Federation Protocol saml2 fails on Rocky
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Identity (keystone) |
Triaged
|
Medium
|
Unassigned | ||
Bug Description
In previous releases when setting up federation one could do the following:
openstack federation protocol create saml2 --mapping mymapping --identity-provider myidp
Then in the keystone.conf you could add:
[auth]
methods = password,
saml2 = keystone.
That is not the case on Rocky. This will give you a 500 with the following error:
stevedore.named [-] Could not load keystone.
To work around this issue I had to delete my mapping called "saml2", remake it naming it "mapped" then update horizon, and apache configs accordingly. Then in the keystone.conf file I had to remove the "methods" line and the "saml2" line. Once I restarted apache then Federation worked as expected.
Im not sure if this is a bug or if the way I was doing it before was hanging around as legacy from when "saml2" had been removed but I couldnt find anything release notes wise about the change, and the docs examples still reference "saml2"...
| Colleen Murphy (krinkle) wrote | #1 |
| Morgan Fainberg (mdrnstm) wrote | #2 |
| Changed in keystone: | |
| status: | New → Incomplete |
| Michael Rice (michael-rice) wrote | #3 |
| Colleen Murphy (krinkle) wrote | #4 |
| Changed in keystone: | |
| status: | Incomplete → Triaged |
| importance: | Undecided → Medium |
| tags: | added: federation |
You should not need to add the `saml2 = ...` line, as saml2 is already configured as an entrypoint for the Mapped plugin: http://
This still would be useful for configuring arbitrary auth method names. I think https:/