Ask Your Question

SAML problems with Keystone-to-Keystone federation

asked 2016-08-30 11:18:16 -0500

george g gravatar image

I installed two OpenStack nodes to try federated login following the guide at (

os1 is the Keystone Identity Provider (keystone-idp) os2 is the Keystone Service Provider (keystone.sp)

Now, I would like to login at keystone.sp using a login on keystone-idp. Following the latest blog at (, I do this with the cli client by issuing the following command (environment: only OS_IDENTITY_API_VERSION=3):

openstack --os-auth-type v3unscopedsaml --os-identity-provider keystone-idp --os-identity-provider-url http://os1:5000/v3/auth/OS-FEDERATION/saml2/ecp --os-username admin --os-password *** --os-project-name admin --os-project-domain-name Default --os-auth-url http://os2:5000/v3 --os-protocol saml2 --debug -v

which gives me a shell on which I enter:

token issue

This is supposed to start the SAML authn workflow which I can also confirm by the debug output:

command: token issue -> openstackclient.identity.v3.token.IssueToken
Auth plugin v3unscopedsaml selected
auth_type: v3unscopedsaml
Using auth plugin: v3unscopedsaml
Using parameters {'username': 'admin', 'identity_provider_url': 'http://os1:5000/v3/auth/OS-FEDERATION/saml2/ecp', 'project_name': 'admin', 'auth_url': 'http://os2:5000/v3', 'identity_provider': 'keystone-idp', 'password': '***', 'project_domain_name': 'Default'}
Get auth_ref
REQ: curl -g -i -X GET http://o2:5000/v3/OS-FEDERATION/identity_providers/keystone-idp/protocols/saml2/auth -H "PAOS: ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"" -H "Accept: text/html, application/vnd.paos+xml" -H "User-Agent: python-openstackclient keystoneauth1/2.9.0 python-requests/2.10.0 CPython/2.7.12"
Starting new HTTP connection (1): os2
"GET /v3/OS-FEDERATION/identity_providers/keystone-idp/protocols/saml2/auth HTTP/1.1" 200 1678
RESP: [200] Date: Tue, 30 Aug 2016 15:45:09 GMT Server: Apache/2.4.18 (Ubuntu) Expires: 01-Jan-1997 12:00:00 GMT Cache-Control: no-cache, no-store, must-revalidate, private Pragma: no-cache Content-Length: 1678 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/vnd.paos+xml 
RESP BODY: <S:Envelope xmlns:S=""><S:Header><paos:Request xmlns:paos="urn:liberty:paos:2003-08" S:actor="" S:mustUnderstand="1" responseConsumerURL="http://os2:5000/Shibboleth.sso/SAML2/ECP" service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"/><ecp:Request xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" IsPassive="0" S:actor="" S:mustUnderstand="1"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://os2:5000/Shibboleth.sso</saml:Issuer><samlp:IDPList xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><samlp:IDPEntry ProviderID="http://os1:5000/v3/OS-FEDERATION/saml2/idp"/></samlp:IDPList></ecp:Request><ecp:RelayState xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp" S:actor="" S:mustUnderstand="1">ss:mem:910bc9530fd3cc11aa66b7b3b2c036fd3f647fbb2f3304948768e65db22f4b43</ecp:RelayState></S:Header><S:Body><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://os2:5000/Shibboleth.sso/SAML2/ECP" ID="_d4f2c9532655b5eda7b6dcaf75000459" IssueInstant="2016-08-30T15:45:09Z" ProtocolBinding="urn:oasis:names:tc:SAML:2 ...
edit retag flag offensive close merge delete

1 answer

Sort by ยป oldest newest most voted

answered 2016-08-31 10:53:59 -0500

george g gravatar image

updated 2016-08-31 10:54:33 -0500

I found some kind of solution/explanation: Apparently Keystone as an IdP does not understand/accept SAML requests, but only provides the following work flow:

  1. Login to IdP using password
  2. Use token received to request a SAML assertion via /v3/auth/OS-FEDERATION/saml2/ecp providing the TOKEN
  3. Use this assertion with the SP to get unscoped local token
  4. Use unscoped local token to request service catalog and scoped token(s) on SP

I got this information from this article: ( which also provides a script to automate this workflow: (

Still, if I overlooked something on how to enable K2K-Federation using only the openstack client please let me know. Also, if someone could confirm my findings, I would be happy to know. Thanks!

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2016-08-30 11:18:16 -0500

Seen: 265 times

Last updated: Aug 31 '16