Sergey,

It looks like you have a problem in attributes mapping between your Identity Provider and Service Provider. Please give more information:
- what Identity Provider do you use
- what attributes your IdP is sending
- what Service Provider do you use
- what attributes your SP is expecting

On Tue, Jan 10, 2017 at 12:03 AM, Сергей Филатов <filat...@gmail.com> wrote:

> Hi all!
> I got a problem with my keystone federation setup:
>
> When I’m logging into Horizon it redirects me into external Identity
> Provider, I fill in my credentials and everything is fine. Then I’m being
> redirected back to keystone and here’s where it fails:
> it goes into TokenlessAuthHelper class, tries to get_scope retrieving
> project,domain etc attributes from request.environ.
> And it fails coz I don’t have them in my environment variable: everything
> that comes from IdP is in HTTP_REFERER header, it looks like this:
>
> HTTP_REFERER:
> https://idp.local/auth/realms/openstack/protocol/saml?SAMLRequest=hZJbawIxEIX%2FypJ3TVxdbYMKogiCLWIvD30pIY4Ymss2M2vbf99kpda%2B2KeF2TlzznfIGJWztZw1dPBbeG8Aqfh01qNsf0xYE70MCg1KrxygJC0fZndrWXaFrGOgoINlF5LrCoUIkUzwrFgtJux1cbsciZvZoN8TZb%2Bal6KsymrYGwxGpajKsmLFM0RM%2BxOW5EmE2MDKIylPaSR6o47odcTto7iRg6Gshi%2BsWCQG4xW1qgNRjZJzU6uuDVpZrhIqj6CsQx5qyLf0G%2F9B4ZmBFfPgEbLFNRh9WpK6iTF9O8bV1mhDrFiGqKHtdML2yiLk5JsEb45wnsx%2BushmjYP4APFoNDxt17%2B5zwlP6WUlhODHPndgbfC8DkhbwDonYdNxDi%2FbjuL06gWzS4ENfV2cckBqp0iN%2BeWV8el93Cf41WITEt9XpnPqn27yxOw6%2B3ZVUlQeTbJM1MnsY576p9QExQYYn54s%2F77C6Tc%3D&RelayState=http%3A%2F%2F192.168.56.102%2Fidentity%2Fv3%2Fauth%2FOS-FEDERATION%2Fwebsso%2Fsaml2%3Forigin%3Dhttps%3A%2F%2Fopenstack.local%2Fdashboard%2Fauth%2Fwebsso%2F&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=NmG9oPBMKYc1Ma%2FZI21sWzfW1au5xTbJnuuDpnxPWCGjNXfVN0T2jje1ffcJHGX4aF4zK9SLZs2j0jKFRH3jnzgtLGwvl%2Bxwe3OPzjXltdE9JvMOMlPxazaI8Fb0JZ0pzLS6LnlY5QbA3FesCNoWObKUSsPzL3WuKPoCOwtI8Yd7zdK22pZWWcRvtbKkZuDTLLTtj81vh0oxCpAISs0QQ8CXRNYFto5KkMYZxGIBUPMvq9RDH0RIfXho4HFkdwf0wBCaTt5Vn77HxuYIW%2FGnY0DnAL0DRyQpNW%2BdH9de4QdEugUep8QejdMiQSqb4gWzuOFlKGEtpliV39beLxNCVg%3D%3D
>
> So the question is who is supposed to process request from IdP on its way
> back to keystone?
>
> I’m using devstack and configured keystone.conf:
>
> [auth]
> methods = external,password,token,oauth1,mapped
> [mapped]
> remote_id_attribute = MELLON_IDP
>
>
> ..Sergey Filatov
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack@lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
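A redirect URL like the one quoted above carries its SAML message in the HTTP-Redirect binding encoding (raw DEFLATE, then base64, then URL-encoding), so it can be decoded to see which message it is and whether it holds any attributes. This is an added example, not code from the thread or from keystone; the function names, the `idp.example` / `sp.example` URLs and the sample request are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MAX_XML = 64 * 1024  # cap inflated size so a hostile value cannot exhaust memory


def encode_redirect(xml_text):
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def describe_redirect(url):
    """Decode the SAML message in a redirect URL and return its readable fields."""
    query = parse_qs(urlsplit(url).query)
    kind = "SAMLRequest" if "SAMLRequest" in query else "SAMLResponse"
    raw = base64.b64decode(query[kind][0])
    # Only parse values from your own logs: ElementTree is not hardened against hostile XML.
    root = ET.fromstring(zlib.decompressobj(-15).decompress(raw, MAX_XML))
    issuer = root.find("{%s}Issuer" % SAML)
    return {
        "parameter": kind,
        "message": root.tag.split("}")[1],
        "issuer": issuer.text if issuer is not None else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "relay_state": query.get("RelayState", [None])[0],
        "sig_alg": query.get("SigAlg", [None])[0],
        # Attribute statements only exist inside an assertion in a response.
        "attributes": [a.get("Name") for a in root.iter("{%s}Attribute" % SAML)],
    }


# Constructed sample request and URL (hypothetical hosts), not taken from the thread.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_constructed1" '
    'Version="2.0" IssueInstant="2017-01-10T00:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example/acs">'
    "<saml:Issuer>https://sp.example/metadata</saml:Issuer>"
    "</samlp:AuthnRequest>" % (SAMLP, SAML)
)
SAMPLE_URL = "https://idp.example/saml?" + urlencode({
    "SAMLRequest": encode_redirect(SAMPLE_XML),
    "RelayState": "https://sp.example/websso",
    "SigAlg": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
})

if __name__ == "__main__":
    for key, value in describe_redirect(SAMPLE_URL).items():
        print("%-12s %s" % (key, value))
```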