GET /OS-FEDERATION/saml2/metadata does not work

Bug #1384382 reported by Rodrigo Duarte on 2014-10-22
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Lance Bragstad

Bug Description

In Kestone-to-Keystone federation, the metadata from Keystone Identity Provider needs to be exchanged with the Keystone Service Provider. This is done via the GET /OS-FEDERATION/saml2/metadata endpoint, which is returning an internal server error (500).

Looking in the log files, seems that keystone.middleware.core is trying to parse the XML body into JSON, which fails:

2014-10-22 18:15:32.177590 20576 DEBUG keystone.common.wsgi [-] arg_dict: {} __call__ /opt/stack/keystone/keystone/common/
2014-10-22 18:15:32.184124 20576 ERROR keystone.middleware.core [-] Serializer failed
2014-10-22 18:15:32.184148 20576 TRACE keystone.middleware.core Traceback (most recent call last):
2014-10-22 18:15:32.184155 20576 TRACE keystone.middleware.core File "/opt/stack/keystone/keystone/middleware/", line 183, in process_response
2014-10-22 18:15:32.184168 20576 TRACE keystone.middleware.core body_obj = jsonutils.loads(response.body)
2014-10-22 18:15:32.184185 20576 TRACE keystone.middleware.core File "/usr/local/lib/python2.7/dist-packages/oslo/serialization/", line 211, in loads
2014-10-22 18:15:32.184194 20576 TRACE keystone.middleware.core return json.loads(encodeutils.safe_decode(s, encoding), **kwargs)
2014-10-22 18:15:32.184201 20576 TRACE keystone.middleware.core File "/usr/lib/python2.7/json/", line 338, in loads
2014-10-22 18:15:32.184207 20576 TRACE keystone.middleware.core return _default_decoder.decode(s)
2014-10-22 18:15:32.184213 20576 TRACE keystone.middleware.core File "/usr/lib/python2.7/json/", line 366, in decode
2014-10-22 18:15:32.184220 20576 TRACE keystone.middleware.core obj, end = self.raw_decode(s, idx=_w(s, 0).end())
2014-10-22 18:15:32.184226 20576 TRACE keystone.middleware.core File "/usr/lib/python2.7/json/", line 384, in raw_decode
2014-10-22 18:15:32.184232 20576 TRACE keystone.middleware.core raise ValueError("No JSON object could be decoded")
2014-10-22 18:15:32.184238 20576 TRACE keystone.middleware.core ValueError: No JSON object could be decoded
2014-10-22 18:15:32.184244 20576 TRACE keystone.middleware.core
2014-10-22 18:15:32.184740 20576 WARNING keystone.common.wsgi [-] <?xml version='1.0' encoding='UTF-8'?>
2014-10-22 18:15:32.184765 <ns0:EntityDescriptor xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ns1="" entityID="http://localhost:5000/v3/OS-FEDERATION/saml2/idp"><ns0:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><ns0:KeyDescriptor use="signing"><ns1:KeyInfo><ns1:X509Data><ns1:X509Certificate>...</ns1:X509Certificate></ns1:X509Data></ns1:KeyInfo></ns0:KeyDescriptor><ns0:Organization><ns0:OrganizationName xml:lang="en">rodrigods</ns0:OrganizationName><ns0:OrganizationDisplayName xml:lang="en">rodrigods</ns0:OrganizationDisplayName><ns0:OrganizationURL xml:lang="en">localhost</ns0:OrganizationURL></ns0:Organization><ns0:ContactPerson contactType="technical"><ns0:Company>rodrigods</ns0:Company><ns0:GivenName>Rodrigo</ns0:GivenName><ns0:SurName>Duarte</ns0:SurName><ns0:EmailAddress><email address hidden></ns0:EmailAddress><ns0:TelephoneNumber>555-55-5555</ns0:TelephoneNumber></ns0:ContactPerson><ns0:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</ns0:NameIDFormat><ns0:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI" Location="http://localhost:5000/v3/OS-FEDERATION/saml2/sso" /></ns0:IDPSSODescriptor></ns0:EntityDescriptor>

Changed in keystone:
assignee: nobody → Rodrigo Duarte (rodrigodsousa)
description: updated
description: updated
Revision history for this message
Rodrigo Duarte (rodrigodsousa) wrote :

here are some possible solutions:

In keystone.middleware.core.XmlBodyMiddleware, we can try to use serializer.from_xml() to check if the body is already a XML file. Or we can use serializer.from_xml() in keystone.contrib.federation.controllers.SAMLMetadataV3 to parse the metadata body before calling wsgi.render_response().

Any thoughts?

Revision history for this message
Rodrigo Duarte (rodrigodsousa) wrote :

Just noticed XmlBodyMiddleware is marked for deprecation in Kilo. Waiting for suggestions than =)

Revision history for this message
Lance Bragstad (lbragstad) wrote :

Here is the patch for removing XML support in Kilo.

Revision history for this message
Lance Bragstad (lbragstad) wrote :

... helps to include a link to the patch:

Revision history for this message
Rodrigo Duarte (rodrigodsousa) wrote :

Applying the Xml removal patch, it breaks in the AuthContextMiddleware:

Log file message: 2014-10-23 20:31:06.050548 27643 DEBUG keystone.middleware.core [-] Auth token not in the request header. Will not build auth context. process_request keystone/keystone/middleware/

Revision history for this message
Rodrigo Duarte (rodrigodsousa) wrote :

Missed one config in federation_extension that was causing the issue after aplying the Xml patch. With everything properly set up, it worked!

Changed in keystone:
assignee: Rodrigo Duarte (rodrigodsousa) → Lance Bragstad (lbragstad)
status: New → In Progress
Changed in keystone:
importance: Undecided → High
Revision history for this message
Lance Bragstad (lbragstad) wrote :

The solution for this bug is under review here:

That patch wasn't linked to launchpad for some reason.

Changed in keystone:
assignee: Lance Bragstad (lbragstad) → Dolph Mathews (dolph)
Dolph Mathews (dolph) on 2014-12-02
Changed in keystone:
assignee: Dolph Mathews (dolph) → Lance Bragstad (lbragstad)
Changed in keystone:
assignee: Lance Bragstad (lbragstad) → Steve Martinelli (stevemar)
Changed in keystone:
assignee: Steve Martinelli (stevemar) → Lance Bragstad (lbragstad)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Submitter: Jenkins
Branch: master

commit 4fdaab3b975f3c5f9ada7cd8e0621628fee38b70
Author: Lance Bragstad <email address hidden>
Date: Thu Oct 2 18:49:37 2014 +0000

    Remove XML support

    XML support has been deprecated for the last two releases, staged to be
    removed in Kilo.

    implements bp removed-as-of-kilo
    Closes-Bug: #1384382
    Closes-Bug: #1384789

    Change-Id: I95761267b6c0f3052bc52deda6d56fc4b713ea6b

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2014-12-17
Changed in keystone:
milestone: none → kilo-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2015-04-30
Changed in keystone:
milestone: kilo-1 → 2015.1.0
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (master)

Change abandoned by Brant Knudson (<email address hidden>) on branch: master
Reason: With merged there's no need for this.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers