin/keystone/main
WSGIScriptAlias /keystone/admin /var/www/cgi-bin/keystone/admin

# Refuse plain-HTTP access to /keystone; NSSRequireSSL (mod_nss) stays
# commented out because mod_ssl is in use here. "Authtype none" clears any
# inherited AuthType so these paths are not gated by mod_shib.
<Location "/keystone">
# NSSRequireSSL
SSLRequireSSL
Authtype none
</Location>
<Location /Shibboleth.sso>
# NOTE(review): as pasted, the SetHandler line below is commented out. On
# Apache 2.4 (the "Require all granted" syntax implies 2.4) the Shibboleth
# docs have this line active so /Shibboleth.sso/* is handed to mod_shib. The
# session dump above shows /Shibboleth.sso/Session does answer, so the handler
# is evidently reached anyway; still, confirm the '#' is intentional and that
# nothing under this path can fall through to the "WSGIScriptAlias /" mapping.
#    SetHandler shib
    Require all granted
</Location>
<Location /v3/OS-FEDERATION/identity_providers/idp_1/protocols/saml2/auth>
    # Keystone's federation auth endpoint for idp_1: mod_shib must hold a
    # session for application "idp_1" before the request reaches the WSGI app.
    # NOTE(review): the pasted shibboleth2.xml defines an ApplicationOverride
    # only for idp_2; confirm which application the SP resolves "idp_1" to.
    ShibRequestSetting requireSession 1
    ShibRequestSetting applicationId idp_1
    AuthType shibboleth
    # ShibRequireSession On is the legacy spelling of requireSession 1 above;
    # ShibRequireAll only matters with more than one Require rule. Both are
    # harmless, but one form is enough.
    ShibRequireAll On
    ShibRequireSession On
    # Keep the raw SAML assertion out of the environment passed to keystone.
    ShibExportAssertion Off
    Require valid-user
</Location>
<Location /v3/OS-FEDERATION/identity_providers/idp_2/protocols/saml2/auth>
    # Keystone's federation auth endpoint for idp_2: mod_shib must hold a
    # session for application "idp_2" (the ApplicationOverride id) before the
    # request reaches the WSGI app.
    # NOTE(review): only this resource carries applicationId idp_2. The SAML
    # response itself arrives at /Shibboleth.sso/SAML2/POST, which has no
    # applicationId and so is handled by the default application; the session
    # it creates is not the idp_2 session required here, which would explain
    # the loop. If the override is given its own handlerURL (e.g.
    # /idp_2/Shibboleth.sso in shibboleth2.xml), add a matching
    # <Location /idp_2/Shibboleth.sso> with "SetHandler shib" and
    # "ShibRequestSetting applicationId idp_2" so the response is processed
    # under idp_2.
    ShibRequestSetting requireSession 1
    ShibRequestSetting applicationId idp_2
    AuthType shibboleth
    # ShibRequireSession On is the legacy spelling of requireSession 1 above;
    # ShibRequireAll only matters with more than one Require rule.
    ShibRequireAll On
    ShibRequireSession On
    # Keep the raw SAML assertion out of the environment passed to keystone.
    ShibExportAssertion Off
    Require valid-user
</Location>
Regards,
Akshik
> Date: Mon, 2 Mar 2015 12:03:18 +0100
> From: [email protected]
> To: [email protected]
> Subject: Re: [openstack-dev] Need help in configuring keystone
> 
> Akshik,
> 
> When you are beginning an adventure with saml, shibboleth and so on, 
> it's helpful to start with fetching auto-generated shibboleth2.xml file 
> from testshib.org . This should cover most of your use-cases, at least 
> in the testing environment.
> 
> Marek
> 
> 
> 
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: [email protected]?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
                                          
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
