Hi Steve, here are the log details:

==> /var/log/shibboleth/shibd.log <==
2015-03-04 14:36:05 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:0.9.2342.19200300.100.1.1
2015-03-04 14:36:05 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.5.4.4
2015-03-04 14:36:05 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.5.4.3
2015-03-04 14:36:05 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.5.4.20
2015-03-04 14:36:05 INFO Shibboleth.SessionCache [2]: new session created: ID (_ee18a916d4e7e7adbc34f55c010695a4) IdP (https://idp.testshib.org/idp/shibboleth) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (121.243.33.212)

==> /var/log/keystone/keystone-apache-error.log <==
[Wed Mar 04 14:36:05 2015] [info] Subsequent (No.8) HTTPS request received for child 7 (server 10.1.193.250:5000)
[Wed Mar 04 14:36:09 2015] [info] Subsequent (No.9) HTTPS request received for child 7 (server 10.1.193.250:5000)

==> /var/log/shibboleth/shibd.log <==
2015-03-04 14:36:09 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:0.9.2342.19200300.100.1.1
2015-03-04 14:36:09 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.5.4.4
2015-03-04 14:36:09 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.5.4.3
2015-03-04 14:36:09 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.5.4.20
2015-03-04 14:36:09 INFO Shibboleth.SessionCache [2]: new session created: ID (_10d6c414a9f198b6601b5d4f36a9057a) IdP (https://idp.testshib.org/idp/shibboleth) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (121.243.33.212)

==> /var/log/keystone/keystone-apache-error.log <==
[Wed Mar 04 14:36:09 2015] [info] Subsequent (No.10) HTTPS request received for child 7 (server 10.1.193.250:5000)
[Wed Mar 04 14:36:14 2015] [info] [client 121.243.33.212] (70007)The timeout specified has expired: SSL input filter read failed.
[Wed Mar 04 14:36:14 2015] [info] [client 121.243.33.212] Connection closed to child 7 with standard shutdown (server 10.1.193.250:5000)
To: [email protected]
From: [email protected]
Date: Wed, 4 Mar 2015 03:04:52 -0500
Subject: Re: [openstack-dev] Need help in configuring keystone

What do the keystone logs indicate?

Steve

Akshik DBK <[email protected]> wrote on 03/04/2015 02:18:47 AM:

> From: Akshik DBK <[email protected]>
> To: OpenStack Development Mailing List not for usage questions <[email protected]>
> Date: 03/04/2015 02:25 AM
> Subject: Re: [openstack-dev] Need help in configuring keystone
>
> Hi Marek,
>
> I tried with the auto-generated shibboleth2.xml, just added the application override attribute, and now I'm stuck with a looping issue.
>
> When I access v3/OS-FEDERATION/identity_providers/idp_2/protocols/saml2/auth for the first time it prompts for username and password; once provided, it goes into a loop.
>
> I could see the session generated at https://115.112.68.53:5000/Shibboleth.sso/Session
>
> Miscellaneous
> Client Address: 121.243.33.212
> Identity Provider: https://idp.testshib.org/idp/shibboleth
> SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
> Authentication Time: 2015-03-04T06:44:41.625Z
> Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
> Authentication Context Decl: (none)
> Session Expiration (barring inactivity): 479 minute(s)
>
> Attributes
> affiliation: [email protected];[email protected]
> entitlement: urn:mace:dir:entitlement:common-lib-terms
> eppn: [email protected]
> persistent-id: https://idp.testshib.org/idp/shibboleth!https://115.112.68.53/shibboleth!4Q6X4dS2MRhgTZOPTuL9ubMAcIM=
> unscoped-affiliation: Member;Staff
>
> Here are my config files:
>
> <SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
>     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" clockSkew="1800">
>   <ApplicationDefaults entityID="https://115.112.68.53/shibboleth" REMOTE_USER="eppn">
>     <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem"
>         handlerSSL="true" cookieProps="; path=/; secure">
>
>       <SSO entityID="https://idp.testshib.org/idp/shibboleth">
>         SAML2 SAML1
>       </SSO>
>
>       <Logout>SAML2 Local</Logout>
>
>       <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
>       <Handler type="Status" Location="/Status"/>
>       <Handler type="Session" Location="/Session" showAttributeValues="true"/>
>       <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
>     </Sessions>
>
>     <Errors supportContact="root@localhost" logoLocation="/shibboleth-sp/logo.jpg" styleSheet="/shibboleth-sp/main.css"/>
>     <MetadataProvider type="XML" uri="https://www.testshib.org/metadata/testshib-providers.xml"
>         backingFilePath="/tmp/testshib-two-idp-metadata.xml" reloadInterval="180000" />
>     <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
>     <AttributeResolver type="Query" subjectMatch="true"/>
>     <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
>     <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
>     <ApplicationOverride id="idp_2" entityID="https://115.112.68.53/shibboleth">
>       <!--Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="false"-->
>       <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem"
>           handlerSSL="true" cookieProps="; path=/; secure">
>
>         <!-- Triggers a login request directly to the TestShib IdP. -->
>         <SSO entityID="https://idp.testshib.org/idp/shibboleth" ECP="true">
>           SAML2 SAML1
>         </SSO>
>         <Logout>SAML2 Local</Logout>
>       </Sessions>
>       <MetadataProvider type="XML" uri="https://www.testshib.org/metadata/testshib-providers.xml"
>           backingFilePath="/tmp/testshib-two-idp-metadata.xml" reloadInterval="180000" />
>     </ApplicationOverride>
>   </ApplicationDefaults>
>   <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
>   <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
> </SPConfig>
>
> keystone-httpd
>
> WSGIDaemonProcess keystone user=keystone group=nogroup processes=3 threads=10
> #WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/keystone/main/$1
> WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/cgi-bin/keystone/main/$1
>
> <VirtualHost *:5000>
>     LogLevel info
>     ErrorLog /var/log/keystone/keystone-apache-error.log
>     CustomLog /var/log/keystone/ssl_access.log combined
>     Options +FollowSymLinks
>
>     SSLEngine on
>     #SSLCertificateFile /etc/ssl/certs/mycert.pem
>     #SSLCertificateKeyFile /etc/ssl/private/mycert.key
>     SSLCertificateFile /etc/apache2/ssl/server.crt
>     SSLCertificateKeyFile /etc/apache2/ssl/server.key
>     SSLVerifyClient optional
>     SSLVerifyDepth 10
>     SSLProtocol all -SSLv2
>     SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
>     SSLOptions +StdEnvVars +ExportCertData
>
>     WSGIScriptAlias / /var/www/cgi-bin/keystone/main
>     WSGIProcessGroup keystone
> </VirtualHost>
>
> <VirtualHost *:35357>
>     LogLevel info
>     ErrorLog /var/log/keystone/keystone-apache-error.log
>     CustomLog /var/log/keystone/ssl_access.log combined
>     Options +FollowSymLinks
>
>     SSLEngine on
>     #SSLCertificateFile /etc/ssl/certs/mycert.pem
>     #SSLCertificateKeyFile /etc/ssl/private/mycert.key
>     SSLCertificateFile /etc/apache2/ssl/server.crt
>     SSLCertificateKeyFile /etc/apache2/ssl/server.key
>     SSLVerifyClient optional
>     SSLVerifyDepth 10
>     SSLProtocol all -SSLv2
>     SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
>     SSLOptions +StdEnvVars +ExportCertData
>
>     WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
>     WSGIProcessGroup keystone
> </VirtualHost>
>
> wsgi-keystone
>
> WSGIScriptAlias /keystone/main /var/www/cgi-bin/keystone/main
> WSGIScriptAlias /keystone/admin /var/www/cgi-bin/keystone/admin
>
> <Location "/keystone">
>     # NSSRequireSSL
>     SSLRequireSSL
>     Authtype none
> </Location>
>
> <Location /Shibboleth.sso>
>     # SetHandler shib
>     Require all granted
> </Location>
>
> <Location /v3/OS-FEDERATION/identity_providers/idp_1/protocols/saml2/auth>
>     ShibRequestSetting requireSession 1
>     ShibRequestSetting applicationId idp_1
>     AuthType shibboleth
>     ShibRequireAll On
>     ShibRequireSession On
>     ShibExportAssertion Off
>     Require valid-user
> </Location>
>
> <Location /v3/OS-FEDERATION/identity_providers/idp_2/protocols/saml2/auth>
>     ShibRequestSetting requireSession 1
>     ShibRequestSetting applicationId idp_2
>     AuthType shibboleth
>     ShibRequireAll On
>     ShibRequireSession On
>     ShibExportAssertion Off
>     Require valid-user
> </Location>
>
> Regards,
> Akshik
>
> > Date: Mon, 2 Mar 2015 12:03:18 +0100
> > From: [email protected]
> > To: [email protected]
> > Subject: Re: [openstack-dev] Need help in configuring keystone
> >
> > Akshik,
> >
> > When you are beginning an adventure with SAML, Shibboleth and so on, it's helpful to start with fetching the auto-generated shibboleth2.xml file from testshib.org. This should cover most of your use-cases, at least in the testing environment.
> >
> > Marek
> >
> > __________________________________________________________________________
> > OpenStack Development Mailing List (not for usage questions)
> > Unsubscribe: [email protected]?subject:unsubscribe
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
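One way to triage the interleaved `tail -f` output quoted at the top of the thread, as an added example that is not code from the thread, Keystone or Shibboleth: it pulls the unmapped attribute OIDs and the "new session created" events out of the shibd.log lines and flags a client address that is handed several fresh SP sessions within a short window, which is what a post-login redirect loop looks like from the SP side. The sample log (built from the quoted lines), the 60-second window and the two-session threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, built from the shibd.log lines quoted in the thread
# (the "==>" headers are what `tail -f` on several files emits).
SAMPLE_LOG = """\
==> /var/log/shibboleth/shibd.log <==
2015-03-04 14:36:05 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:0.9.2342.19200300.100.1.1
2015-03-04 14:36:05 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.5.4.4
2015-03-04 14:36:05 INFO Shibboleth.SessionCache [2]: new session created: ID (_ee18a916d4e7e7adbc34f55c010695a4) IdP (https://idp.testshib.org/idp/shibboleth) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (121.243.33.212)
==> /var/log/keystone/keystone-apache-error.log <==
[Wed Mar 04 14:36:05 2015] [info] Subsequent (No.8) HTTPS request received for child 7 (server 10.1.193.250:5000)
==> /var/log/shibboleth/shibd.log <==
2015-03-04 14:36:09 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.5.4.4
2015-03-04 14:36:09 INFO Shibboleth.SessionCache [2]: new session created: ID (_10d6c414a9f198b6601b5d4f36a9057a) IdP (https://idp.testshib.org/idp/shibboleth) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (121.243.33.212)
"""

UNMAPPED_RE = re.compile(r"^(\S+ \S+) INFO \S+ \[\d+\]: skipping unmapped SAML 2\.0 Attribute with Name: (\S+)$")
SESSION_RE = re.compile(r"^(\S+ \S+) INFO \S+ \[\d+\]: new session created: ID \((\S+)\) IdP \((\S+)\) .*Address \((\S+)\)$")

def parse_shibd(text):
    """Return (set of unmapped attribute names, list of new-session events); other lines are ignored."""
    unmapped, sessions = set(), []
    for line in text.splitlines():
        m = UNMAPPED_RE.match(line)
        if m:
            unmapped.add(m.group(2))
            continue
        m = SESSION_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            sessions.append({"time": ts, "id": m.group(2), "idp": m.group(3), "addr": m.group(4)})
    return unmapped, sessions

def find_session_loops(sessions, window_s=60, min_count=2):
    """Map client address -> total sessions, for addresses given min_count fresh sessions within window_s."""
    by_addr = defaultdict(list)
    for s in sessions:
        by_addr[s["addr"]].append(s["time"])
    loops = {}
    for addr, times in by_addr.items():
        times.sort()
        if any((times[i + min_count - 1] - times[i]).total_seconds() <= window_s
               for i in range(len(times) - min_count + 1)):
            loops[addr] = len(times)
    return loops
```

The unmapped-attribute messages are INFO-level and only mean attribute-map.xml has no entry for those OIDs; the repeated session creation for one address a few seconds apart is the signal worth chasing through the Apache Location and ApplicationOverride settings.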
