What do the keystone logs indicate?

Steve

Akshik DBK <aks...@outlook.com> wrote on 03/04/2015 02:18:47 AM:

> From: Akshik DBK <aks...@outlook.com>
> To: OpenStack Development Mailing List not for usage questions 
> <openstack-dev@lists.openstack.org>
> Date: 03/04/2015 02:25 AM
> Subject: Re: [openstack-dev] Need help in configuring keystone
> 
> Hi Marek,
> 
> I tried with the auto-generated shibboleth2.xml, just added the 
> application override attribute, now im stuck with looping issue,
> 
> when i access v3/OS-FEDERATION/identity_providers/idp_2/protocols/
> saml2/auth for the first time it is prompting for username and 
> password once provided it goes on loop.
> 
> i could see session generated https://115.112.68.53:5000/
> Shibboleth.sso/Session
> Miscellaneous
> Client Address: 121.243.33.212
> Identity Provider: https://idp.testshib.org/idp/shibboleth
> SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
> Authentication Time: 2015-03-04T06:44:41.625Z
> Authentication Context Class: urn:oasis:names:tc:SAML:2.
> 0:ac:classes:PasswordProtectedTransport
> Authentication Context Decl: (none)
> Session Expiration (barring inactivity): 479 minute(s)
> 
> Attributes
> affiliation: mem...@testshib.org;st...@testshib.org
> entitlement: urn:mace:dir:entitlement:common-lib-terms
> eppn: mys...@testshib.org
> persistent-id: https://idp.testshib.org/idp/shibboleth!https://115.
> 112.68.53/shibboleth!4Q6X4dS2MRhgTZOPTuL9ubMAcIM=
> unscoped-affiliation: Member;Staff
> here are my config files,
> <SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" 
> xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"  clockSkew="1800">
>     <ApplicationDefaults entityID="https://115.112.68.53/shibboleth";
> REMOTE_USER="eppn">
>         <Sessions lifetime="28800" timeout="3600" 
> checkAddress="false" relayState="ss:mem" handlerSSL="true" 
> handlerSSL="true" cookieProps="; path=/; secure">
> 
>             <SSO entityID="https://idp.testshib.org/idp/shibboleth";>
>                 SAML2 SAML1
>             </SSO>
> 
>             <Logout>SAML2 Local</Logout>
> 
>             <Handler type="MetadataGenerator" Location="/Metadata" 
> signing="false"/>
>             <Handler type="Status" Location="/Status"/>
>             <Handler type="Session" Location="/Session" 
> showAttributeValues="true"/>
>             <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
>         </Sessions>
> 
>         <Errors supportContact="root@localhost" logoLocation="/
> shibboleth-sp/logo.jpg" styleSheet="/shibboleth-sp/main.css"/>
>         <MetadataProvider type="XML" uri="https://www.testshib.org/
> metadata/testshib-providers.xml"
>              backingFilePath="/tmp/testshib-two-idp-metadata.xml"
>              reloadInterval="180000" />
>         <AttributeExtractor type="XML" validate="true" 
> path="attribute-map.xml"/>
>         <AttributeResolver type="Query" subjectMatch="true"/>
>         <AttributeFilter type="XML" validate="true" path="attribute-
> policy.xml"/>
>         <CredentialResolver type="File" key="sp-key.pem" 
> certificate="sp-cert.pem"/>
>         <ApplicationOverride id="idp_2" entityID="https://115.112.
> 68.53/shibboleth">
>            <!--Sessions lifetime="28800" timeout="3600" 
checkAddress="false"
>            relayState="ss:mem" handlerSSL="false"-->
>            <Sessions lifetime="28800" timeout="3600" 
checkAddress="false"
>            relayState="ss:mem" handlerSSL="true" cookieProps="; 
> path=/; secure">
> 
>             <!-- Triggers a login request directly to the TestShib IdP. 
-->
>             <SSO entityID="https://idp.testshib.org/idp/shibboleth"; 
> ECP="true">
>                 SAML2 SAML1
>             </SSO>
>             <Logout>SAML2 Local</Logout>
>          </Sessions>
>             <MetadataProvider type="XML" uri="https://
> www.testshib.org/metadata/testshib-providers.xml"
>              backingFilePath="/tmp/testshib-two-idp-metadata.xml"
>              reloadInterval="180000" />
>         </ApplicationOverride>
>     </ApplicationDefaults>
>     <SecurityPolicyProvider type="XML" validate="true" 
> path="security-policy.xml"/>
>     <ProtocolProvider type="XML" validate="true" 
> reloadChanges="false" path="protocols.xml"/>
> </SPConfig>
> 
> keystone-httpd
> WSGIDaemonProcess keystone user=keystone group=nogroup processes=3 
threads=10
> #WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/
> protocols/.*?/auth)$ /var/www/keystone/main/$1
> WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/
> protocols/.*?/auth)$ /var/www/cgi-bin/keystone/main/$1
> 
> <VirtualHost *:5000>
>     LogLevel  info
>     ErrorLog  /var/log/keystone/keystone-apache-error.log
>     CustomLog /var/log/keystone/ssl_access.log combined
>     Options +FollowSymLinks
> 
>         SSLEngine on
>         #SSLCertificateFile /etc/ssl/certs/mycert.pem
>         #SSLCertificateKeyFile /etc/ssl/private/mycert.key
>         SSLCertificateFile    /etc/apache2/ssl/server.crt
>         SSLCertificateKeyFile /etc/apache2/ssl/server.key
>         SSLVerifyClient optional
>         SSLVerifyDepth 10
>         SSLProtocol all -SSLv2
>         SSLCipherSuite 
ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
>         SSLOptions +StdEnvVars +ExportCertData
> 
>     WSGIScriptAlias /  /var/www/cgi-bin/keystone/main
>     WSGIProcessGroup keystone
> </VirtualHost>
> 
> <VirtualHost *:35357>
>     LogLevel  info
>     ErrorLog  /var/log/keystone/keystone-apache-error.log
>     CustomLog /var/log/keystone/ssl_access.log combined
>     Options +FollowSymLinks
> 
>         SSLEngine on
> 
>         SSLEngine on
>         #SSLCertificateFile /etc/ssl/certs/mycert.pem
>         #SSLCertificateKeyFile /etc/ssl/private/mycert.key
>         SSLCertificateFile    /etc/apache2/ssl/server.crt
>         SSLCertificateKeyFile /etc/apache2/ssl/server.key
>         SSLVerifyClient optional
>         SSLVerifyDepth 10
>         SSLProtocol all -SSLv2
>         SSLCipherSuite 
ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
>         SSLOptions +StdEnvVars +ExportCertData
> 
>     WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
>     WSGIProcessGroup keystone
> </VirtualHost>
> 
> wsgi-keystone
> WSGIScriptAlias /keystone/main  /var/www/cgi-bin/keystone/main
> WSGIScriptAlias /keystone/admin  /var/www/cgi-bin/keystone/admin
> 
> <Location "/keystone">
> # NSSRequireSSL
> SSLRequireSSL
> Authtype none
> </Location>
> 
> <Location /Shibboleth.sso>
> #    SetHandler shib
>     Require all granted
> </Location>
> 
> <Location 
/v3/OS-FEDERATION/identity_providers/idp_1/protocols/saml2/auth>
>     ShibRequestSetting requireSession 1
>     ShibRequestSetting applicationId idp_1
>     AuthType shibboleth
>     ShibRequireAll On
>     ShibRequireSession On
>     ShibExportAssertion Off
>     Require valid-user
> </Location>
> 
> <Location 
/v3/OS-FEDERATION/identity_providers/idp_2/protocols/saml2/auth>
>     ShibRequestSetting requireSession 1
>     ShibRequestSetting applicationId idp_2
>     AuthType shibboleth
>     ShibRequireAll On
>     ShibRequireSession On
>     ShibExportAssertion Off
>     Require valid-user
> </Location>
> 
> Regards,
> Akshik
> 
> > Date: Mon, 2 Mar 2015 12:03:18 +0100
> > From: marek.de...@cern.ch
> > To: openstack-dev@lists.openstack.org
> > Subject: Re: [openstack-dev] Need help in configuring keystone
> > 
> > Akshik,
> > 
> > When you are beginning an adventure with saml, shibboleth and so on, 
> > it's helpful to start with fetching auto-generated shibboleth2.xml 
file 
> > from testshib.org . This should cover most of your use-cases, at least 

> > in the testing environment.
> > 
> > Marek
> > 
> > 
> > 
> > 
__________________________________________________________________________
> > OpenStack Development Mailing List (not for usage questions)
> > Unsubscribe: 
openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> 
__________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: 
openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Reply via email to