Federation Protocol saml2 fails on Rocky
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Triaged | Medium | Unassigned |
Bug Description
In previous releases when setting up federation one could do the following:
openstack federation protocol create saml2 --mapping mymapping --identity-provider myidp
Then in the keystone.conf you could add:
[auth]
methods = password,
saml2 = keystone.
That is not the case on Rocky. This will give you a 500 with the following error:
stevedore.named [-] Could not load keystone.
To work around this issue I had to delete my mapping called "saml2", remake it naming it "mapped", then update the horizon and apache configs accordingly. Then in the keystone.conf file I had to remove the "methods" line and the "saml2" line. Once I restarted apache, federation worked as expected.
I'm not sure if this is a bug or if the way I was doing it before was hanging around as legacy from when "saml2" had been removed, but I couldn't find anything release-notes-wise about the change, and the docs examples still reference "saml2"...
tags: added: federation
You should not need to add the `saml2 = ...` line, as saml2 is already configured as an entry point for the Mapped plugin: http://git.openstack.org/cgit/openstack/keystone/tree/setup.cfg?h=14.0.0#n97
This still would be useful for configuring arbitrary auth method names. I think https://review.openstack.org/350815 is the change that removed support for this, we might want to think about reverting it.
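The report and the comment above describe the same lookup from two sides: keystone resolves each name in `[auth] methods` to a stevedore entry point, and on Rocky a legacy `saml2 = keystone.auth.plugins.mapped.Mapped` override is no longer imported as a dotted path but searched for as an entry-point name, which is what the `Could not load ...` warning reflects. The following pre-flight checker is an added example, not keystone's or stevedore's own code. It models keystone's loader as I understand it (namespace `keystone.auth.<method>`, entry-point name taken from `[auth] <method>` or `default`); the `SAMPLE_REGISTRY`, the two `keystone.conf` fragments and the `methods = password,token,saml2` list are constructed for the example, since the report's own config lines are truncated.

```python
"""Pre-flight check for keystone.conf [auth] method names (added example).

Not keystone's code. It reproduces the lookup keystone performs at startup
for every name in ``[auth] methods``: the plugin for method ``m`` is the
entry point named ``CONF.auth.<m>`` (or ``default`` when unset) in the
namespace ``keystone.auth.<m>``. Rocky dropped the fallback that imported a
dotted class path, so a legacy ``saml2 = keystone.auth.plugins.mapped.Mapped``
line makes stevedore look for an entry point literally named
``keystone.auth.plugins.mapped.Mapped`` and log ``Could not load ...``.
"""
import configparser
from importlib import metadata

# Constructed stand-in for the installed package's entry points, limited to
# the namespaces relevant here (the real list is in keystone's setup.cfg).
# Keystone registers one entry point named ``default`` per method namespace.
SAMPLE_REGISTRY = {
    "keystone.auth.password": {"default"},
    "keystone.auth.token": {"default"},
    "keystone.auth.saml2": {"default"},   # Mapped plugin under the saml2 name
    "keystone.auth.mapped": {"default"},  # same plugin under its generic name
}

# Constructed keystone.conf fragments: the pre-Rocky style and the fixed one.
LEGACY_CONF = """\
[auth]
methods = password,token,saml2
saml2 = keystone.auth.plugins.mapped.Mapped
"""

FIXED_CONF = """\
[auth]
methods = password,token,saml2
"""


def installed_registry():
    """Entry-point names per namespace from the real environment."""
    eps = metadata.entry_points()
    registry = {}
    if hasattr(eps, "select"):            # Python >= 3.10 returns EntryPoints
        for ep in eps:
            registry.setdefault(ep.group, set()).add(ep.name)
    else:                                 # Python 3.8/3.9: dict group -> list
        for group, items in eps.items():
            registry[group] = {ep.name for ep in items}
    return registry


def parse_auth(conf_text):
    """Return (methods list, {method: explicit plugin name}) from [auth]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    if not cp.has_section("auth"):
        return [], {}
    raw = cp.get("auth", "methods", fallback="")
    methods = [m.strip() for m in raw.split(",") if m.strip()]
    overrides = {k: v for k, v in cp.items("auth") if k != "methods"}
    return methods, overrides


def resolve_auth_methods(conf_text, registry=None, dotted_path_fallback=False):
    """Map each configured method to (namespace, plugin_name, found).

    ``dotted_path_fallback=True`` models the pre-Rocky behaviour that
    accepted an importable dotted path when no entry point matched.
    """
    if registry is None:
        registry = installed_registry()
    methods, overrides = parse_auth(conf_text)
    result = {}
    for m in methods:
        namespace = f"keystone.auth.{m}"
        plugin_name = overrides.get(m, "default")
        found = plugin_name in registry.get(namespace, set())
        if not found and dotted_path_fallback and "." in plugin_name:
            found = True  # old keystone would import_object() this path
        result[m] = (namespace, plugin_name, found)
    return result


def unresolvable(conf_text, registry=None, dotted_path_fallback=False):
    """Methods whose plugin keystone could not load with this config."""
    resolved = resolve_auth_methods(conf_text, registry, dotted_path_fallback)
    return [m for m, (_, _, found) in resolved.items() if not found]


if __name__ == "__main__":
    for label, conf in (("legacy", LEGACY_CONF), ("fixed", FIXED_CONF)):
        for m, (ns, name, ok) in resolve_auth_methods(conf, SAMPLE_REGISTRY).items():
            print(f"{label:6s} {m:8s} -> {ns}:{name}  {'ok' if ok else 'MISSING'}")
```

Run against a real deployment, call `unresolvable(open('/etc/keystone/keystone.conf').read())` with no registry argument so the installed entry points are used; an empty list means every configured method resolves and the 500 from the report cannot come from this lookup.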