I have two questions:
(1) when accessing the IdP, the certificate is wrong
(2) the access flow has some problems; the last response is not JSON, it's XML
The federated identity document doesn't use a certificate, but I got a lot of problems. When I get Shibboleth's metadata, I found I can't use the default controller:5000; I got a 404 error. So I use SSL, change 5000 to 443, and then https://controller/Shibboleth.sso/Metadata works.
I execute these commands:
export OS_CACERT=/etc/keystone/ssl/ca.crt
export OS_AUTH_TYPE=v3samlpassword
export OS_IDENTITY_PROVIDER=samltest
export OS_IDENTITY_PROVIDER_URL=https://samltest.id/idp/profile/SAML2/SOAP/ECP
export OS_PROTOCOL=saml2
export OS_USERNAME=morty
export OS_PASSWORD=panic
export OS_AUTH_URL=https://controller/v3
export OS_IDENTITY_API_VERSION=3
openstack federation project list
but it doesn't work well.
It first accesses
https://controller:443 "GET /v3/OS-FEDERATION/identity_providers/samltest/protocols/saml2/auth HTTP/1.1" 302 424
then redirects to
https://samltest.id:443 "GET /saml/idp?entityID=https%3A%2F%2Fcontroller%2Fshibboleth&return=https%3A%2F%2Fcontroller%2FShibboleth.sso%2FLogin%3FSAMLDS%3D1%26target%3Dss%253Amem%253A21db77b874f0794ffbb617149c260a0bf11ca1655154d63eba78247fa7e1e7ee HTTP/1.1" 200 7458
When I change verify=None it returns 200; if not, it returns an SSL verification error. I think this is a bug: it doesn't work well when I set SSL on.
I don't know the process of this feature. The diagram in the document is not the same as the process I meet.
The mellon process is like this:
Starting new HTTP connection (1): controller:5000
http://controller:5000 "GET /v3/OS-FEDERATION/identity_providers/samltest/protocols/saml2/auth HTTP/1.1" 200 3565
Starting new HTTPS connection (1): samltest.id:443
https://samltest.id:443 "POST /idp/profile/SAML2/SOAP/ECP HTTP/1.1" 200 None
http://controller:5000 "POST /v3/OS-FEDERATION/identity_providers/samltest/protocols/saml2/auth/mellon/paosResponse HTTP/1.1" 303 438
Starting new HTTP connection (2): controller:5000
http://controller:5000 "GET /v3/mellon/login?ReturnTo=http%3A%2F%2Fcontroller%3A5000%2Fv3%2FOS%2DFEDERATION%2Fidentity_providers%2Fsamltest%2Fprotocols%2Fsaml2%2Fauth%2Fmellon%2FpaosResponse&IdP=https%3A%2F%2Fsamltest.id%2Fsaml%2Fidp HTTP/1.1" 303 1460
I have worked with federated identity for a week, but it didn't work.
I have read the 8 SAML docs; they are difficult to understand and were no help in solving the problems.
Who can help me? Any advice or knowledge about what I came across?
If anyone can help clear up the whole flow, many thanks.
Whoever has successfully configured this feature, I wish you would send me the access flow (use --debug).
Thank you very much for reading!!!
Starting new HTTPS connection (1): controller:443
https://controller:443 "GET /v3/OS-FEDERATION/identity_providers/samltest/protocols/saml2/auth HTTP/1.1" 302 424
RESP: [302] Cache-Control: private,no-store,no-cache,max-age=0 Connection: Keep-Alive Content-Length: 424 Content-Type: text/html; charset=iso-8859-1 Date: Mon, 12 Sep 2022 13:37:07 GMT Expires: Wed, 01 Jan 1997 12:00:00 GMT Keep-Alive: timeout=5, max=100 Location: https://samltest.id/saml/idp?entityID=https%3A%2F%2Fcontroller%2Fshibboleth&return=https%3A%2F%2Fcontroller%2FShibboleth.sso%2FLogin%3FSAMLDS%3D1%26target%3Dss%253Amem%253A21db77b874f0794ffbb617149c260a0bf11ca1655154d63eba78247fa7e1e7ee Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_wsgi/3.4 Python/2.7.5
RESP BODY: Omitted, Content-Type is set to text/html; charset=iso-8859-1. Only application/json responses have their bodies logged.
> /usr/lib/python2.7/site-packages/keystoneauth1/session.py(1000)_send_request()
-> resp = self.session.request(method, url, **kwargs)
(Pdb) s
--Call--
> /usr/lib/python2.7/site-packages/requests/sessions.py(466)request()
-> def request(self, method, url,
(Pdb) p verify
'/etc/keystone/ssl/ca.crt'
(Pdb) verify=None
(Pdb) c
Starting new HTTPS connection (1): samltest.id:443
https://samltest.id:443 "GET /saml/idp?entityID=https%3A%2F%2Fcontroller%2Fshibboleth&return=https%3A%2F%2Fcontroller%2FShibboleth.sso%2FLogin%3FSAMLDS%3D1%26target%3Dss%253Amem%253A21db77b874f0794ffbb617149c260a0bf11ca1655154d63eba78247fa7e1e7ee HTTP/1.1" 200 7458
RESP: [200] Accept-Ranges: bytes Connection: keep-alive Content-Length: 7458 Content-Type: application/samlmetadata+xml Date: Mon, 12 Sep 2022 13:37:21 GMT ETag: "1d22-5bd3d0e117267" Last-Modified: Thu, 11 Mar 2021 06:40:10 GMT Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips PHP/7.4.11
RESP BODY: Omitted, Content-Type is set to application/samlmetadata+xml. Only application/json responses have their bodies logged.
> /usr/lib/python2.7/site-packages/keystoneauth1/access/access.py(38)create()
-> body = resp.json()
(Pdb) p resp.content
'<!-- The entity describing the SAMLtest IdP, named by the entityID below --> \n\n<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="SAMLtestIdP" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xml="http://www.w3.org/XML/1998/namespace" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" validUntil="2100-01-01T00:00:42Z" entityID="https://samltest.id/saml/idp">\n\n <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol urn:mace:shibboleth:1.0">\n\n <Extensions>\n<!-- An enumeration of the domains this IdP is able to assert scoped attributes, which are\ntypically those with a @ delimiter, like mail. Most IdP\'s serve only a single domain. It\'s crucial\nfor the SP to check received attribute values match permitted domains to prevent a recognized IdP from \nsending attribute values for which a different recognized IdP is authoritative. -->\n <shibmd:Scope regexp="false">samltest.id</shibmd:Scope>\n\n<!-- Display information about this IdP that can be used by SP\'s and discovery\nservices to identify the IdP meaningfully for end users --> \n <mdui:UIInfo>\n <mdui:DisplayName xml:lang="en">SAMLtest IdP</mdui:DisplayName>\n <mdui:Description xml:lang="en">A free and basic IdP for testing SAML deployments</mdui:Description>\n <mdui:Logo height="90" width="225">https://samltest.id/saml/logo.png</mdui:Logo>\n </mdui:UIInfo>\n </Extensions>\n\n <KeyDescriptor use="signing">\n <ds:KeyInfo>\n <ds:X509Data>\n 
<ds:X509Certificate>\nMIIDETCCAfmgAwIBAgIUZRpDhkNKl5eWtJqk0Bu1BgTTargwDQYJKoZIhvcNAQEL\nBQAwFjEUMBIGA1UEAwwLc2FtbHRlc3QuaWQwHhcNMTgwODI0MjExNDEwWhcNMzgw\nODI0MjExNDEwWjAWMRQwEgYDVQQDDAtzYW1sdGVzdC5pZDCCASIwDQYJKoZIhvcN\nAQEBBQADggEPADCCAQoCggEBAJrh9/PcDsiv3UeL8Iv9rf4WfLPxuOm9W6aCntEA\n8l6c1LQ1Zyrz+Xa/40ZgP29ENf3oKKbPCzDcc6zooHMji2fBmgXp6Li3fQUzu7yd\n+nIC2teejijVtrNLjn1WUTwmqjLtuzrKC/ePoZyIRjpoUxyEMJopAd4dJmAcCq/K\nk2eYX9GYRlqvIjLFoGNgy2R4dWwAKwljyh6pdnPUgyO/WjRDrqUBRFrLQJorR2kD\nc4seZUbmpZZfp4MjmWMDgyGM1ZnR0XvNLtYeWAyt0KkSvFoOMjZUeVK/4xR74F8e\n8ToPqLmZEg9ZUx+4z2KjVK00LpdRkH9Uxhh03RQ0FabHW6UCAwEAAaNXMFUwHQYD\nVR0OBBYEFJDbe6uSmYQScxpVJhmt7PsCG4IeMDQGA1UdEQQtMCuCC3NhbWx0ZXN0\nLmlkhhxodHRwczovL3NhbWx0ZXN0LmlkL3NhbWwvaWRwMA0GCSqGSIb3DQEBCwUA\nA4IBAQBNcF3zkw/g51q26uxgyuy4gQwnSr01Mhvix3Dj/Gak4tc4XwvxUdLQq+jC\ncxr2Pie96klWhY/v/JiHDU2FJo9/VWxmc/YOk83whvNd7mWaNMUsX3xGv6AlZtCO\nL3JhCpHjiN+kBcMgS5jrtGgV1Lz3/1zpGxykdvS0B4sPnFOcaCwHe2B9SOCWbDAN\nJXpTjz1DmJO4ImyWPJpN1xsYKtm67Pefxmn0ax0uE2uuzq25h0xbTkqIQgJzyoE/\nDPkBFK1vDkMfAW11dQ0BXatEnW7Gtkc0lh2/PIbHWj4AzxYMyBf5Gy6HSVOftwjC\nvoQR2qr2xJBixsg+MIORKtmKHLfU\n </ds:X509Certificate>\n </ds:X509Data>\n </ds:KeyInfo>\n\n </KeyDescriptor>\n <KeyDescriptor use="signing">\n <ds:KeyInfo>\n <ds:X509Data>\n 
<ds:X509Certificate>\nMIIDEjCCAfqgAwIBAgIVAMECQ1tjghafm5OxWDh9hwZfxthWMA0GCSqGSIb3DQEB\nCwUAMBYxFDASBgNVBAMMC3NhbWx0ZXN0LmlkMB4XDTE4MDgyNDIxMTQwOVoXDTM4\nMDgyNDIxMTQwOVowFjEUMBIGA1UEAwwLc2FtbHRlc3QuaWQwggEiMA0GCSqGSIb3\nDQEBAQUAA4IBDwAwggEKAoIBAQC0Z4QX1NFKs71ufbQwoQoW7qkNAJRIANGA4iM0\nThYghul3pC+FwrGv37aTxWXfA1UG9njKbbDreiDAZKngCgyjxj0uJ4lArgkr4AOE\njj5zXA81uGHARfUBctvQcsZpBIxDOvUUImAl+3NqLgMGF2fktxMG7kX3GEVNc1kl\nbN3dfYsaw5dUrw25DheL9np7G/+28GwHPvLb4aptOiONbCaVvh9UMHEA9F7c0zfF\n/cL5fOpdVa54wTI0u12CsFKt78h6lEGG5jUs/qX9clZncJM7EFkN3imPPy+0HC8n\nspXiH/MZW8o2cqWRkrw3MzBZW3Ojk5nQj40V6NUbjb7kfejzAgMBAAGjVzBVMB0G\nA1UdDgQWBBQT6Y9J3Tw/hOGc8PNV7JEE4k2ZNTA0BgNVHREELTArggtzYW1sdGVz\ndC5pZIYcaHR0cHM6Ly9zYW1sdGVzdC5pZC9zYW1sL2lkcDANBgkqhkiG9w0BAQsF\nAAOCAQEASk3guKfTkVhEaIVvxEPNR2w3vWt3fwmwJCccW98XXLWgNbu3YaMb2RSn\n7Th4p3h+mfyk2don6au7Uyzc1Jd39RNv80TG5iQoxfCgphy1FYmmdaSfO8wvDtHT\nTNiLArAxOYtzfYbzb5QrNNH/gQEN8RJaEf/g/1GTw9x/103dSMK0RXtl+fRs2nbl\nD1JJKSQ3AdhxK/weP3aUPtLxVVJ9wMOQOfcy02l+hHMb6uAjsPOpOVKqi3M8XmcU\nZOpx4swtgGdeoSpeRyrtMvRwdcciNBp9UZome44qZAYH1iqrpmmjsfI9pJItsgWu\n3kXPjhSfj1AJGR1l9JGvJrHki1iHTA==\n </ds:X509Certificate>\n </ds:X509Data>\n </ds:KeyInfo>\n\n </KeyDescriptor>\n <KeyDescriptor use="encryption">\n <ds:KeyInfo>\n <ds:X509Data>\n 
<ds:X509Certificate>\nMIIDEjCCAfqgAwIBAgIVAPVbodo8Su7/BaHXUHykx0Pi5CFaMA0GCSqGSIb3DQEB\nCwUAMBYxFDASBgNVBAMMC3NhbWx0ZXN0LmlkMB4XDTE4MDgyNDIxMTQwOVoXDTM4\nMDgyNDIxMTQwOVowFjEUMBIGA1UEAwwLc2FtbHRlc3QuaWQwggEiMA0GCSqGSIb3\nDQEBAQUAA4IBDwAwggEKAoIBAQCQb+1a7uDdTTBBFfwOUun3IQ9nEuKM98SmJDWa\nMwM877elswKUTIBVh5gB2RIXAPZt7J/KGqypmgw9UNXFnoslpeZbA9fcAqqu28Z4\nsSb2YSajV1ZgEYPUKvXwQEmLWN6aDhkn8HnEZNrmeXihTFdyr7wjsLj0JpQ+VUlc\n4/J+hNuU7rGYZ1rKY8AA34qDVd4DiJ+DXW2PESfOu8lJSOteEaNtbmnvH8KlwkDs\n1NvPTsI0W/m4SK0UdXo6LLaV8saIpJfnkVC/FwpBolBrRC/Em64UlBsRZm2T89ca\nuzDee2yPUvbBd5kLErw+sC7i4xXa2rGmsQLYcBPhsRwnmBmlAgMBAAGjVzBVMB0G\nA1UdDgQWBBRZ3exEu6rCwRe5C7f5QrPcAKRPUjA0BgNVHREELTArggtzYW1sdGVz\ndC5pZIYcaHR0cHM6Ly9zYW1sdGVzdC5pZC9zYW1sL2lkcDANBgkqhkiG9w0BAQsF\nAAOCAQEABZDFRNtcbvIRmblnZItoWCFhVUlq81ceSQddLYs8DqK340//hWNAbYdj\nWcP85HhIZnrw6NGCO4bUipxZXhiqTA/A9d1BUll0vYB8qckYDEdPDduYCOYemKkD\ndmnHMQWs9Y6zWiYuNKEJ9mf3+1N8knN/PK0TYVjVjXAf2CnOETDbLtlj6Nqb8La3\nsQkYmU+aUdopbjd5JFFwbZRaj6KiHXHtnIRgu8sUXNPrgipUgZUOVhP0C0N5OfE4\nJW8ZBrKgQC/6vJ2rSa9TlzI6JAa5Ww7gMXMP9M+cJUNQklcq+SBnTK8G+uBHgPKR\nzBDsMIEzRtQZm4GIoHJae4zmnCekkQ==\n </ds:X509Certificate>\n </ds:X509Data>\n </ds:KeyInfo>\n\n </KeyDescriptor>\n\n<!-- An endpoint for artifact resolution. Please see Wikipedia for more details about SAML\n artifacts and when you may find them useful. -->\n\n <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://samltest.id/idp/profile/SAML2/SOAP/ArtifactResolution" index="1" />\n\n<!-- A set of endpoints where the IdP can receive logout messages. These must match the public\nfacing addresses if this IdP is hosted behind a reverse proxy. 
--> \n <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://samltest.id/idp/profile/SAML2/Redirect/SLO"/>\n <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://samltest.id/idp/profile/SAML2/POST/SLO"/>\n <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://samltest.id/idp/profile/SAML2/POST-SimpleSign/SLO"/>\n\n<!-- A set of endpoints the SP can send AuthnRequests to in order to trigger user authentication. -->\n <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://samltest.id/idp/profile/Shibboleth/SSO"/>\n <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://samltest.id/idp/profile/SAML2/POST/SSO"/>\n <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://samltest.id/idp/profile/SAML2/POST-SimpleSign/SSO"/>\n <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://samltest.id/idp/profile/SAML2/Redirect/SSO"/>\n <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://samltest.id/idp/profile/SAML2/SOAP/ECP"/>\n\n </IDPSSODescriptor>\n\n</EntityDescriptor>\n'
(Pdb) c
Expecting value: line 1 column 1 (char 0)
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 394, in run_subcommand
    self.prepare_to_run_command(cmd)
  File "/usr/lib/python2.7/site-packages/openstackclient/shell.py", line 166, in prepare_to_run_command
    return super(OpenStackShell, self).prepare_to_run_command(cmd)
  File "/usr/lib/python2.7/site-packages/osc_lib/shell.py", line 493, in prepare_to_run_command
    self.client_manager.auth_ref
  File "/usr/lib/python2.7/site-packages/osc_lib/clientmanager.py", line 202, in auth_ref
    self._auth_ref = self.auth.get_auth_ref(self.session)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/identity/v3/federation.py", line 67, in get_auth_ref
    auth_ref = self.get_unscoped_auth_ref(session)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/extras/_saml2/v3/saml2.py", line 247, in get_unscoped_auth_ref
    return access.create(resp=resp)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/access/access.py", line 38, in create
    body = resp.json()
  File "/usr/lib/python2.7/site-packages/requests/models.py", line 889, in json
    self.content.decode(encoding), **kwargs
  File "/usr/lib64/python2.7/site-packages/simplejson/__init__.py", line 518, in loads
    return _default_decoder.decode(s)
  File "/usr/lib64/python2.7/site-packages/simplejson/decoder.py", line 370, in decode
    obj, end = self.raw_decode(s)
  File "/usr/lib64/python2.7/site-packages/simplejson/decoder.py", line 400, in raw_decode
    return self.scan_once(s, idx=_w(s, idx).end())
JSONDecodeError: Expecting value: line 1 column 1 (char 0)
clean_up ListAccessibleProjects: Expecting value: line 1 column 1 (char 0)
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/osc_lib/shell.py", line 136, in run
    ret_val = super(OpenStackShell, self).run(argv)
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 281, in run
    result = self.run_subcommand(remainder)
  File "/usr/lib/python2.7/site-packages/osc_lib/shell.py", line 176, in run_subcommand
    ret_value = super(OpenStackShell, self).run_subcommand(argv)
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 394, in run_subcommand
    self.prepare_to_run_command(cmd)
  File "/usr/lib/python2.7/site-packages/openstackclient/shell.py", line 166, in prepare_to_run_command
    return super(OpenStackShell, self).prepare_to_run_command(cmd)
  File "/usr/lib/python2.7/site-packages/osc_lib/shell.py", line 493, in prepare_to_run_command
    self.client_manager.auth_ref
  File "/usr/lib/python2.7/site-packages/osc_lib/clientmanager.py", line 202, in auth_ref
    self._auth_ref = self.auth.get_auth_ref(self.session)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/identity/v3/federation.py", line 67, in get_auth_ref
    auth_ref = self.get_unscoped_auth_ref(session)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/extras/_saml2/v3/saml2.py", line 247, in get_unscoped_auth_ref
    return access.create(resp=resp)
  File "/usr/lib/python2.7/site-packages/keystoneauth1/access/access.py", line 38, in create
    body = resp.json()
  File "/usr/lib/python2.7/site-packages/requests/models.py", line 889, in json
    self.content.decode(encoding), **kwargs
  File "/usr/lib64/python2.7/site-packages/simplejson/__init__.py", line 518, in loads
    return _default_decoder.decode(s)
  File "/usr/lib64/python2.7/site-packages/simplejson/decoder.py", line 370, in decode
    obj, end = self.raw_decode(s)
  File "/usr/lib64/python2.7/site-packages/simplejson/decoder.py", line 400, in raw_decode
    return self.scan_once(s, idx=_w(s, idx).end())
JSONDecodeError: Expecting value: line 1 column 1 (char 0)
I resolved the problem. Using Shibboleth and samltest, getting an access token from samltest works well, but I still think there are problems with the OpenStack command.
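Added example, not part of the post above and not keystoneauth's own code: the three legs of the SAML 2.0 ECP exchange that the v3samlpassword plugin performs, walked on constructed messages so it runs offline. It assumes the host names from the post (controller, samltest.id) and a hypothetical SP consumer URL https://controller/Shibboleth.sso/SAML2/ECP; the XML envelopes are hand-written sample data, not captured traffic. The classifier at the top covers the two replies seen in the post's --debug output (a 302 to a discovery page, and a document served as application/samlmetadata+xml) next to the two replies the client actually needs (a PAOS envelope, then JSON).

```python
"""Walk the SAML 2.0 ECP exchange a v3samlpassword client performs, on
constructed messages (added example; host names follow the post, XML is hand-written)."""
import xml.etree.ElementTree as ET

NS = {
    "S": "http://schemas.xmlsoap.org/soap/envelope/",
    "paos": "urn:liberty:paos:2003-08",
    "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)
SOAP_ACTOR = "http://schemas.xmlsoap.org/soap/actor/next"

# Leg 1: GET the SP-protected keystone auth URL with these two headers.  Without
# them the SP treats the client as a browser and redirects to login/discovery.
ECP_REQUEST_HEADERS = {
    "Accept": "text/html, application/vnd.paos+xml",
    "PAOS": 'ver="urn:liberty:paos:2003-08";'
            '"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"',
}

def classify_sp_reply(status, content_type):
    """Classify what came back from the controller at any point in the flow."""
    ct = content_type.split(";")[0].strip().lower()
    if status == 200 and ct == "application/vnd.paos+xml":
        return "paos"              # ECP engaged: go on to leg 2
    if status == 200 and ct == "application/json":
        return "token"             # the unscoped token keystone should end with
    if status == 200 and ct == "application/samlmetadata+xml":
        return "idp-metadata"      # an IdP metadata document, not a token
    if status in (301, 302, 303):
        return "browser-redirect"  # SP did not honour the PAOS headers
    return "unexpected"

# Constructed: the PAOS envelope a correctly configured SP returns for leg 1.
SP_PAOS_ENVELOPE = """\
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
 <S:Header>
  <paos:Request xmlns:paos="urn:liberty:paos:2003-08" S:mustUnderstand="1"
   S:actor="http://schemas.xmlsoap.org/soap/actor/next"
   service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
   responseConsumerURL="https://controller/Shibboleth.sso/SAML2/ECP"/>
  <ecp:Request xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
   S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next"/>
 </S:Header>
 <S:Body>
  <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
   ID="_req1" Version="2.0" IssueInstant="2022-09-12T13:37:07Z">
   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://controller/shibboleth</saml:Issuer>
  </samlp:AuthnRequest>
 </S:Body>
</S:Envelope>"""

def idp_envelope(acs_url):
    """Constructed: the IdP's SOAP reply from its /SAML2/SOAP/ECP endpoint."""
    return f"""\
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
 <S:Header>
  <ecp:Response xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
   S:mustUnderstand="1" S:actor="{SOAP_ACTOR}"
   AssertionConsumerServiceURL="{acs_url}"/>
 </S:Header>
 <S:Body>
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_resp1"
   Version="2.0" InResponseTo="_req1" IssueInstant="2022-09-12T13:37:21Z"/>
 </S:Body>
</S:Envelope>"""

def build_idp_request(sp_envelope_xml):
    """Leg 2: strip the PAOS/ECP header, remember responseConsumerURL, and return
    the bare AuthnRequest envelope to POST to the IdP's ECP endpoint with HTTP
    Basic credentials (OS_USERNAME/OS_PASSWORD)."""
    root = ET.fromstring(sp_envelope_xml)
    header = root.find("S:Header", NS)
    consumer_url = header.find("paos:Request", NS).get("responseConsumerURL")
    root.remove(header)
    return consumer_url, ET.tostring(root, encoding="unicode")

def build_sp_response(idp_envelope_xml, consumer_url, relay_state=None):
    """Leg 3: the ECP profile has the client compare the IdP's
    AssertionConsumerServiceURL with the SP's responseConsumerURL; on mismatch
    the assertion is being steered elsewhere and must not be delivered (the
    client sends the SP a SOAP fault instead).  On match, swap the ecp header
    for paos:Response and POST the envelope to consumer_url as application/vnd.paos+xml."""
    root = ET.fromstring(idp_envelope_xml)
    header = root.find("S:Header", NS)
    acs_url = header.find("ecp:Response", NS).get("AssertionConsumerServiceURL")
    if acs_url != consumer_url:
        raise ValueError(f"ACS URL {acs_url!r} != responseConsumerURL {consumer_url!r}")
    soap_attrs = {f"{{{NS['S']}}}mustUnderstand": "1", f"{{{NS['S']}}}actor": SOAP_ACTOR}
    new_header = ET.Element(f"{{{NS['S']}}}Header")
    ET.SubElement(new_header, f"{{{NS['paos']}}}Response", dict(soap_attrs))
    if relay_state:  # echo the SP's RelayState (the target=ss:mem:... value in the post)
        ET.SubElement(new_header, f"{{{NS['ecp']}}}RelayState", dict(soap_attrs)).text = relay_state
    root.remove(header)
    root.insert(0, new_header)
    return ET.tostring(root, encoding="unicode")
```

Two practical notes. A 302 to the IdP discovery page at leg 1, as in the post's trace, means the SP answered as it would for a browser rather than with a PAOS envelope, so nothing after that point in the flow is ECP any more and the client ends up parsing whatever page the redirect chain lands on. And the keystoneauth session applies OS_CACERT to every request it makes, including the one to the IdP, so the bundle named there has to be able to validate the IdP's certificate as well as the controller's; turning verification off hides that rather than fixing it.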