Hi Sreeja,

I think this is happening because your SAML namespace prefixes are being reassigned. The line of code "*file_path = fileutils.write_to_tempfile(assertion.to_string())*" is raising the exception. The link https://review.openstack.org/gitweb?p=openstack%2Fkeystone.git;a=commitdiff;h=acdf034eb189773494849c4b7798f4bf59ea8517 might help you out. Try patching your keystone with the 2 files, and if the problem persists even then, let me know.

Thanks.
Nitish B.

Regards,
Nitish B.

On Mon, Sep 7, 2015 at 3:42 PM, sreeja kannagundla <[email protected]> wrote:

> Hi
>
> This is what my log file looks like:
>
> INFO keystone.common.wsgi [-] POST
> http://keystone:5000/v3/auth/OS-FEDERATION/saml2/ecp
> ERROR keystone.contrib.federation.idp [-] Error when signing assertion,
> reason: Command '['xmlsec1', '--sign', '--privkey-pem',
> '/etc/keystone/ssl/private/cakey.pem,/etc/keystone/ssl/certs/ca.pem',
> '--id-attr:ID', 'Assertion', '/tmp/tmpfXz0D4']' returned non-zero exit status
> 1
> 2015-06-24 21:54:46.482 13569 WARNING keystone.common.wsgi [-] An
> unexpected error prevented the server from fulfilling your request.
>
> and the certificates ca.pem and cakey.pem are present in the
> /etc/keystone/ssl/certs/ and /etc/keystone/ssl/private/
>
> This error is raised when subprocess.checkoutput method is called from
> sign_assertion method
>
> and following is my saml section in keystone.conf :
>
> [saml]
> certfile = /etc/keystone/ssl/certs/ca.pem
> keyfile = /etc/keystone/ssl/private/cakey.pem
> idp_entity_id = http://keystone.idp/v3/OS-FEDERATION/saml2/idp
> idp_sso_endpoint = http://keystone.idp/v3/OS-FEDERATION/saml2/sso
> idp_metadata_path = /etc/keystone/keystone_idp_metadata.xml
>
> On Mon, Sep 7, 2015 at 2:28 PM, nithish B <[email protected]> wrote:
>
>> Hi Sreeja,
>> It seems like your private key and/or the ssl certificate you use to auth
>> does not exist. If you are indeed using key-pair based authentication, make
>> sure you have the key "signing_key.pem" at the mentioned location, i.e. at
>> /etc/ssl/private
>>
>> If this doesn't help, can you then just share a bit more on your setup.
>>
>> Thanks.
>> Nitish B.
>>
>> Regards,
>> Nitish B.
>>
>> On Mon, Sep 7, 2015 at 1:15 PM, sreeja kannagundla <
>> [email protected]> wrote:
>>
>>> While trying to implement federation, I was getting code 500 errors
>>> when trying to get a SAML assertion from a Keystone instance
>>> configured as identity provider. This is what the Keystone log showed:
>>>
>>> INFO keystone.common.wsgi [-] POST
>>> http://172.29.236.100:5000/v3/auth/OS-FEDERATION/saml2/ecp
>>> ERROR keystone.contrib.federation.idp [-] Error when signing assertion,
>>> reason: Command '['xmlsec1', '--sign', '--privkey-pem',
>>> '/etc/ssl/private/signing_key.pem,/etc/ssl/
>>> certs/signing_cert.pem', '--id-attr:ID', 'Assertion', '/tmp/tmpfXz0D4']'
>>> returned non-zero exit status 1
>>> 2015-06-24 21:54:46.482 13569 WARNING keystone.common.wsgi [-] An
>>> unexpected error prevented the server from fulfilling your request.
>>>
>>> It is not clear what the problem is from the logs
>>>
>>> _______________________________________________
>>> Mailing list:
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>> Post to : [email protected]
>>> Unsubscribe :
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
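The Keystone log quoted in this thread records only the exit status of xmlsec1, not its error output. As an added example (not part of the thread and not Keystone's own code), the Python below checks the `[saml]` certfile and keyfile paths and reruns the same xmlsec1 argument list with stderr captured. The function names and the group/other permission check on the private key are assumptions of this example; run it as the user the Keystone service runs as.

```python
import configparser
import os
import shutil
import stat
import subprocess


def check_saml_files(conf_text):
    """Return a list of problems with the [saml] certfile/keyfile settings."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    if not cp.has_section("saml"):
        return ["no [saml] section"]
    problems = []
    for opt in ("certfile", "keyfile"):
        path = cp.get("saml", opt, fallback="")
        if not path:
            problems.append(f"{opt} is not set")
        elif not os.path.isfile(path):
            problems.append(f"{opt} {path} does not exist")
        elif not os.access(path, os.R_OK):
            problems.append(f"{opt} {path} is not readable by this user")
        elif opt == "keyfile" and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            # Assumption of this example: a signing key should be owner-only.
            problems.append(f"keyfile {path} is accessible to group/other")
    return problems


def xmlsec1_command(keyfile, certfile, assertion_path):
    """Build the same argument list that appears in the quoted log."""
    return ["xmlsec1", "--sign", "--privkey-pem", f"{keyfile},{certfile}",
            "--id-attr:ID", "Assertion", assertion_path]


def sign_with_stderr(keyfile, certfile, assertion_path):
    """Run xmlsec1 and return (exit_status, stderr), not just the status."""
    if shutil.which("xmlsec1") is None:
        return None, "xmlsec1 is not on PATH"
    proc = subprocess.run(xmlsec1_command(keyfile, certfile, assertion_path),
                          capture_output=True, text=True)
    return proc.returncode, proc.stderr


if __name__ == "__main__":
    # Constructed sample: the [saml] paths quoted in the thread.
    sample = ("[saml]\n"
              "certfile = /etc/keystone/ssl/certs/ca.pem\n"
              "keyfile = /etc/keystone/ssl/private/cakey.pem\n")
    for problem in check_saml_files(sample):
        print("problem:", problem)
```

If the file checks pass, calling `sign_with_stderr` on a saved copy of the unsigned assertion returns the xmlsec1 message that the log omits.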
