Hi Steve,
here are the log details

==> /var/log/shibboleth/shibd.log <==2015-03-04 14:36:05 INFO 
Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute 
with Name: urn:oid:0.9.2342.19200300.100.1.12015-03-04 14:36:05 INFO 
Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute 
with Name: urn:oid:2.5.4.42015-03-04 14:36:05 INFO 
Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute 
with Name: urn:oid:2.5.4.32015-03-04 14:36:05 INFO 
Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute 
with Name: urn:oid:2.5.4.202015-03-04 14:36:05 INFO Shibboleth.SessionCache 
[2]: new session created: ID (_ee18a916d4e7e7adbc34f55c010695a4) IdP 
(https://idp.testshib.org/idp/shibboleth) 
Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (121.243.33.212)
==> /var/log/keystone/keystone-apache-error.log <==[Wed Mar 04 14:36:05 2015] 
[info] Subsequent (No.8) HTTPS request received for child 7 (server 
10.1.193.250:5000)[Wed Mar 04 14:36:09 2015] [info] Subsequent (No.9) HTTPS 
request received for child 7 (server 10.1.193.250:5000)
==> /var/log/shibboleth/shibd.log <==2015-03-04 14:36:09 INFO 
Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute 
with Name: urn:oid:0.9.2342.19200300.100.1.12015-03-04 14:36:09 INFO 
Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute 
with Name: urn:oid:2.5.4.42015-03-04 14:36:09 INFO 
Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute 
with Name: urn:oid:2.5.4.32015-03-04 14:36:09 INFO 
Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute 
with Name: urn:oid:2.5.4.202015-03-04 14:36:09 INFO Shibboleth.SessionCache 
[2]: new session created: ID (_10d6c414a9f198b6601b5d4f36a9057a) IdP 
(https://idp.testshib.org/idp/shibboleth) 
Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (121.243.33.212)
==> /var/log/keystone/keystone-apache-error.log <==[Wed Mar 04 14:36:09 2015] 
[info] Subsequent (No.10) HTTPS request received for child 7 (server 
10.1.193.250:5000)[Wed Mar 04 14:36:14 2015] [info] [client 121.243.33.212] 
(70007)The timeout specified has expired: SSL input filter read failed.[Wed Mar 
04 14:36:14 2015] [info] [client 121.243.33.212] Connection closed to child 7 
with standard shutdown (server 10.1.193.250:5000)

To: openstack-dev@lists.openstack.org
From: steve...@ca.ibm.com
Date: Wed, 4 Mar 2015 03:04:52 -0500
Subject: Re: [openstack-dev] Need help in configuring keystone

What do the keystone logs indicate?



Steve



Akshik DBK <aks...@outlook.com> wrote on 03/04/2015
02:18:47 AM:



> From: Akshik DBK <aks...@outlook.com>

> To: OpenStack Development Mailing List not for
usage questions 

> <openstack-dev@lists.openstack.org>

> Date: 03/04/2015 02:25 AM

> Subject: Re: [openstack-dev] Need help in configuring
keystone

> 

> Hi Marek,

> 

> I tried with the auto-generated shibboleth2.xml, just added the 

> application override attribute, now im stuck with looping issue,

> 

> when i access v3/OS-FEDERATION/identity_providers/idp_2/protocols/

> saml2/auth for the first time it is prompting for username and 

> password once provided it goes on loop.

> 

> i could see session generated https://115.112.68.53:5000/

> Shibboleth.sso/Session

> Miscellaneous

> Client Address: 121.243.33.212

> Identity Provider: https://idp.testshib.org/idp/shibboleth

> SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol

> Authentication Time: 2015-03-04T06:44:41.625Z

> Authentication Context Class: urn:oasis:names:tc:SAML:2.

> 0:ac:classes:PasswordProtectedTransport

> Authentication Context Decl: (none)

> Session Expiration (barring inactivity): 479 minute(s)

> 

> Attributes

> affiliation: mem...@testshib.org;st...@testshib.org

> entitlement: urn:mace:dir:entitlement:common-lib-terms

> eppn: mys...@testshib.org

> persistent-id: https://idp.testshib.org/idp/shibboleth!https://115.

> 112.68.53/shibboleth!4Q6X4dS2MRhgTZOPTuL9ubMAcIM=

> unscoped-affiliation: Member;Staff

> here are my config files,

> <SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"


> xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"  clockSkew="1800">

>     <ApplicationDefaults entityID="https://115.112.68.53/shibboleth";

> REMOTE_USER="eppn">

>         <Sessions lifetime="28800"
timeout="3600" 

> checkAddress="false" relayState="ss:mem" handlerSSL="true"


> handlerSSL="true" cookieProps="; path=/; secure">

> 

>             <SSO entityID="https://idp.testshib.org/idp/shibboleth";>

>              
  SAML2 SAML1

>             </SSO>

> 

>             <Logout>SAML2 Local</Logout>

> 

>             <Handler type="MetadataGenerator"
Location="/Metadata" 

> signing="false"/>

>             <Handler
type="Status" Location="/Status"/>

>             <Handler
type="Session" Location="/Session" 

> showAttributeValues="true"/>

>             <Handler
type="DiscoveryFeed" Location="/DiscoFeed"/>

>         </Sessions>

> 

>         <Errors supportContact="root@localhost"
logoLocation="/

> shibboleth-sp/logo.jpg" styleSheet="/shibboleth-sp/main.css"/>

>         <MetadataProvider
type="XML" uri="https://www.testshib.org/

> metadata/testshib-providers.xml"

>              backingFilePath="/tmp/testshib-two-idp-metadata.xml"

>              reloadInterval="180000"
/>

>         <AttributeExtractor
type="XML" validate="true" 

> path="attribute-map.xml"/>

>         <AttributeResolver
type="Query" subjectMatch="true"/>

>         <AttributeFilter
type="XML" validate="true" path="attribute-

> policy.xml"/>

>         <CredentialResolver
type="File" key="sp-key.pem" 

> certificate="sp-cert.pem"/>

>         <ApplicationOverride
id="idp_2" entityID="https://115.112.

> 68.53/shibboleth">

>            <!--Sessions
lifetime="28800" timeout="3600" checkAddress="false"

>            relayState="ss:mem"
handlerSSL="false"-->

>            <Sessions
lifetime="28800" timeout="3600" checkAddress="false"

>            relayState="ss:mem"
handlerSSL="true" cookieProps="; 

> path=/; secure">

> 

>             <!-- Triggers a login
request directly to the TestShib IdP. -->

>             <SSO
entityID="https://idp.testshib.org/idp/shibboleth";


> ECP="true">

>              
  SAML2 SAML1

>             </SSO>

>             <Logout>SAML2
Local</Logout>

>          </Sessions>

>             <MetadataProvider
type="XML" uri="https://

> www.testshib.org/metadata/testshib-providers.xml"

>              backingFilePath="/tmp/testshib-two-idp-metadata.xml"

>              reloadInterval="180000"
/>

>         </ApplicationOverride>

>     </ApplicationDefaults>

>     <SecurityPolicyProvider type="XML"
validate="true" 

> path="security-policy.xml"/>

>     <ProtocolProvider type="XML"
validate="true" 

> reloadChanges="false" path="protocols.xml"/>

> </SPConfig>

> 

> keystone-httpd

> WSGIDaemonProcess keystone user=keystone group=nogroup
processes=3 threads=10

> #WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/

> protocols/.*?/auth)$ /var/www/keystone/main/$1

> WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/

> protocols/.*?/auth)$ /var/www/cgi-bin/keystone/main/$1

> 

> <VirtualHost *:5000>

>     LogLevel  info

>     ErrorLog  /var/log/keystone/keystone-apache-error.log

>     CustomLog /var/log/keystone/ssl_access.log
combined

>     Options +FollowSymLinks

> 

>         SSLEngine on

>         #SSLCertificateFile
/etc/ssl/certs/mycert.pem

>         #SSLCertificateKeyFile
/etc/ssl/private/mycert.key

>         SSLCertificateFile
   /etc/apache2/ssl/server.crt

>         SSLCertificateKeyFile
/etc/apache2/ssl/server.key

>         SSLVerifyClient optional

>         SSLVerifyDepth 10

>         SSLProtocol all -SSLv2

>         SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

>         SSLOptions +StdEnvVars
+ExportCertData

> 

>     WSGIScriptAlias /  /var/www/cgi-bin/keystone/main

>     WSGIProcessGroup keystone

> </VirtualHost>

> 

> <VirtualHost *:35357>

>     LogLevel  info

>     ErrorLog  /var/log/keystone/keystone-apache-error.log

>     CustomLog /var/log/keystone/ssl_access.log
combined

>     Options +FollowSymLinks

> 

>         SSLEngine on

> 

>         SSLEngine on

>         #SSLCertificateFile
/etc/ssl/certs/mycert.pem

>         #SSLCertificateKeyFile
/etc/ssl/private/mycert.key

>         SSLCertificateFile
   /etc/apache2/ssl/server.crt

>         SSLCertificateKeyFile
/etc/apache2/ssl/server.key

>         SSLVerifyClient optional

>         SSLVerifyDepth 10

>         SSLProtocol all -SSLv2

>         SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

>         SSLOptions +StdEnvVars
+ExportCertData

> 

>     WSGIScriptAlias / /var/www/cgi-bin/keystone/admin

>     WSGIProcessGroup keystone

> </VirtualHost>

> 

> wsgi-keystone

> WSGIScriptAlias /keystone/main  /var/www/cgi-bin/keystone/main

> WSGIScriptAlias /keystone/admin  /var/www/cgi-bin/keystone/admin

> 

> <Location "/keystone">

> # NSSRequireSSL

> SSLRequireSSL

> Authtype none

> </Location>

> 

> <Location /Shibboleth.sso>

> #    SetHandler shib

>     Require all granted

> </Location>

> 

> <Location /v3/OS-FEDERATION/identity_providers/idp_1/protocols/saml2/auth>

>     ShibRequestSetting requireSession
1

>     ShibRequestSetting applicationId
idp_1

>     AuthType shibboleth

>     ShibRequireAll On

>     ShibRequireSession On

>     ShibExportAssertion Off

>     Require valid-user

> </Location>

> 

> <Location /v3/OS-FEDERATION/identity_providers/idp_2/protocols/saml2/auth>

>     ShibRequestSetting requireSession
1

>     ShibRequestSetting applicationId
idp_2

>     AuthType shibboleth

>     ShibRequireAll On

>     ShibRequireSession On

>     ShibExportAssertion Off

>     Require valid-user

> </Location>

> 

> Regards,

> Akshik

> 

> > Date: Mon, 2 Mar 2015 12:03:18 +0100

> > From: marek.de...@cern.ch

> > To: openstack-dev@lists.openstack.org

> > Subject: Re: [openstack-dev] Need help in configuring keystone

> > 

> > Akshik,

> > 

> > When you are beginning an adventure with saml, shibboleth and
so on, 

> > it's helpful to start with fetching auto-generated shibboleth2.xml
file 

> > from testshib.org . This should cover most of your use-cases,
at least 

> > in the testing environment.

> > 

> > Marek

> > 

> > 

> > 

> > __________________________________________________________________________

> > OpenStack Development Mailing List (not for usage questions)

> > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe

> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

> __________________________________________________________________________

> OpenStack Development Mailing List (not for usage questions)

> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe

> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev               
                          
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Reply via email to