Shibboleth doesn't recognize keystone IdP metadata
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mirantis OpenStack | Invalid | High | MOS Keystone |
Bug Description
I have found that keystone to keystone (k2k) federation does not work in MOS 9.0.
I have tested this configuration in MOS 9.0 and in Devstack and I get the same errors.
How to reproduce:
1. Deploy two MOS 9.0 environments
2. Configure the first environment as follows (Keystone IdP):
2.1 Install the packages:
# sudo apt-get install xmlsec1
# sudo apt-get install python-pysaml2
2.2 Switch API to v3
echo export OS_AUTH_URL='http://
echo export OS_IDENTITY_
source openrc
2.3 Add the following lines into /etc/keystone/
certfile=
keyfile=
idp_entity_id=http://
idp_sso_endpoint=http://
idp_metadata_
idp_organizatio
idp_organizatio
idp_organizatio
2.4 Add the following lines into /etc/keystone/
[filter:
use = egg:keystone#
[pipeline:api_v3]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension_v3 s3_extension federation_
2.5 keystone-manage db_sync --extension federation
2.6 Generate the IdP metadata:
keystone-manage saml_idp_metadata > /etc/keystone/
chown keystone:keystone /etc/keystone/
2.7 Generate ssl:
keystone-manage pki_setup --rebuild --keystone-user keystone --keystone-group keystone
keystone-manage ssl_setup --rebuild --keystone-user keystone --keystone-group keystone
2.8 Restart Apache:
service apache2 restart
3. Configure the secondary environment as follows (Keystone SP):
3.1 Install Shibboleth module:
sudo apt-get install libapache2-
3.2 Add the following lines into /etc/apache2/
<VirtualHost 192.168.
…
WSGIScriptAl
<Location /Shibboleth.sso>
SetHandler shib
</Location>
<LocationMatch /v3/OS-
ShibReque
AuthType shibboleth
ShibExpor
Require valid-user
</LocationMatch>
3.3 Add the following lines into /etc/keystone/
[auth]
methods = external,
saml2 = keystone.
[saml2]
remote_id_attribute = Shib-Identity-
[federation]
trusted_dashboard = http://
sso_callback_
3.4 Configure Shibboleth SP.
Add the following lines into /etc/shibboleth
<Attribute name="openstack
<Attribute name="openstack
<Attribute name="openstack
<Attribute name="openstack
<Attribute name="openstack
3.5 Edit the /etc/shibboleth
<ApplicationDef
<SSO ECP="true" entityID="http://
SAML2 SAML1
</SSO>
<MetadataPr
3.6 Start services:
sudo shib-keygen -y 10
sudo a2enmod shib2
sudo service apache2 restart
4. Configure IdP and SP in keystone:
4.1 Create mapping.json
[
{
"local": [
{
}
}
],
"remote": [
{
]
}
]
}
]
4.2 Register group and mapping on Keystone.SP
openstack group create federated
openstack project create demo
openstack role add _member_ --group federated --project demo
openstack identity provider create idp1
openstack identity provider
openstack identity provider set --help
openstack identity provider set --remote-id http://
openstack identity provider show idp1
openstack mapping create idp1_mapping --rules mapping1.json
openstack federation protocol create saml2 --identity-provider idp1 --mapping idp1_mapping
4.3 Add the following into /etc/openstack-
WEBSSO_ENABLED = True
WEBSSO_CHOICES = (
("credentials", _("Keystone Credentials")),
("saml2", _("TestShib Identity")))
WEBSSO_
OPENSTACK_
OPENSTACK_
4.4 Restart apache
service apache2 restart
4.5 Create service provider in Keystone.IDP
openstack service provider create --auth-url http://
When we open Horizon and choose SAML, we get the following error:
2016-09-21 21:39:34 INFO Shibboleth.Listener : listener service starting
2016-09-21 22:04:47 WARN Shibboleth.
2016-09-21 22:04:47 INFO Shibboleth.
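The Shibboleth log lines quoted above are cut off, so the report does not say which part of the IdP metadata the SP rejected. The following is an added example, not code from the bug report, from Keystone or from Shibboleth: a small checker for the metadata file that keystone-manage saml_idp_metadata writes, run on the SP side before the MetadataProvider in shibboleth2.xml is pointed at it. It verifies the elements a Shibboleth SP needs to accept an entity as a SAML 2.0 IdP (an md:EntityDescriptor with an entityID, an md:IDPSSODescriptor advertising the SAML 2.0 protocol, a SingleSignOnService endpoint and a signing KeyDescriptor with an X.509 certificate) and optionally compares the entityID with the value registered via openstack identity provider set --remote-id. The host names and the certificate body in the embedded sample are constructed placeholders.

```python
"""Sanity-check SAML 2.0 IdP metadata before handing it to a Shibboleth SP.

Added example for this bug page (not code from the report, Keystone or
Shibboleth). Host names and certificate bytes below are constructed.
"""
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"


def check_idp_metadata(xml_text, expected_entity_id=None):
    """Return a list of problems; an empty list means the metadata looks usable.

    expected_entity_id: the remote-id registered on the SP side. If it does
    not equal the IdP's entityID, Keystone SP never matches incoming
    assertions to the registered identity provider.
    """
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]

    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return ["root element is %s, expected md:EntityDescriptor" % root.tag]

    entity_id = root.get("entityID")
    if not entity_id:
        problems.append("EntityDescriptor has no entityID attribute")
    elif expected_entity_id and entity_id != expected_entity_id:
        problems.append("entityID %r does not match the SP's remote-id %r"
                        % (entity_id, expected_entity_id))

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        problems.append("no md:IDPSSODescriptor: the SP will not treat this entity as an IdP")
        return problems

    if SAML2_PROTOCOL not in idp.get("protocolSupportEnumeration", "").split():
        problems.append("IDPSSODescriptor does not advertise %s" % SAML2_PROTOCOL)

    sso = idp.findall("md:SingleSignOnService", NS)
    if not sso:
        problems.append("no md:SingleSignOnService endpoint")
    for endpoint in sso:
        location = endpoint.get("Location", "")
        if not location.startswith(("http://", "https://")):
            problems.append("SingleSignOnService Location %r is not an absolute URL" % location)

    # A KeyDescriptor without a 'use' attribute is valid for signing and encryption.
    signing_keys = [kd for kd in idp.findall("md:KeyDescriptor", NS)
                    if kd.get("use") in (None, "signing")]
    certs = [c for kd in signing_keys
             for c in kd.findall(".//ds:X509Certificate", NS)
             if (c.text or "").strip()]
    if not certs:
        problems.append("no signing KeyDescriptor with an X509Certificate: "
                        "the SP cannot verify assertion signatures")
    return problems


# Constructed sample shaped like keystone-manage saml_idp_metadata output;
# the host and the certificate body are placeholders, not real values.
GOOD_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://idp.example.test/v3/OS-FEDERATION/saml2/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB-PLACEHOLDER-CERT-BASE64</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.example.test/v3/OS-FEDERATION/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Same document with the signing key stripped: well-formed, but unusable by an SP.
_start = GOOD_METADATA.index("<md:KeyDescriptor")
_end = GOOD_METADATA.index("</md:KeyDescriptor>") + len("</md:KeyDescriptor>")
BAD_METADATA = GOOD_METADATA[:_start] + GOOD_METADATA[_end:]


if __name__ == "__main__":
    # usage: check_idp_metadata.py [metadata.xml] [expected-remote-id]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else GOOD_METADATA
    remote_id = sys.argv[2] if len(sys.argv) > 2 else None
    for line in check_idp_metadata(text, remote_id) or ["metadata looks usable"]:
        print(line)
```

Run it against the file generated in step 2.6 and pass the remote-id from step 4.2 as the second argument; any line it prints is something the Shibboleth SP log should also be complaining about.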
Changed in mos:
- assignee: nobody → MOS Keystone (mos-keystone)
- summary: "Keystone to Keystone federation does not work in Openstack Mitaka (MOS - 9.0)" → "Shibboleth doesn't recognize keystone IdP metadata"
- tags: added: area-keystone
- description: updated
Changed in mos:
- importance: Undecided → High
- milestone: none → 9.2
- status: Incomplete → Confirmed
There is a question without an answer: https://ask.openstack.org/en/question/69026/websso-with-keystone-idp/