Using keystone as a SAML service provider.

asked 2014-05-28 21:17:57 -0500

lihkin

I have followed all the instructions for configuring keystone as a SAML service provider:

1. It is running on Apache httpd.
2. mod_shib and mod_wsgi are configured.
3. OS-FEDERATION is enabled.
4. Created the identity provider, protocol and mappings.
5. Exchanged SAML metadata with the IdP for testing it out.

When I go to /v3/OS-FEDERATION/identity_providers/TestShib/protocols/SAML2/auth I get redirected correctly to the login page. After I log in I am redirected back but get an error message:

2014-05-28 15:54:43.567 385 WARNING keystone.common.wsgi [-] Authorization failed. Unable to lookup user from is the userid I am logging in as on the IdP.

Here are the keystone logs:

```text
2014-05-28 15:54:43.372 385 DEBUG mod_wsgi [-] token.revocation_cache_time    = 3600 log_opt_values /usr/lib/python2.7/dist-packages/oslo/config/
2014-05-28 15:54:43.373 385 DEBUG mod_wsgi [-] token.revoke_by_id             = True log_opt_values /usr/lib/python2.7/dist-packages/oslo/config/
2014-05-28 15:54:43.373 385 DEBUG mod_wsgi [-] ******************************************************************************** log_opt_values /usr/lib/python2.7/dist-packages/oslo/config/
2014-05-28 15:54:43.509 385 WARNING keystone.openstack.common.versionutils [-] Deprecated: keystone.middleware.core.XmlBodyMiddleware is deprecated as of Icehouse in favor of support for "application/json" only and may be removed in K.
2014-05-28 15:54:43.534 385 DEBUG keystone.middleware.core [-] Auth token not in the request header. Will not build auth context. process_request /usr/lib/python2.7/dist-packages/keystone/middleware/
2014-05-28 15:54:43.544 385 DEBUG keystone.common.wsgi [-] arg_dict: {'identity_provider': u'TestShib', 'protocol': u'saml2'} __call__ /usr/lib/python2.7/dist-packages/keystone/common/
2014-05-28 15:54:43.555 385 DEBUG keystone.openstack.common.db.sqlalchemy.session [-] MySQL server mode set to STRICT_TRANS_TABLES,STRICT_ALL_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,TRADITIONAL,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION _mysql_check_effective_sql_mode /usr/lib/python2.7/dist-packages/keystone/openstack/common/db/sqlalchemy/
2014-05-28 15:54:43.567 385 WARNING keystone.common.wsgi [-] Authorization failed. Unable to lookup user from
```

Looking at the logs, it looks like wsgi is not invoking the Saml2 module. Has anyone tried this before? Any hints would be appreciated.

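As an added illustration (not code from the question, the answers, or keystone itself), the snippet below evaluates a keystone OS-FEDERATION mapping rule of the kind the question's step 4 refers to against a WSGI environment. It assumes a single rule that takes the user name from REMOTE_USER (the attribute name is an assumption for this example) and shows that when the SAML module has not populated that attribute, no user name can be derived, which matches the "Unable to lookup user from" symptom with an empty user shown above.

```python
import json

# Constructed mapping in keystone's OS-FEDERATION rule format (assumption:
# the user name comes from REMOTE_USER as exported by mod_shib).
MAPPING_JSON = json.dumps({
    "rules": [
        {
            "local": [{"user": {"name": "{0}"}}],
            "remote": [{"type": "REMOTE_USER"}],
        }
    ]
})


def map_user(mapping_json, environ):
    """Return (user_name, missing_attributes).

    Deliberately minimal re-implementation of rule matching for diagnosis:
    a rule applies only if every remote attribute type it names is present
    in the environ; the values are substituted into the local user name by
    position ({0}, {1}, ...). No any_one_of/not_any_of or group handling,
    so this is not keystone's own mapping engine.
    """
    rules = json.loads(mapping_json)["rules"]
    missing = []
    for rule in rules:
        types = [r["type"] for r in rule["remote"]]
        absent = [t for t in types if t not in environ]
        if absent:
            missing.extend(absent)
            continue
        values = [environ[t] for t in types]
        for local in rule["local"]:
            user = local.get("user")
            if user and "name" in user:
                return user["name"].format(*values), []
    return None, sorted(set(missing))


if __name__ == "__main__":
    # Constructed environ for a request where the SAML module never ran:
    # no REMOTE_USER, so the mapping yields no user name at all.
    bare_env = {"REQUEST_METHOD": "GET", "PATH_INFO": "/v3/OS-FEDERATION/"}
    print(map_user(MAPPING_JSON, bare_env))  # (None, ['REMOTE_USER'])
    # Constructed environ after a successful Shibboleth login.
    shib_env = dict(bare_env, REMOTE_USER="alice@testshib.example")
    print(map_user(MAPPING_JSON, shib_env))  # ('alice@testshib.example', [])
```

When the first tuple element is None, the list of missing attribute names tells you which headers the Apache side was expected to export but did not, which is the thing to check in the mod_shib and mod_wsgi configuration before looking at the mapping itself.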


What documentation did you use for creating the identity provider? I'm trying to do something similar but not finding a whole lot.

morganbird (2014-08-07 11:02:03 -0500)

2 answers


answered 2015-10-12 19:24:07 -0500

rem

Hi. Can you please provide the configuration files as well as your attribute mapping file?

My current status:

When I try to fetch the token using curl -X GET -D - https....hostname:5000/v3/OS-FEDERATION/identity_providers/testshib/protocols/saml2/auth

I get the following error: "Could not find identity provider identifier in the environment", "code": 400, "title": "Bad Request"


answered 2014-05-28 22:14:07 -0500

Just trying to rule out the obvious, did you follow the steps here too: ( (specifically 2 and 4).



Yes. This was done. I will post my configuration files once I get into work tomorrow.

lihkin (2014-05-28 22:51:02 -0500)


Asked: 2014-05-28 21:17:57 -0500

Seen: 416 times

Last updated: Oct 12 '15