Re: [openstack-dev] Need help in configuring keystone

2015-03-04 Thread Steve Martinelli
What do the keystone logs indicate?

Steve

Akshik DBK aks...@outlook.com wrote on 03/04/2015 02:18:47 AM:

 From: Akshik DBK aks...@outlook.com
 To: OpenStack Development Mailing List not for usage questions 
 openstack-dev@lists.openstack.org
 Date: 03/04/2015 02:25 AM
 Subject: Re: [openstack-dev] Need help in configuring keystone
 
 Hi Marek,
 
 I tried with the auto-generated shibboleth2.xml and just added the
 application override attribute; now I'm stuck with a looping issue.
 
 When I access v3/OS-FEDERATION/identity_providers/idp_2/protocols/saml2/auth
 for the first time it prompts for username and password; once provided,
 it goes into a loop.
 
 I could see the session generated at
 https://115.112.68.53:5000/Shibboleth.sso/Session
 
 Miscellaneous
 Client Address: 121.243.33.212
 Identity Provider: https://idp.testshib.org/idp/shibboleth
 SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
 Authentication Time: 2015-03-04T06:44:41.625Z
 Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
 Authentication Context Decl: (none)
 Session Expiration (barring inactivity): 479 minute(s)
 
 Attributes
 affiliation: mem...@testshib.org;st...@testshib.org
 entitlement: urn:mace:dir:entitlement:common-lib-terms
 eppn: mys...@testshib.org
 persistent-id: https://idp.testshib.org/idp/shibboleth!https://115.112.68.53/shibboleth!4Q6X4dS2MRhgTZOPTuL9ubMAcIM=
 unscoped-affiliation: Member;Staff
 
 Here are my config files:
 
 <SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
           xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" clockSkew="1800">
   <ApplicationDefaults entityID="https://115.112.68.53/shibboleth"
                        REMOTE_USER="eppn">
     <Sessions lifetime="28800" timeout="3600" checkAddress="false"
               relayState="ss:mem" handlerSSL="true"
               cookieProps="; path=/; secure">
 
       <SSO entityID="https://idp.testshib.org/idp/shibboleth">
         SAML2 SAML1
       </SSO>
 
       <Logout>SAML2 Local</Logout>
 
       <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
       <Handler type="Status" Location="/Status"/>
       <Handler type="Session" Location="/Session" showAttributeValues="true"/>
       <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
     </Sessions>
 
     <Errors supportContact="root@localhost" logoLocation="/shibboleth-sp/logo.jpg"
             styleSheet="/shibboleth-sp/main.css"/>
     <MetadataProvider type="XML" uri="https://www.testshib.org/metadata/testshib-providers.xml"
                       backingFilePath="/tmp/testshib-two-idp-metadata.xml"
                       reloadInterval="18"/>
     <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
     <AttributeResolver type="Query" subjectMatch="true"/>
     <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
     <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
 
     <ApplicationOverride id="idp_2" entityID="https://115.112.68.53/shibboleth">
       <!-- <Sessions lifetime="28800" timeout="3600" checkAddress="false"
                     relayState="ss:mem" handlerSSL="false"> -->
       <Sessions lifetime="28800" timeout="3600" checkAddress="false"
                 relayState="ss:mem" handlerSSL="true" cookieProps="; path=/; secure">
 
         <!-- Triggers a login request directly to the TestShib IdP. -->
         <SSO entityID="https://idp.testshib.org/idp/shibboleth" ECP="true">
           SAML2 SAML1
         </SSO>
         <Logout>SAML2 Local</Logout>
       </Sessions>
       <MetadataProvider type="XML" uri="https://www.testshib.org/metadata/testshib-providers.xml"
                         backingFilePath="/tmp/testshib-two-idp-metadata.xml"
                         reloadInterval="18"/>
     </ApplicationOverride>
   </ApplicationDefaults>
   <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
   <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
 </SPConfig>
 
 keystone-httpd:
 WSGIDaemonProcess keystone user=keystone group=nogroup processes=3 threads=10
 #WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/keystone/main/$1
 WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ /var/www/cgi-bin/keystone/main/$1
 
 <VirtualHost *:5000>
 LogLevel  info
 ErrorLog  /var/log/keystone/keystone-apache-error.log
 CustomLog /var/log/keystone/ssl_access.log combined
 Options +FollowSymLinks
 
 SSLEngine on
 #SSLCertificateFile /etc/ssl/certs/mycert.pem
 #SSLCertificateKeyFile /etc/ssl/private/mycert.key
 SSLCertificateFile /etc/apache2/ssl/server.crt
 SSLCertificateKeyFile /etc/apache2/ssl/server.key
 SSLVerifyClient optional
 SSLVerifyDepth 10
 SSLProtocol all -SSLv2
 SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
 SSLOptions +StdEnvVars +ExportCertData
 
 WSGIScriptAlias /  /var/www/cgi-bin/keystone/main

Re: [openstack-dev] Need help in configuring keystone

2015-03-04 Thread Akshik DBK
Hi Steve,
Here are the log details:

==> /var/log/shibboleth/shibd.log <==
2015-03-04 14:36:05 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:0.9.2342.19200300.100.1.1
2015-03-04 14:36:05 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.5.4.4
2015-03-04 14:36:05 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.5.4.3
2015-03-04 14:36:05 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.5.4.20
2015-03-04 14:36:05 INFO Shibboleth.SessionCache [2]: new session created: ID (_ee18a916d4e7e7adbc34f55c010695a4) IdP (https://idp.testshib.org/idp/shibboleth) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (121.243.33.212)

==> /var/log/keystone/keystone-apache-error.log <==
[Wed Mar 04 14:36:05 2015] [info] Subsequent (No.8) HTTPS request received for child 7 (server 10.1.193.250:5000)
[Wed Mar 04 14:36:09 2015] [info] Subsequent (No.9) HTTPS request received for child 7 (server 10.1.193.250:5000)

==> /var/log/shibboleth/shibd.log <==
2015-03-04 14:36:09 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:0.9.2342.19200300.100.1.1
2015-03-04 14:36:09 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.5.4.4
2015-03-04 14:36:09 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.5.4.3
2015-03-04 14:36:09 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.5.4.20
2015-03-04 14:36:09 INFO Shibboleth.SessionCache [2]: new session created: ID (_10d6c414a9f198b6601b5d4f36a9057a) IdP (https://idp.testshib.org/idp/shibboleth) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (121.243.33.212)

==> /var/log/keystone/keystone-apache-error.log <==
[Wed Mar 04 14:36:09 2015] [info] Subsequent (No.10) HTTPS request received for child 7 (server 10.1.193.250:5000)
[Wed Mar 04 14:36:14 2015] [info] [client 121.243.33.212] (70007)The timeout specified has expired: SSL input filter read failed.
[Wed Mar 04 14:36:14 2015] [info] [client 121.243.33.212] Connection closed to child 7 with standard shutdown (server 10.1.193.250:5000)

Re: [openstack-dev] Need help in configuring keystone

2015-03-03 Thread Akshik DBK
SSLVerifyClient optional
SSLVerifyDepth 10
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLOptions +StdEnvVars +ExportCertData

WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
WSGIProcessGroup keystone
</VirtualHost>

wsgi-keystone:
WSGIScriptAlias /keystone/main  /var/www/cgi-bin/keystone/main
WSGIScriptAlias /keystone/admin  /var/www/cgi-bin/keystone/admin

<Location /keystone>
# NSSRequireSSL
SSLRequireSSL
Authtype none
</Location>

<Location /Shibboleth.sso>
#SetHandler shib
Require all granted
</Location>

<Location /v3/OS-FEDERATION/identity_providers/idp_1/protocols/saml2/auth>
ShibRequestSetting requireSession 1
ShibRequestSetting applicationId idp_1
AuthType shibboleth
ShibRequireAll On
ShibRequireSession On
ShibExportAssertion Off
Require valid-user
</Location>

<Location /v3/OS-FEDERATION/identity_providers/idp_2/protocols/saml2/auth>
ShibRequestSetting requireSession 1
ShibRequestSetting applicationId idp_2
AuthType shibboleth
ShibRequireAll On
ShibRequireSession On
ShibExportAssertion Off
Require valid-user
</Location>

Regards,
Akshik


Re: [openstack-dev] Need help in configuring keystone

2015-03-02 Thread Fargetta Marco
Hi Akshik, 

If you look at the log you find these lines: 

2015-02-27 22:36:38 CRIT Shibboleth.Application : no MetadataProvider 
available, configuration is probably unusable
2015-02-27 22:36:38 INFO Shibboleth.Application : no TrustEngine specified or 
installed, using default chain {ExplicitKey, PKIX}
2015-02-27 22:36:38 INFO Shibboleth.Application : building AttributeExtractor 
of type XML... 

It seems there is a problem with your shibboleth2.xml. Check it against a 
working one, or try to increase the log verbosity to figure out the problem. 

Marco 

Re: [openstack-dev] Need help in configuring keystone

2015-03-02 Thread Marek Denis

Akshik,

When you are beginning an adventure with saml, shibboleth and so on, 
it's helpful to start with fetching auto-generated shibboleth2.xml file 
from testshib.org . This should cover most of your use-cases, at least 
in the testing environment.


Marek



__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] Need help in configuring keystone

2015-02-28 Thread Akshik DBK



Hi Marco,
Did you get a chance to look at the logs?
Regards,
Akshik

Re: [openstack-dev] Need help in configuring keystone

2015-02-27 Thread Akshik DBK
Hi Marco,
Thanks for responding. I've cleared the log file and have restarted the shibd 
service.
The metadata file got created; I've attached the log file and metadata file as 
well.
Regards,
Akshik

Re: [openstack-dev] Need help in configuring keystone

2015-02-27 Thread Marco Fargetta
Hi Akshik,

The metadata error is in your SP; if the error were on testshib you
should not be redirected back after the login. Maybe there is a configuration
problem with shibboleth. Try to restart the service and look at the shibboleth logs.
Check also that the metadata of testshib are downloaded correctly, because from the 
error it seems you do not have the metadata of testshib.

Cheers,
Marco

On Fri, Feb 27, 2015 at 06:39:30PM +0530, Akshik DBK wrote:
 Hi Marek,
 I've registered with testshib. This is the keystone-apache-error.log log I get: 
 [error] [client 121.243.33.212] No MetadataProvider available., referer: 
 https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO
 
 From: aks...@outlook.com
 To: openstack-dev@lists.openstack.org
 Date: Fri, 27 Feb 2015 15:56:57 +0530
 Subject: [openstack-dev] Need help in configuring keystone
 
 Hi, I'm new to SAML, trying to integrate keystone with SAML. I'm using Ubuntu 
 12.04 with Icehouse and I'm following http://docs.openstack.org/developer/k... 
 When I'm trying to configure keystone with two idp, when I access 
 https://MYSERVER:5000/v3/OS-FEDERATIO... it gets redirected to testshib.org; 
 it prompts for username and password, and when the same is given I'm getting 
 shibsp::ConfigurationException at ( https://MYSERVER:5000/Shibboleth.sso/... ) 
 No MetadataProvider available.
 
 Here is my shibboleth2.xml content:
 
 <SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
           xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
           xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
           xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
           xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
           clockSkew="180">
 
   <ApplicationDefaults entityID="https://MYSERVER:5000/Shibboleth">
     <Sessions lifetime="28800" timeout="3600" checkAddress="false" 
               relayState="ss:mem" handlerSSL="false">
       <SSO entityID="https://idp.testshib.org/idp/shibboleth" ECP="true">
         SAML2 SAML1
       </SSO>
 
       <Logout>SAML2 Local</Logout>
 
       <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
       <Handler type="Status" Location="/Status"/>
       <Handler type="Session" Location="/Session" showAttributeValues="false"/>
       <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
     </Sessions>
 
     <Errors supportContact="root@localhost"
             logoLocation="/shibboleth-sp/logo.jpg"
             styleSheet="/shibboleth-sp/main.css"/>
 
     <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
     <AttributeResolver type="Query" subjectMatch="true"/>
     <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
     <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
 
     <ApplicationOverride id="idp_1" entityID="https://MYSERVER:5000/Shibboleth">
 
       <Sessions lifetime="28800" timeout="3600" checkAddress="false"
                 relayState="ss:mem" handlerSSL="false">
         <SSO entityID="https://portal4.mss.internalidp.com/idp/shibboleth" ECP="true">
           SAML2 SAML1
         </SSO>
         <Logout>SAML2 Local</Logout>
       </Sessions>
 
       <MetadataProvider type="XML" uri="https://portal4.mss.internalidp.com/idp/shibboleth"
                         backingFilePath="/tmp/tata.xml" reloadInterval="18"/>
     </ApplicationOverride>
 
     <ApplicationOverride id="idp_2" entityID="https://MYSERVER:5000/Shibboleth">
       <Sessions lifetime="28800" timeout="3600" checkAddress="false"
                 relayState="ss:mem" handlerSSL="false">
         <SSO entityID="https://idp.testshib.org/idp/shibboleth" ECP="true">
           SAML2 SAML1
         </SSO>
 
         <Logout>SAML2 Local</Logout>
       </Sessions>
 
       <MetadataProvider type="XML" uri="https://idp.testshib.org/idp/shibboleth"
                         backingFilePath="/tmp/testshib.xml" reloadInterval="18"/>
     </ApplicationOverride>
   </ApplicationDefaults>
 
   <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
   <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
 </SPConfig>
 
 Here is my wsgi-keystone:
 
 WSGIScriptAlias /keystone/main  /var/www/cgi-bin/keystone/main
 WSGIScriptAlias /keystone/admin  /var/www/cgi-bin/keystone/admin
 
 <Location /keystone>
 # NSSRequireSSL
 SSLRequireSSL
 Authtype none
 </Location>
 
 <Location /Shibboleth.sso>
 SetHandler shib
 </Location>
 
 <Location /v3/OS-FEDERATION/identity_providers/idp_1/protocols/saml2/auth>
 ShibRequestSetting requireSession 1
 ShibRequestSetting applicationId idp_1
 AuthType shibboleth
 ShibRequireAll On
 ShibRequireSession On
 ShibExportAssertion Off
 Require valid-user
 </Location>
 
 <Location /v3/OS-FEDERATION/identity_providers/idp_2/protocols/saml2/auth>
 ShibRequestSetting requireSession 1
 ShibRequestSetting applicationId idp_2
 AuthType shibboleth
 ShibRequireAll On
 ShibRequireSession On
 
Re: [openstack-dev] Need help in configuring keystone

2015-02-27 Thread Marek Denis

Hi again,

Did you upload Metadata generated by your Service Provider (Keystone) to 
testshib Identity Providers?

How did you generate /etc/shibboleth2/shibboleth2.xml file?

Did you read http://testshib.org/register.html ?

cheers,

Marek



Re: [openstack-dev] Need help in configuring keystone

2015-02-27 Thread Akshik DBK
Hi,
I did upload the Metadata generated by keystone by accessing 
https://115.112.68.53:5000/Shibboleth.sso/Metadata
I have attached a copy of it, and did upload it to 
http://testshib.org/register.html
Regards,
Akshik



Re: [openstack-dev] Need help in configuring keystone

2015-02-27 Thread Marek Denis

Hi Akshik,

Did you upload your Metadata file to the testshib server?
You are advised to follow steps starting from here: 
http://testshib.org/register.html


For the record, Keystone will act here as a Service Provider, so you 
need to follow the testshib docs/tutorials for setting up your SP (Service Provider).


Let me know if that was your issue.
If not, more detailed steps of how you configured your Keystone 
acting as a Service Provider would be helpful.


Marek Denis

On 27.02.2015 11:26, Akshik DBK wrote:


Hi, I'm new to SAML and trying to integrate Keystone with SAML. I'm using 
Ubuntu 12.04 with Icehouse.

I'm following 
http://docs.openstack.org/developer/keystone/extensions/shibboleth.html

When I'm trying to configure Keystone with two IdPs, and I access 
https://myserver:5000/v3/OS-FEDERATION/identity_providers/idp_2/protocols/saml2/auth

it gets redirected to http://testshib.org/, which prompts for a username 
and password; when those are given I'm getting

shibsp::ConfigurationException at 
(https://myserver:5000/Shibboleth.sso/SAML2/POST) No 
MetadataProvider available.

Here is my shibboleth2.xml content:

<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
          xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
          clockSkew="180">

    <ApplicationDefaults entityID="https://MYSERVER:5000/Shibboleth">
        <Sessions lifetime="28800" timeout="3600" checkAddress="false"
                  relayState="ss:mem" handlerSSL="false">
            <SSO entityID="https://idp.testshib.org/idp/shibboleth" ECP="true">
                SAML2 SAML1
            </SSO>

            <Logout>SAML2 Local</Logout>

            <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
            <Handler type="Status" Location="/Status"/>
            <Handler type="Session" Location="/Session" showAttributeValues="false"/>
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
        </Sessions>

        <Errors supportContact="root@localhost"
                logoLocation="/shibboleth-sp/logo.jpg"
                styleSheet="/shibboleth-sp/main.css"/>

        <AttributeExtractor type="XML" validate="true" path="attribute-map.xml"/>
        <AttributeResolver type="Query" subjectMatch="true"/>
        <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
        <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>

        <ApplicationOverride id="idp_1" entityID="https://MYSERVER:5000/Shibboleth">
            <Sessions lifetime="28800" timeout="3600" checkAddress="false"
                      relayState="ss:mem" handlerSSL="false">
                <SSO entityID="https://portal4.mss.internalidp.com/idp/shibboleth" ECP="true">
                    SAML2 SAML1
                </SSO>
                <Logout>SAML2 Local</Logout>
            </Sessions>

            <MetadataProvider type="XML" uri="https://portal4.mss.internalidp.com/idp/shibboleth"
                              backingFilePath="/tmp/tata.xml" reloadInterval="18"/>
        </ApplicationOverride>

        <ApplicationOverride id="idp_2" entityID="https://MYSERVER:5000/Shibboleth">
            <Sessions lifetime="28800" timeout="3600" checkAddress="false"
                      relayState="ss:mem" handlerSSL="false">
                <SSO entityID="https://idp.testshib.org/idp/shibboleth" ECP="true">
                    SAML2 SAML1
                </SSO>
                <Logout>SAML2 Local</Logout>
            </Sessions>

            <MetadataProvider type="XML" uri="https://idp.testshib.org/idp/shibboleth"
                              backingFilePath="/tmp/testshib.xml" reloadInterval="18"/>
        </ApplicationOverride>
    </ApplicationDefaults>

    <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>
    <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>
</SPConfig>

Here is my wsgi-keystone:

WSGIScriptAlias /keystone/main /var/www/cgi-bin/keystone/main
WSGIScriptAlias /keystone/admin /var/www/cgi-bin/keystone/admin

<Location /keystone>
    # NSSRequireSSL
    SSLRequireSSL
    AuthType none
</Location>

<Location /Shibboleth.sso>
    SetHandler shib
</Location>

<Location /v3/OS-FEDERATION/identity_providers/idp_1/protocols/saml2/auth>
    ShibRequestSetting requireSession 1
    ShibRequestSetting applicationId idp_1
    AuthType shibboleth
    ShibRequireAll On
    ShibRequireSession On
    ShibExportAssertion Off
    Require valid-user
</Location>

<Location /v3/OS-FEDERATION/identity_providers/idp_2/protocols/saml2/auth>
    ShibRequestSetting requireSession 1
    ShibRequestSetting applicationId idp_2
    AuthType shibboleth
    ShibRequireAll On
    ShibRequireSession On
    ShibExportAssertion Off
    Require valid-user
</Location>
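Added example, not code from this thread or from the Keystone or Shibboleth projects: a small Python lint that applies the Shibboleth SP inheritance rule (an ApplicationOverride uses a child element it declares itself and otherwise inherits the one from ApplicationDefaults) to a condensed copy of the shibboleth2.xml posted above. That file declares a MetadataProvider only inside the overrides, so the default application has none. The posted Apache config maps only the two .../saml2/auth paths to idp_1 and idp_2 and leaves /Shibboleth.sso unmapped, so the working assumption here is that the POST to /Shibboleth.sso/SAML2/POST runs under the default application, which is the condition the SP reports as "No MetadataProvider available". The lint also flags handlerSSL="false" and a session cookie without the Secure flag, and it flags any MetadataProvider that has no Signature filter, since metadata fetched without a signature check is trusted on the strength of the TLS connection alone. The "corrected" document, its certificate file names and the /var/cache location are assumptions, not anything from the thread.

```python
import xml.etree.ElementTree as ET

NS = {"c": "urn:mace:shibboleth:2.0:native:sp:config"}

# Constructed, condensed copy of the posted shibboleth2.xml: the only
# MetadataProvider sits inside the override, every Sessions element has
# handlerSSL="false" and no cookieProps is set.
BROKEN = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" clockSkew="180">
  <ApplicationDefaults entityID="https://MYSERVER:5000/Shibboleth">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="false">
      <SSO entityID="https://idp.testshib.org/idp/shibboleth" ECP="true">SAML2 SAML1</SSO>
    </Sessions>
    <ApplicationOverride id="idp_2" entityID="https://MYSERVER:5000/Shibboleth">
      <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem" handlerSSL="false">
        <SSO entityID="https://idp.testshib.org/idp/shibboleth" ECP="true">SAML2 SAML1</SSO>
      </Sessions>
      <MetadataProvider type="XML" uri="https://idp.testshib.org/idp/shibboleth"
                        backingFilePath="/tmp/testshib.xml" reloadInterval="18"/>
    </ApplicationOverride>
  </ApplicationDefaults>
</SPConfig>"""

# Assumed corrected variant (not from the thread): metadata is declared in
# ApplicationDefaults so the default application has it too, handlers are
# TLS-only, the cookie is Secure/HttpOnly, and each MetadataProvider demands
# a valid signature. Certificate paths and /var/cache are assumptions.
FIXED = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" clockSkew="180">
  <ApplicationDefaults entityID="https://MYSERVER:5000/Shibboleth">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem"
              handlerSSL="true" cookieProps="; path=/; secure; HttpOnly">
      <SSO entityID="https://idp.testshib.org/idp/shibboleth">SAML2</SSO>
    </Sessions>
    <MetadataProvider type="XML" uri="https://idp.testshib.org/idp/shibboleth"
                      backingFilePath="/var/cache/shibboleth/testshib.xml" reloadInterval="1800">
      <MetadataFilter type="Signature" certificate="/etc/shibboleth/testshib-signing.pem"/>
    </MetadataProvider>
    <ApplicationOverride id="idp_1">
      <Sessions lifetime="28800" timeout="3600" checkAddress="false" relayState="ss:mem"
                handlerSSL="true" cookieProps="; path=/; secure; HttpOnly">
        <SSO entityID="https://portal4.mss.internalidp.com/idp/shibboleth">SAML2</SSO>
      </Sessions>
      <MetadataProvider type="XML" uri="https://portal4.mss.internalidp.com/idp/shibboleth"
                        backingFilePath="/var/cache/shibboleth/idp_1.xml" reloadInterval="1800">
        <MetadataFilter type="Signature" certificate="/etc/shibboleth/idp_1-signing.pem"/>
      </MetadataProvider>
    </ApplicationOverride>
  </ApplicationDefaults>
</SPConfig>"""


def _own_or_inherited(defaults, override, tag):
    """Override's own element if it declares one, else the ApplicationDefaults one."""
    if override is not None:
        own = override.find("c:" + tag, NS)
        if own is not None:
            return own
    return defaults.find("c:" + tag, NS)


def lint(xml_text):
    """Return [(application id, finding)] for the default application and
    every ApplicationOverride in a shibboleth2.xml document."""
    root = ET.fromstring(xml_text)
    defaults = root.find("c:ApplicationDefaults", NS)
    apps = [("default", None)]
    apps += [(ov.get("id"), ov) for ov in defaults.findall("c:ApplicationOverride", NS)]
    findings = []
    for app_id, override in apps:
        mp = _own_or_inherited(defaults, override, "MetadataProvider")
        if mp is None:
            # This is the condition the SP reports as "No MetadataProvider
            # available" for whichever application the handler request maps to.
            findings.append((app_id, "no MetadataProvider in scope"))
        elif mp.find("c:MetadataFilter[@type='Signature']", NS) is None:
            findings.append((app_id, "IdP metadata accepted without signature check"))
        sessions = _own_or_inherited(defaults, override, "Sessions")
        if sessions is None:
            continue
        if sessions.get("handlerSSL", "true").lower() == "false":
            findings.append((app_id, "handlerSSL=false allows SAML responses over plain HTTP"))
        props = sessions.get("cookieProps", "").lower()
        if props != "https" and "secure" not in props:  # "https" is the SP shorthand
            findings.append((app_id, "session cookie not marked Secure"))
    return findings


if __name__ == "__main__":
    for label, doc in (("posted config", BROKEN), ("corrected config", FIXED)):
        print(label + ":", lint(doc) or "clean")
```

Point the lint at a real /etc/shibboleth/shibboleth2.xml by reading the file into `lint()`. The Signature filter only helps if the signing certificate is obtained out of band from the IdP or federation operator; that certificate, not the HTTPS connection to the metadata URL, is what anchors trust in the IdP's keys.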