Hi Akshik,

Did you upload your Metadata file to the testshib server?
You are advised to follow steps starting from here: http://testshib.org/register.html

For the record, Keystone will act here as a Service Provider, so you need to follow the testshib docs/tutorials for setting up your SP (Service Provider).

Let me know if that was your issue.
If not, more detailed steps on how you configured your Keystone acting as a Service Provider would be helpful.

Marek Denis

On 27.02.2015 11:26, Akshik DBK wrote:

Hi, I'm new to SAML and trying to integrate Keystone with SAML. I'm using Ubuntu 12.04 with Icehouse.

I'm following http://docs.openstack.org/developer/keystone/extensions/shibboleth.html

I'm trying to configure Keystone with two IdPs.

When I access https://MYSERVER:5000/v3/OS-FEDERATION/identity_providers/idp_2/protocols/saml2/auth

it gets redirected to testshib.org, which prompts for a username and password; when I enter them I get

*shibsp::ConfigurationException at ( https://MYSERVER:5000/Shibboleth.sso/SAML2/POST ) No MetadataProvider available.*

here is my shibboleth2.xml content

<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    clockSkew="180">

    <!-- Default application: SSO points at testshib; no MetadataProvider is declared at this level -->
    <ApplicationDefaults entityID="https://MYSERVER:5000/Shibboleth">
        <Sessions lifetime="28800" timeout="3600" checkAddress="false"
            relayState="ss:mem" handlerSSL="false">
            <SSO entityID="https://idp.testshib.org/idp/shibboleth" ECP="true">
                SAML2 SAML1
            </SSO>

            <Logout>SAML2 Local</Logout>

            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
            <Handler type="Status" Location="/Status"/>
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
        </Sessions>

        <Errors supportContact="root@localhost"
            logoLocation="/shibboleth-sp/logo.jpg"
            styleSheet="/shibboleth-sp/main.css"/>

        <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
        <AttributeResolver type="Query" subjectMatch="true"/>
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>

        <!-- Override idp_1: selected by the applicationId request setting in Apache -->
        <ApplicationOverride id="idp_1" entityID="https://MYSERVER:5000/Shibboleth">
            <Sessions lifetime="28800" timeout="3600" checkAddress="false"
                relayState="ss:mem" handlerSSL="false">
                <SSO entityID="https://portal4.mss.internalidp.com/idp/shibboleth" ECP="true">
                    SAML2 SAML1
                </SSO>
                <Logout>SAML2 Local</Logout>
            </Sessions>

            <MetadataProvider type="XML" uri="https://portal4.mss.internalidp.com/idp/shibboleth"
                backingFilePath="/tmp/tata.xml" reloadInterval="180000"/>
        </ApplicationOverride>

        <!-- Override idp_2: testshib -->
        <ApplicationOverride id="idp_2" entityID="https://MYSERVER:5000/Shibboleth">
            <Sessions lifetime="28800" timeout="3600" checkAddress="false"
                relayState="ss:mem" handlerSSL="false">
                <SSO entityID="https://idp.testshib.org/idp/shibboleth" ECP="true">
                    SAML2 SAML1
                </SSO>

                <Logout>SAML2 Local</Logout>
            </Sessions>

            <MetadataProvider type="XML" uri="https://idp.testshib.org/idp/shibboleth"
                backingFilePath="/tmp/testshib.xml" reloadInterval="180000"/>
        </ApplicationOverride>
    </ApplicationDefaults>

    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>

here is my wsgi-keystone Apache config

WSGIScriptAlias /keystone/main /var/www/cgi-bin/keystone/main
WSGIScriptAlias /keystone/admin /var/www/cgi-bin/keystone/admin

<Location "/keystone">
    # NSSRequireSSL
    SSLRequireSSL
    AuthType none
</Location>

# Shibboleth SP handler endpoint; this is where the IdP posts the SAML2 response
<Location /Shibboleth.sso>
    SetHandler shib
</Location>

# Federation endpoint for idp_1; applicationId selects the matching ApplicationOverride
<Location /v3/OS-FEDERATION/identity_providers/idp_1/protocols/saml2/auth>
    ShibRequestSetting requireSession 1
    ShibRequestSetting applicationId idp_1
    AuthType shibboleth
    ShibRequireAll On
    ShibRequireSession On
    ShibExportAssertion Off
    Require valid-user
</Location>

# Federation endpoint for idp_2 (testshib)
<Location /v3/OS-FEDERATION/identity_providers/idp_2/protocols/saml2/auth>
    ShibRequestSetting requireSession 1
    ShibRequestSetting applicationId idp_2
    AuthType shibboleth
    ShibRequireAll On
    ShibRequireSession On
    ShibExportAssertion Off
    Require valid-user
</Location>
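An added check, not from the thread or from Shibboleth/Keystone, that shows the condition the SP error names: it walks a shibboleth2.xml (here a constructed, cut-down copy of the one above) and lists the applications that have no MetadataProvider, own or inherited. The default application only has what ApplicationDefaults declares, and it is the one that handles /Shibboleth.sso when that path carries no applicationId setting.

```python
import xml.etree.ElementTree as ET

NS = {"conf": "urn:mace:shibboleth:2.0:native:sp:config"}

# Constructed sample, reduced from the thread's config: metadata only on the idp_2 override.
SAMPLE = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://MYSERVER:5000/Shibboleth">
    <Sessions handlerSSL="false">
      <SSO entityID="https://idp.testshib.org/idp/shibboleth">SAML2 SAML1</SSO>
    </Sessions>
    <ApplicationOverride id="idp_2" entityID="https://MYSERVER:5000/Shibboleth">
      <Sessions handlerSSL="false">
        <SSO entityID="https://idp.testshib.org/idp/shibboleth">SAML2 SAML1</SSO>
      </Sessions>
      <MetadataProvider type="XML" uri="https://idp.testshib.org/idp/shibboleth"/>
    </ApplicationOverride>
  </ApplicationDefaults>
</SPConfig>"""

def _describe(app):
    """SSO entityID and the MetadataProvider sources declared directly on one application."""
    sso = app.find("conf:Sessions/conf:SSO", NS)
    idp = sso.get("entityID") if sso is not None else None
    sources = [m.get("uri") or m.get("file") or m.get("type", "?")
               for m in app.findall("conf:MetadataProvider", NS)]
    return idp, sources

def audit_metadata(xml_text):
    """Map each application id to its IdP entityID and usable metadata sources;
    overrides inherit MetadataProvider elements declared on ApplicationDefaults."""
    root = ET.fromstring(xml_text)
    defaults = root.find("conf:ApplicationDefaults", NS)
    if defaults is None:
        raise ValueError("shibboleth2.xml has no ApplicationDefaults element")
    default_idp, default_md = _describe(defaults)
    report = {"default": {"idp": default_idp, "metadata": list(default_md)}}
    for ovr in defaults.findall("conf:ApplicationOverride", NS):
        idp, md = _describe(ovr)
        report[ovr.get("id")] = {"idp": idp or default_idp, "metadata": md + default_md}
    return report

def missing_metadata(report):
    """Application ids that would fail with 'No MetadataProvider available'."""
    return sorted(app for app, info in report.items() if not info["metadata"])

if __name__ == "__main__":
    print("applications without metadata:", missing_metadata(audit_metadata(SAMPLE)))
```

Against the sample it reports only "default"; declaring a MetadataProvider on ApplicationDefaults (or mapping the handler path to an override) makes the list empty.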


__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev