
Using keystone as a SAML service provider.

asked 2014-05-28 21:17:57 -0600

lihkin

I have followed all the instructions for configuring keystone as a SAML service provider.

1. It is running on Apache httpd.
2. mod_shib and mod_wsgi are configured.
3. OS-FEDERATION is enabled.
4. Created the identity provider, protocol and mappings.
5. Exchanged SAML metadata with the http://testshib.org IdP for testing it out.

When I go to /v3/OS-FEDERATION/identity_providers/TestShib/protocols/SAML2/auth I get redirected correctly to the http://testshib.org login page. After I log in I am redirected back but get an error message:

2014-05-28 15:54:43.567 385 WARNING keystone.common.wsgi [-] Authorization failed. Unable to lookup user myself@testshib.org from 192.168.100.1

myself@testshib.org is the userid I am logging in as on the IdP.

Here are the logs from keystone:

2014-05-28 15:54:43.372 385 DEBUG mod_wsgi [-] token.revocation_cache_time    = 3600 log_opt_values /usr/lib/python2.7/dist-packages/oslo/config/cfg.py:1949
2014-05-28 15:54:43.373 385 DEBUG mod_wsgi [-] token.revoke_by_id             = True log_opt_values /usr/lib/python2.7/dist-packages/oslo/config/cfg.py:1949
2014-05-28 15:54:43.373 385 DEBUG mod_wsgi [-] ******************************************************************************** log_opt_values /usr/lib/python2.7/dist-packages/oslo/config/cfg.py:1951
2014-05-28 15:54:43.509 385 WARNING keystone.openstack.common.versionutils [-] Deprecated: keystone.middleware.core.XmlBodyMiddleware is deprecated as of Icehouse in favor of support for "application/json" only and may be removed in K.
2014-05-28 15:54:43.534 385 DEBUG keystone.middleware.core [-] Auth token not in the request header. Will not build auth context. process_request /usr/lib/python2.7/dist-packages/keystone/middleware/core.py:271
2014-05-28 15:54:43.544 385 DEBUG keystone.common.wsgi [-] arg_dict: {'identity_provider': u'TestShib', 'protocol': u'saml2'} __call__ /usr/lib/python2.7/dist-packages/keystone/common/wsgi.py:181
2014-05-28 15:54:43.555 385 DEBUG keystone.openstack.common.db.sqlalchemy.session [-] MySQL server mode set to STRICT_TRANS_TABLES,STRICT_ALL_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,TRADITIONAL,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION _mysql_check_effective_sql_mode /usr/lib/python2.7/dist-packages/keystone/openstack/common/db/sqlalchemy/session.py:562
2014-05-28 15:54:43.567 385 WARNING keystone.common.wsgi [-] Authorization failed. Unable to lookup user myself@testshib.org from 192.168.100.1

Looking at the logs, it looks like wsgi is not invoking the Saml2 module. Has anyone tried this before? Any hints would be appreciated.


Comments

What documentation did you use for creating the identity provider? I'm trying to do something similar but not finding a whole lot.

morganbird (2014-08-07 11:02:03 -0600)

2 answers


answered 2015-10-12 19:24:07 -0600

rem

Hi. Can you please provide the configuration files as well as your attribute mapping file?

My current status:

When I try to fetch the token using curl -X GET -D - https....hostname:5000/v3/OS-FEDERATION/identity_providers/testshib/protocols/saml2/auth

I get the following error "Could not find identity provider identifier in the environment", "code":400, "title": "Bad Request"


answered 2014-05-28 22:14:07 -0600

Just trying to rule out the obvious: did you follow the steps here too: http://docs.openstack.org/developer/keystone/extensions/federation.html (specifically 2 and 4)?


Comments

Yes. This was done. I will post my configuration files once I get into work tomorrow.

lihkin (2014-05-28 22:51:02 -0600)


Stats

Asked: 2014-05-28 21:17:57 -0600

Seen: 388 times

Last updated: Oct 12 '15