Query regarding SAML with keystone

asked 2015-02-27 04:22:36 -0500

akshik gravatar image

Hi I'm new to SAML, trying to integrate keystone with SAML, Im using Ubuntu 12.04 with Icehouse,

im following http://docs.openstack.org/developer/k...

when im trying to configure keystone with two idp,

when i access https://MYSERVER:5000/v3/OS-FEDERATIO...

it gets redirected to testshib.org , it prompts for username and password when the same is given im getting

shibsp::ConfigurationException at ( https://MYSERVER:5000/Shibboleth.sso/... ) No MetadataProvider available.

here is my shibboleth2.xml content

<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"    
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    clockSkew="180">

    <ApplicationDefaults entityID="https://MYSERVER:5000/Shibboleth">
        <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="false">
            <SSO entityID="https://idp.testshib.org/idp/shibboleth" ECP="true">
                SAML2 SAML1
            </SSO>

            <Logout>SAML2 Local</Logout>

            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
            <Handler type="Status" Location="/Status" />
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
        </Sessions>

        <Errors supportContact="root@localhost"
            logoLocation="/shibboleth-sp/logo.jpg"
            styleSheet="/shibboleth-sp/main.css"/>

        <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
        <AttributeResolver type="Query" subjectMatch="true"/>
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>

        <ApplicationOverride id="idp_1" entityID="https://MYSERVER:5000/Shibboleth">

            <Sessions lifetime="28800" timeout="3600" checkAddress="false"
            relayState="ss:mem" handlerSSL="false">
                <SSO entityID="https://portal4.mss.internalidp.com/idp/shibboleth" ECP="true">
                    SAML2 SAML1
                </SSO>
                <Logout>SAML2 Local</Logout>
            </Sessions>

            <MetadataProvider type="XML" uri="https://portal4.mss.internalidp.com/idp/shibboleth"
             backingFilePath="/tmp/tata.xml" reloadInterval="180000" />
        </ApplicationOverride>

        <ApplicationOverride id="idp_2" entityID="https://MYSERVER:5000/Shibboleth">
            <Sessions lifetime="28800" timeout="3600" checkAddress="false"
            relayState="ss:mem" handlerSSL="false">
                <SSO entityID="https://idp.testshib.org/idp/shibboleth" ECP="true">
                    SAML2 SAML1
                </SSO>

                <Logout>SAML2 Local</Logout>
            </Sessions>

            <MetadataProvider type="XML" uri="https://idp.testshib.org/idp/shibboleth"  
            backingFilePath="/tmp/testshib.xml" reloadInterval="180000"/>
        </ApplicationOverride>
    </ApplicationDefaults>

    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>

here is my wsgi-keystone

WSGIScriptAlias /keystone/main  /var/www/cgi-bin/keystone/main
WSGIScriptAlias /keystone/admin  /var/www/cgi-bin/keystone/admin

<Location "/keystone">
# NSSRequireSSL
SSLRequireSSL
Authtype none
</Location>

<Location /Shibboleth.sso>
    SetHandler shib
</Location>

<Location /v3/OS-FEDERATION/identity_providers/idp_1/protocols/saml2/auth>
    ShibRequestSetting requireSession 1
    ShibRequestSetting applicationId idp_1
    AuthType shibboleth
    ShibRequireAll On
    ShibRequireSession On
    ShibExportAssertion Off
    Require valid-user
</Location>

<Location /v3/OS-FEDERATION/identity_providers/idp_2/protocols/saml2/auth>
    ShibRequestSetting requireSession 1
    ShibRequestSetting applicationId idp_2
    AuthType shibboleth
    ShibRequireAll On
    ShibRequireSession On
    ShibExportAssertion Off
    Require valid-user
</Location>
edit retag flag offensive close merge delete