xmlsec1 error output is not logged

Bug #1468544 reported by Miguel Grinberg
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Wishlist
Assigned to: Hugh Saunders

Bug Description

While trying to implement federation, I was getting code 500 errors when trying to get a SAML assertion from a Keystone instance configured as identity provider. This is what the Keystone log showed:

    2015-06-24 21:54:46.454 13569 INFO keystone.common.wsgi [-] POST http://172.29.236.100:5000/v3/auth/OS-FEDERATION/saml2/ecp
    2015-06-24 21:54:46.482 13569 ERROR keystone.contrib.federation.idp [-] Error when signing assertion, reason: Command '['xmlsec1', '--sign', '--privkey-pem', '/etc/ssl/private/signing_key.pem,/etc/ssl/certs/signing_cert.pem', '--id-attr:ID', 'Assertion', '/tmp/tmpfXz0D4']' returned non-zero exit status 1
    2015-06-24 21:54:46.482 13569 WARNING keystone.common.wsgi [-] An unexpected error prevented the server from fulfilling your request.

So this was not very useful. Running the xmlsec1 command from the terminal worked fine, so it was not immediately clear what the problem was.

I would like to suggest that the stderr output from xmlsec1 is added to the log when the command fails, to help in troubleshooting this type of problem. I did not see a way to get that output without editing the Keystone source code.

Once I added the stderr to the log, it was easy to figure out what the problem was: the permissions on the private key directory were not compatible with the account under which the xmlsec1 process was executed.
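The pattern the report asks for, as an added example that is not Keystone's code and not the fix from the review linked below: run the external signing command with stderr captured, log that stderr together with the exit status when the command fails, and check the key and certificate paths are readable before starting the subprocess at all. The helper names (run_signing_command, check_key_readable, fake_signing_command) and the stand-in command that plays the part of xmlsec1 are constructed for this demonstration; the logged stderr is the tool's own diagnostic text, while the command line itself only carries file paths, not key material.

```python
"""Surface a failing subprocess's stderr in the log instead of discarding it.

Added example; helper names and the fake xmlsec1 stand-in are assumptions
made for the demo, not Keystone's implementation.
"""
import logging
import os
import subprocess
import sys

LOG = logging.getLogger(__name__)


class SigningError(Exception):
    """Raised when the external signing command exits non-zero."""


def check_key_readable(*paths):
    """Return the paths the current process cannot read.

    A key directory whose permissions do not match the service account was
    the actual cause in the report above, so a preflight check lets the
    service log a precise message before the signing tool is even started.
    """
    return [p for p in paths if not os.access(p, os.R_OK)]


def run_signing_command(cmd):
    """Run cmd and return its stdout as text.

    check_call() only reports "returned non-zero exit status N"; here the
    command's stderr is captured, written to the log on failure and carried
    in the raised SigningError so callers can act on it too.
    """
    proc = subprocess.run(
        cmd,
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
        universal_newlines=True,  # decode pipes as text
    )
    if proc.returncode != 0:
        stderr = proc.stderr.strip()
        LOG.error(
            "Command %r returned non-zero exit status %d, stderr:\n%s",
            cmd, proc.returncode, stderr,
        )
        raise SigningError(
            "signing command failed (exit %d): %s" % (proc.returncode, stderr)
        )
    return proc.stdout


def fake_signing_command(stderr_text, exit_code):
    """Build a stand-in for xmlsec1 (constructed for the demo).

    The returned command is a Python one-liner that writes 'signed' to
    stdout, stderr_text to stderr and exits with exit_code, so the example
    runs offline on any machine without xmlsec1 installed.
    """
    script = (
        "import sys; sys.stdout.write('signed\\n'); "
        "sys.stderr.write(%r); sys.exit(%d)" % (stderr_text, exit_code)
    )
    return [sys.executable, "-c", script]


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed diagnostic text standing in for what xmlsec1 would print.
    failing = fake_signing_command(
        "func=xmlSecOpenSSLAppKeyLoad: cannot open key file\n", 1)
    try:
        run_signing_command(failing)
    except SigningError as exc:
        print("caught:", exc)
    print(run_signing_command(fake_signing_command("", 0)).strip())
```

With the failing stand-in the log now carries the tool's own diagnostic line rather than only the exit status, which is what turned a bare 500 into a diagnosable permissions problem in the report.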

Revision history for this message
Morgan Fainberg (mdrnstm) wrote :

The only question I have with regards to this request is if there are any secure bits that could leak to the logs.

I agree we should probably provide the stderr output *if* there is an issue with XMLsec1

Changed in keystone:
status: New → Triaged
importance: Undecided → Wishlist
Dolph Mathews (dolph)
tags: added: federation
tags: added: user-experience
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/202477

Changed in keystone:
assignee: nobody → Hugh Saunders (hughsaunders)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/202477
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=bcde2ff191c54819ff4c9cd263345be8d0604c9f
Submitter: Jenkins
Branch: master

commit bcde2ff191c54819ff4c9cd263345be8d0604c9f
Author: Hugh Saunders <email address hidden>
Date: Thu Jul 16 10:10:22 2015 +0100

    Log xmlsec1 output if it fails

    This is to assist with debugging assertion signing issues such as
    key/cert paths or permissions.

    Change-Id: I237211298878ae14cf1084dd35f1531445aa0b2e
    Closes-Bug: #1468544

Changed in keystone:
status: In Progress → Fix Committed
Changed in keystone:
milestone: none → liberty-2
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: liberty-2 → 8.0.0