What do the keystone logs indicate?

Steve
Akshik DBK <[email protected]> wrote on 03/04/2015 02:18:47 AM:

> From: Akshik DBK <[email protected]>
> To: OpenStack Development Mailing List not for usage questions <[email protected]>
> Date: 03/04/2015 02:25 AM
> Subject: Re: [openstack-dev] Need help in configuring keystone
>
> Hi Marek,
>
> I tried with the auto-generated shibboleth2.xml, just added the application override attribute; now I'm stuck with a looping issue.
>
> When I access v3/OS-FEDERATION/identity_providers/idp_2/protocols/saml2/auth for the first time it prompts for username and password; once provided, it goes into a loop.
>
> I could see a session generated at https://115.112.68.53:5000/Shibboleth.sso/Session
>
> Miscellaneous
> Client Address: 121.243.33.212
> Identity Provider: https://idp.testshib.org/idp/shibboleth
> SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
> Authentication Time: 2015-03-04T06:44:41.625Z
> Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
> Authentication Context Decl: (none)
> Session Expiration (barring inactivity): 479 minute(s)
>
> Attributes
> affiliation: [email protected];[email protected]
> entitlement: urn:mace:dir:entitlement:common-lib-terms
> eppn: [email protected]
> persistent-id: https://idp.testshib.org/idp/shibboleth!https://115.112.68.53/shibboleth!4Q6X4dS2MRhgTZOPTuL9ubMAcIM=
> unscoped-affiliation: Member;Staff
>
> Here are my config files:
>
> shibboleth2.xml
>
> <SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
>     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" clockSkew="1800">
>     <ApplicationDefaults entityID="https://115.112.68.53/shibboleth" REMOTE_USER="eppn">
>         <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="true"
>                   handlerSSL="true" cookieProps="; path=/; secure">
>
>             <SSO entityID="https://idp.testshib.org/idp/shibboleth">
>               SAML2 SAML1
>             </SSO>
>
>             <Logout>SAML2 Local</Logout>
>
>             <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
>             <Handler type="Status" Location="/Status"/>
>             <Handler type="Session" Location="/Session" showAttributeValues="true"/>
>             <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
>         </Sessions>
>
>         <Errors supportContact="root@localhost" logoLocation="/shibboleth-sp/logo.jpg" styleSheet="/shibboleth-sp/main.css"/>
>         <MetadataProvider type="XML" uri="https://www.testshib.org/metadata/testshib-providers.xml"
>               backingFilePath="/tmp/testshib-two-idp-metadata.xml" reloadInterval="180000" />
>         <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
>         <AttributeResolver type="Query" subjectMatch="true"/>
>         <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
>         <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
>         <ApplicationOverride id="idp_2" entityID="https://115.112.68.53/shibboleth">
>             <!--Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="false"-->
>             <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="true" cookieProps="; path=/; secure">
>
>                 <!-- Triggers a login request directly to the TestShib IdP. -->
>                 <SSO entityID="https://idp.testshib.org/idp/shibboleth" ECP="true">
>                   SAML2 SAML1
>                 </SSO>
>                 <Logout>SAML2 Local</Logout>
>             </Sessions>
>             <MetadataProvider type="XML" uri="https://www.testshib.org/metadata/testshib-providers.xml"
>                   backingFilePath="/tmp/testshib-two-idp-metadata.xml" reloadInterval="180000" />
>         </ApplicationOverride>
>     </ApplicationDefaults>
>     <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
>     <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
> </SPConfig>
>
> keystone-httpd
>
> WSGIDaemonProcess keystone user=keystone group=nogroup processes=3 threads=10
> #WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/keystone/main/$1
> WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/cgi-bin/keystone/main/$1
>
> <VirtualHost *:5000>
>     LogLevel info
>     ErrorLog /var/log/keystone/keystone-apache-error.log
>     CustomLog /var/log/keystone/ssl_access.log combined
>     Options +FollowSymLinks
>
>     SSLEngine on
>     #SSLCertificateFile /etc/ssl/certs/mycert.pem
>     #SSLCertificateKeyFile /etc/ssl/private/mycert.key
>     SSLCertificateFile /etc/apache2/ssl/server.crt
>     SSLCertificateKeyFile /etc/apache2/ssl/server.key
>     SSLVerifyClient optional
>     SSLVerifyDepth 10
>     SSLProtocol all -SSLv2
>     SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
>     SSLOptions +StdEnvVars +ExportCertData
>
>     WSGIScriptAlias / /var/www/cgi-bin/keystone/main
>     WSGIProcessGroup keystone
> </VirtualHost>
>
> <VirtualHost *:35357>
>     LogLevel info
>     ErrorLog /var/log/keystone/keystone-apache-error.log
>     CustomLog /var/log/keystone/ssl_access.log combined
>     Options +FollowSymLinks
>
>     SSLEngine on
>
>     SSLEngine on
>     #SSLCertificateFile /etc/ssl/certs/mycert.pem
>     #SSLCertificateKeyFile /etc/ssl/private/mycert.key
>     SSLCertificateFile /etc/apache2/ssl/server.crt
>     SSLCertificateKeyFile /etc/apache2/ssl/server.key
>     SSLVerifyClient optional
>     SSLVerifyDepth 10
>     SSLProtocol all -SSLv2
>     SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
>     SSLOptions +StdEnvVars +ExportCertData
>
>     WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
>     WSGIProcessGroup keystone
> </VirtualHost>
>
> wsgi-keystone
>
> WSGIScriptAlias /keystone/main /var/www/cgi-bin/keystone/main
> WSGIScriptAlias /keystone/admin /var/www/cgi-bin/keystone/admin
>
> <Location "/keystone">
>     # NSSRequireSSL
>     SSLRequireSSL
>     Authtype none
> </Location>
>
> <Location /Shibboleth.sso>
>     # SetHandler shib
>     Require all granted
> </Location>
>
> <Location /v3/OS-FEDERATION/identity_providers/idp_1/protocols/saml2/auth>
>     ShibRequestSetting requireSession 1
>     ShibRequestSetting applicationId idp_1
>     AuthType shibboleth
>     ShibRequireAll On
>     ShibRequireSession On
>     ShibExportAssertion Off
>     Require valid-user
> </Location>
>
> <Location /v3/OS-FEDERATION/identity_providers/idp_2/protocols/saml2/auth>
>     ShibRequestSetting requireSession 1
>     ShibRequestSetting applicationId idp_2
>     AuthType shibboleth
>     ShibRequireAll On
>     ShibRequireSession On
>     ShibExportAssertion Off
>     Require valid-user
> </Location>
>
> Regards,
> Akshik
>
> > Date: Mon, 2 Mar 2015 12:03:18 +0100
> > From: [email protected]
> > To: [email protected]
> > Subject: Re: [openstack-dev] Need help in configuring keystone
> >
> > Akshik,
> >
> > When you are beginning an adventure with SAML, Shibboleth and so on,
> > it's helpful to start with fetching the auto-generated shibboleth2.xml file
> > from testshib.org. This should cover most of your use cases, at least
> > in the testing environment.
> >
> > Marek
> >
> > __________________________________________________________________________
> > OpenStack Development Mailing List (not for usage questions)
> > Unsubscribe: [email protected]?subject:unsubscribe
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
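As an added illustration (not code from the thread or from Keystone/Shibboleth), a small Python check that cross-references the two files quoted above: every `applicationId` that mod_shib is handed in the Apache `Location` blocks must exist as an `ApplicationOverride` in shibboleth2.xml, a `secure` session cookie must be paired with `handlerSSL="true"`, and a file that is not well-formed XML (for example a duplicated attribute) is reported instead of crashing the check. The XML and Apache snippets are constructed excerpts modelled on the thread, with `sp.example.org` in place of the real host.

```python
import re
import xml.etree.ElementTree as ET

NS = {"sp": "urn:mace:shibboleth:2.0:native:sp:config"}

# Constructed excerpt modelled on the shibboleth2.xml posted in the thread
SP_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth" REMOTE_USER="eppn">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              handlerSSL="true" cookieProps="; path=/; secure"/>
    <ApplicationOverride id="idp_2" entityID="https://sp.example.org/shibboleth">
      <Sessions lifetime="28800" timeout="3600" handlerSSL="true"
                cookieProps="; path=/; secure"/>
    </ApplicationOverride>
  </ApplicationDefaults>
</SPConfig>"""

# Constructed: the same attribute written twice, as in the thread; not well-formed XML
SP_CONFIG_DUP = '<SPConfig><Sessions handlerSSL="true" handlerSSL="true"/></SPConfig>'

# Constructed excerpt of the Apache/mod_shib Location blocks from the thread
APACHE_CONFIG = """<Location /v3/OS-FEDERATION/identity_providers/idp_1/protocols/saml2/auth>
  ShibRequestSetting applicationId idp_1
</Location>
<Location /v3/OS-FEDERATION/identity_providers/idp_2/protocols/saml2/auth>
  ShibRequestSetting applicationId idp_2
</Location>"""


def check_sp(sp_xml, apache_conf):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    try:
        root = ET.fromstring(sp_xml)
    except ET.ParseError as exc:  # duplicate attribute, unclosed tag, ...: shibd rejects the file
        return ["not well-formed: %s" % exc]
    # every applicationId Apache hands to mod_shib needs a matching ApplicationOverride
    overrides = {el.get("id") for el in root.iterfind(".//sp:ApplicationOverride", NS)}
    for app_id in re.findall(r"ShibRequestSetting\s+applicationId\s+(\S+)", apache_conf):
        if app_id not in overrides:
            findings.append("applicationId %r has no ApplicationOverride" % app_id)
    # a cookie flagged secure is never sent to a handler served over plain http,
    # so cookieProps=...secure only works together with handlerSSL="true"
    for sess in root.iterfind(".//sp:Sessions", NS):
        secure = "secure" in sess.get("cookieProps", "")
        if secure and sess.get("handlerSSL", "false") != "true":
            findings.append("secure cookie with handlerSSL=%s" % sess.get("handlerSSL"))
    return findings
```

Run against the constructed excerpts it reports that `idp_1` is referenced by Apache but has no override, which mirrors the two files as quoted.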
