Hi 

I still have a problem connecting Keystone with Shibboleth.
From [1], I have seen that in keystone.conf I must put the following line

idp_sso_endpoint=https://keystone.example.com/v3/OS-FEDERATION/saml2/sso

But I cannot retrieve this URL with a 'wget' (404 error); moreover, the code in
keystone [2] doesn't contain a route to that URI.
Is this normal? Can someone give me the right parameter in keystone.conf?

Cheers,

[1] 
http://docs.openstack.org/developer/keystone/configure_federation.html#keystone-as-an-identity-provider-idp
[2] 
https://github.com/openstack/keystone/blob/stable/liberty/keystone/contrib/federation/routers.py
--
Thomas Duval
[email protected]

________________________________________
From: [email protected] [[email protected]]
Sent: Tuesday 1 March 2016 17:09
To: Marek Denis; [email protected]
Subject: Re: [Openstack] Keystone and identity federation

Thanks Marek for your answer.

I tried to use HTTPS, I also deleted the <ApplicationOverride> and I changed all
IP addresses into FQDNs (by setting them in the /etc/hosts file), but with no
luck.

The problem is on the SP server because there is no data transmitted to the IdP 
server.

On the SP server, when I try to retrieve the data from
http://idp.loc:5000/idp/Shibboleth.sso/Metadata, the IdP gives me:

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
ID="_3c5b6e319dcd12ca1e91dfba9e4e4c22a8190c1c"
entityID="https://idp.loc:5000/shibboleth">

  <md:Extensions xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport">
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
    <alg:DigestMethod 
Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha384"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <alg:DigestMethod 
Algorithm="http://www.w3.org/2001/04/xmldsig-more#sha224"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <alg:SigningMethod 
Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"/>
    <alg:SigningMethod 
Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384"/>
    <alg:SigningMethod 
Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
    <alg:SigningMethod 
Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha224"/>
    <alg:SigningMethod 
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
    <alg:SigningMethod 
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"/>
    <alg:SigningMethod 
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
    <alg:SigningMethod 
Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha1"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <alg:SigningMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
  </md:Extensions>

  <md:SPSSODescriptor 
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol 
urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:1.0:protocol">
    <md:Extensions>
      <init:RequestInitiator 
xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" 
Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" 
Location="https://idp.loc:5000/Shibboleth.sso/Login"/>
      <idpdisc:DiscoveryResponse
xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
Location="https://idp.loc:5000/Shibboleth.sso/Login" index="1"/>
    </md:Extensions>
    <md:KeyDescriptor>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyName>idp</ds:KeyName>
        <ds:X509Data>
          <ds:X509SubjectName>CN=idp</ds:X509SubjectName>
          
<ds:X509Certificate>MIIC0DCCAbigAwIBAgIJAMzXtBlkSc6lMA0GCSqGSIb3DQEBBQUAMA4xDDAKBgNV
BAMTA2lkcDAeFw0xNjAyMjYwOTA5MjhaFw0yNjAyMjMwOTA5MjhaMA4xDDAKBgNV
BAMTA2lkcDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANSydej0wXBp
SzDetOyyl3M............ TRUNCATED 
......................K7YxQwV2+B/OjCSfZmjKpvv434xZEvEH8v
sTmT+W24NCa12W+3OclfnD1SXxsqx3/NlKFXhGV+CT3F/94fo1PEACsfIworftF3
JMfHLw==
</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <md:EncryptionMethod 
Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm"/>
      <md:EncryptionMethod 
Algorithm="http://www.w3.org/2009/xmlenc11#aes192-gcm"/>
      <md:EncryptionMethod 
Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
      <md:EncryptionMethod 
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <md:EncryptionMethod 
Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
      <md:EncryptionMethod 
Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <md:EncryptionMethod 
Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <md:EncryptionMethod 
Algorithm="http://www.w3.org/2009/xmlenc11#rsa-oaep"/>
      <md:EncryptionMethod 
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
    </md:KeyDescriptor>
    <md:ArtifactResolutionService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
Location="https://idp.loc:5000/Shibboleth.sso/Artifact/SOAP" index="1"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" 
Location="https://idp.loc:5000/Shibboleth.sso/SLO/SOAP"/>
    <md:SingleLogoutService 
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" 
Location="https://idp.loc:5000/Shibboleth.sso/SLO/Redirect"/>
    <md:SingleLogoutService 
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
Location="https://idp.loc:5000/Shibboleth.sso/SLO/POST"/>
    <md:SingleLogoutService 
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" 
Location="https://idp.loc:5000/Shibboleth.sso/SLO/Artifact"/>
    <md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://idp.loc:5000/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
Location="https://idp.loc:5000/Shibboleth.sso/SAML2/POST-SimpleSign" index="2"/>
    <md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
Location="https://idp.loc:5000/Shibboleth.sso/SAML2/Artifact" index="3"/>
    <md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
Location="https://idp.loc:5000/Shibboleth.sso/SAML2/ECP" index="4"/>
    <md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
Location="https://idp.loc:5000/Shibboleth.sso/SAML/POST" index="5"/>
    <md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
Location="https://idp.loc:5000/Shibboleth.sso/SAML/Artifact" index="6"/>
  </md:SPSSODescriptor>

</md:EntityDescriptor>


--
Thomas



From: Marek Denis [[email protected]]
Sent: Tuesday 1 March 2016 16:26
To: [email protected]
Subject: Re: [Openstack] Keystone and identity federation

Hi,

On 01.03.2016 10:31, [email protected] wrote:

Hello Everybody,



I am trying to configure identity federation between 2 Keystones and I have some
difficulties. I mainly followed this guide
http://docs.openstack.org/developer/keystone/configure_federation.html and when
I want to test the federated authentication on the Service Provider (GET
/v3/OS-FEDERATION/identity_providers/master/protocols/saml2/auth), I get the
following response:

Error 500

Unable to locate metadata for identity provider <http://idp/idp/shibboleth>


The only error in keystone.log is:

Unable to locate metadata for identity provider (http://idp/idp/shibboleth)


I have the following warning in shibd.log:

WARN Shibboleth.SessionInitiator.SAML2 [1]: unable to locate metadata for 
provider (http://idp/idp/shibboleth)


Here is the configuration of Shibboleth:

<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    clockSkew="180">

    <ApplicationDefaults entityID="http://sp/shibboleth">

        <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
                  checkAddress="false" handlerSSL="false" cookieProps="http">

            <SSO entityID="http://idp/idp/shibboleth" ECP="true">
              SAML2 SAML1
            </SSO>

            <Logout>SAML2 Local</Logout>

            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
        </Sessions>

        <Errors supportContact="root@localhost"
            helpLocation="/about.html"
            styleSheet="/shibboleth-sp/main.css"/>

    <MetadataProvider type="XML" uri="http://192.168.52.10/Shibboleth.sso/Metadata"
              backingFilePath="/var/cache/shibboleth/idp.xml" reloadInterval="7200">
        </MetadataProvider>

What if you try to set IdP FQDN here instead of IP address?

Something like
http://idp/idp/Shibboleth.sso/Metadata



Also, make sure that this URI is reachable for your Service Provider.

        <MetadataProvider type="XML" file="IDP.xml"/>

        <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>

        <AttributeResolver type="Query" subjectMatch="true"/>

        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>

        <ApplicationOverride id="master" entityID="http://idp/shibboleth">
           <Sessions lifetime="28800" timeout="3600" checkAddress="false"
           relayState="ss:mem" handlerSSL="false">

            <SSO entityID="https://idp/idp/shibboleth" ECP="true">
                SAML2 SAML1
            </SSO>

            <Logout>SAML2 Local</Logout>
           </Sessions>

           <MetadataProvider type="XML" uri="http://192.168.52.10/Shibboleth.sso/Metadata"
             backingFilePath="/var/cache/shibboleth/idp.xml"
             reloadInterval="180000" />

        </ApplicationOverride>

I'm not sure if you need this <ApplicationOverride> object.

    </ApplicationDefaults>

    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>

</SPConfig>

The http://192.168.52.10/Shibboleth.sso/Metadata URL is working and gives me the
metadata of the Identity Provider. The file IDP.xml was retrieved from the same
URL and put in the directory /etc/shibboleth.



Both OpenStack servers were installed from DevStack (branch stable/liberty) on
Ubuntu trusty.



Does anyone face the same problem?



Cheers.




--

Thomas

_________________________________________________________________________________________________________________________

This message and its attachments may contain confidential or privileged 
information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete 
this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been 
modified, changed or falsified.
Thank you.





_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : [email protected]
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack




--
Marek Denis
[[email protected]]
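The shibd warning quoted in this thread, "unable to locate metadata for provider (...)", is raised when the SP finds, in none of its configured MetadataProvider sources, an EntityDescriptor whose entityID equals the one named in the <SSO> element and which carries an IDPSSODescriptor role. The script below is an added example, not code from the thread, from Shibboleth or from Keystone: it cross-checks a shibboleth2.xml-style configuration against the metadata documents the SP would load and reports, for each configured IdP entityID, whether a matching IdP descriptor exists. The SP configuration and the metadata embedded in it are constructed samples modelled on what was posted above (the metadata trimmed to its EntityDescriptor and role element); nothing is fetched over the network.

```python
"""Cross-check a Shibboleth SP configuration against the IdP metadata it loads.

Added example, not code from the mailing-list thread or from the Shibboleth or
Keystone projects. The two XML constants are constructed samples.
"""
import xml.etree.ElementTree as ET

SP_NS = "urn:mace:shibboleth:2.0:native:sp:config"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample: trimmed from the shibboleth2.xml posted in the thread.
SP_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" clockSkew="180">
  <ApplicationDefaults entityID="http://sp/shibboleth">
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="false" cookieProps="http">
      <SSO entityID="http://idp/idp/shibboleth" ECP="true">SAML2 SAML1</SSO>
      <Logout>SAML2 Local</Logout>
    </Sessions>
    <MetadataProvider type="XML" uri="http://192.168.52.10/Shibboleth.sso/Metadata"
                      backingFilePath="/var/cache/shibboleth/idp.xml" reloadInterval="7200"/>
    <MetadataProvider type="XML" file="IDP.xml"/>
    <ApplicationOverride id="master" entityID="http://idp/shibboleth">
      <Sessions lifetime="28800" timeout="3600" checkAddress="false"
                relayState="ss:mem" handlerSSL="false">
        <SSO entityID="https://idp/idp/shibboleth" ECP="true">SAML2 SAML1</SSO>
      </Sessions>
    </ApplicationOverride>
  </ApplicationDefaults>
</SPConfig>
"""

# Constructed sample: the EntityDescriptor returned by /Shibboleth.sso/Metadata in
# the thread, reduced to the entityID and the role element it publishes.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.loc:5000/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>
"""


def configured_idp_entity_ids(sp_config_xml):
    """Return every IdP entityID named by an <SSO> element, in document order."""
    root = ET.fromstring(sp_config_xml)
    return [sso.get("entityID")
            for sso in root.iter("{%s}SSO" % SP_NS)
            if sso.get("entityID")]


def metadata_provider_sources(sp_config_xml):
    """Return the uri or file attribute of every MetadataProvider, for reporting."""
    root = ET.fromstring(sp_config_xml)
    return [mp.get("uri") or mp.get("file")
            for mp in root.iter("{%s}MetadataProvider" % SP_NS)]


def idp_entities(metadata_xml):
    """Map entityID -> True when that EntityDescriptor carries an IDPSSODescriptor.

    Accepts either a bare EntityDescriptor or an EntitiesDescriptor aggregate."""
    root = ET.fromstring(metadata_xml)
    ed_tag = "{%s}EntityDescriptor" % MD_NS
    idp_tag = "{%s}IDPSSODescriptor" % MD_NS
    descriptors = [root] if root.tag == ed_tag else list(root.iter(ed_tag))
    return {ed.get("entityID"): ed.find(idp_tag) is not None
            for ed in descriptors if ed.get("entityID")}


def check_sp_config(sp_config_xml, metadata_docs):
    """Return {configured IdP entityID: status}.

    status is 'ok', 'missing' (no EntityDescriptor with that entityID in any
    metadata document) or 'not-an-idp' (descriptor found, but it publishes no
    IDPSSODescriptor role, so the SP cannot use it as an SSO partner)."""
    known = {}
    for doc in metadata_docs:
        known.update(idp_entities(doc))
    report = {}
    for entity_id in configured_idp_entity_ids(sp_config_xml):
        if entity_id not in known:
            report[entity_id] = "missing"
        elif not known[entity_id]:
            report[entity_id] = "not-an-idp"
        else:
            report[entity_id] = "ok"
    return report


if __name__ == "__main__":
    print("metadata sources:", metadata_provider_sources(SP_CONFIG))
    for entity_id, status in check_sp_config(SP_CONFIG, [IDP_METADATA]).items():
        print("%-32s %s" % (entity_id, status))
```

Run as-is, both configured entityIDs report "missing": the only descriptor the sample metadata publishes is https://idp.loc:5000/shibboleth, and that descriptor carries an SPSSODescriptor rather than an IDPSSODescriptor, so it would be reported as "not-an-idp" even if the entityIDs agreed. To use the check against a live deployment, replace the two constants with the contents of shibboleth2.xml and of the file the MetadataProvider's backingFilePath (or file attribute) points to.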








