[Edge-computing] Status of Keystone federation testing with tempest

Csatari, Gergely (Nokia - HU/Budapest) gergely.csatari at nokia.com
Mon Jan 7 15:23:23 UTC 2019


Hi,


Just to send a signal, that I'm still working on this (with best effort).


What I could figure out in the last few months is that we need a "verify=False" parameter in the session.post of send_identity_provider_authn_request (in saml2_client.py) to be able to connect to the IdP using self signed certificates.


Now I'm able to communicate with the IdP and I can see that there is a problem with the IdP config.

This is the log of Shibboleth:

2019-01-07 11:33:55,165 - WARN [net.shibboleth.idp.profile.impl.SelectProfileConfiguration:111] - Profile Action SelectProfileConfiguration: Profile http://shibboleth.net/ns/profiles/saml2/sso/ecp is not available for RP configuration shibboleth.UnverifiedRelyingParty (RPID http://127.0.0.1/shibboleth)
2019-01-07 11:33:55,167 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: InvalidProfileConfiguration

I will keep debugging this and update you on the results.


Would it help if I pushed all the modified things to GitHub with a description of how I am doing the configuration?



Br,

Gerg0


________________________________
From: Csatari, Gergely (Nokia - HU/Budapest)
Sent: Saturday, September 15, 2018 12:36 AM
To: nick at stackhpc.com; knikolla at bu.edu; colleen at gazlene.net; mbuil at suse.com; edge-computing at lists.openstack.org
Subject: Re: Status of Keystone federation testing with tempest


Hi,


Some update on the open issues:

- Make this work 😉: Okay, I realized that I use the wrong certificate in the IdP. Based on the IdP's description I should generate a p12 certificate using the certificate and the key used by the Shibboleth SP. When I try to generate the certificate I get a strange error:

openssl pkcs12 -inkey /etc/shibboleth/sp-key.pem -in /etc/shibboleth/sp-cert.pem -out ../keystone-shibboleth-idp-dockerized/shibboleth-idp/credentials/idp-browser.p12

139822780584384:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1129:
139822780584384:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:289:Type=PKCS12

Google tells me that this is because one of my pem files is in the wrong format. This is really strange as the error persists even after I regenerated these files with

shib-keygen -f -y 1

   - Figure out how to start a Container in a Keystone plugin or a tempest plugin - no progress on this
   - Figure out how to integrate with CI - no progress on this
   - Figure out how to use static certificates and keys, so the same IdP container image can be used.

If you are bigger fans of IRC than email I can start sending these updates to the keystone channel.

Br,
Gerg0
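A note on the openssl error quoted above, as an added example that is not part of this thread: `openssl pkcs12` reads its `-in` argument as an existing PKCS#12 file unless `-export` is given, which is what the `Type=PKCS12` decode error on a PEM input reflects. The script below (editor's example, not code from the thread or from Shibboleth) assumes `openssl` is on PATH, takes the key and certificate paths as arguments, checks that each PEM file parses as the type expected and that the pair actually belongs together, and only then builds the bundle with `-export`. The password `changeit` in the usage comment is a constructed value.

```shell
#!/bin/sh
# Added example (not from the thread): validate a Shibboleth SP key/cert
# pair as openssl sees it, then bundle it as PKCS#12 with -export.
# Paths are arguments; the p12 password is supplied by the caller.
set -u

# pem_kind FILE -> prints "cert", "key" or "unknown" depending on how the
# file parses (PEM is just a labelled base64 body, so the same bytes can be
# tried as either type).
pem_kind() {
    if openssl x509 -in "$1" -noout >/dev/null 2>&1; then
        echo cert
    elif openssl pkey -in "$1" -noout >/dev/null 2>&1; then
        echo key
    else
        echo unknown
    fi
}

# keypair_matches KEY CERT -> 0 if the public key inside the certificate
# equals the public key derived from the private key.
keypair_matches() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# make_p12 KEY CERT OUT PASSWORD -> builds the PKCS#12 bundle and re-reads
# it to confirm it is well formed. -export is required: without it,
# openssl pkcs12 treats -in as an existing .p12 and fails on PEM input
# with an ASN.1 "wrong tag ... Type=PKCS12" error.
make_p12() {
    [ "$(pem_kind "$1")" = key ]  || { echo "not a private key: $1" >&2; return 1; }
    [ "$(pem_kind "$2")" = cert ] || { echo "not a certificate: $2" >&2; return 1; }
    keypair_matches "$1" "$2"     || { echo "key and cert do not match" >&2; return 1; }
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4" \
        && openssl pkcs12 -in "$3" -info -noout -passin "pass:$4" >/dev/null 2>&1
}

# Usage (self-signed pair constructed here for the example):
# openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=sp.example \
#     -keyout sp-key.pem -out sp-cert.pem -days 365 2>/dev/null
# make_p12 sp-key.pem sp-cert.pem idp-browser.p12 changeit
```

The key/cert match check matters because a bundle built from a mismatched pair will still be produced by openssl, and the failure only surfaces later when the IdP tries to use it.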



________________________________
From: Csatari, Gergely (Nokia - HU/Budapest)
Sent: Wednesday, September 12, 2018 11:25:32 PM
To: nick at stackhpc.com; knikolla at bu.edu; colleen at gazlene.net; mbuil at suse.com; edge-computing at lists.openstack.org
Subject: Re: Status of Keystone federation testing with tempest


Hi,


Some update on the open issues.

   - Make this work 😉 - here I have some progress, however I cannot explain why. Now keystone is able to reach Shibboleth and Shibboleth answers with FatalProfileException "A valid authentication statement was not found in the incoming message.". I am continuing to figure out what the problem is.
   - Set the idp address in the correct place - This is done thanks to gmann.
   - Figure out how to start a Container in a Keystone plugin or a tempest plugin - Here I try to use https://github.com/openstack/devstack-plugin-container however I'm not sure if this is the right tool to start containers in DevStack environment.
   - Figure out how to integrate with CI - no progress on this

I'm still happy to get any help either by mail, IRC or in person at the PTG.

Thanks,
Gerg0





________________________________
From: Csatari, Gergely (Nokia - HU/Budapest)
Sent: Friday, August 31, 2018 1:03:43 PM
To: nick at stackhpc.com; knikolla at bu.edu; colleen at gazlene.net; mbuil at suse.com; edge-computing at lists.openstack.org
Subject: Status of Keystone federation testing with tempest


Hi,


I've been working on this for a while, but as I am not a big expert on IdP, Keystone or Tempest my progress is a bit slow. I decided to share what I did and what my current problems are to 1) inform the team about the progress, 2) keep a record for myself, and 3) hopefully get help and/or hints.


So I did this:

1) Get an Ubuntu

2) Install devstack with

enable_plugin keystone git://git.openstack.org/openstack/keystone
enable_service keystone-saml2-federation
Here I already ran into some package management issues due to a libcurl3 and libcurl4 incompatibility issue, which I solved using https://launchpad.net/~xapienz/+archive/ubuntu/curl34

3) Install the Keystone tempest plugin

4) Build a Shibboleth IdP container based on https://github.com/Unicon/shibboleth-idp-dockerized with the configuration I believe is correct. I have a feeling that we will need to set a proper organisation for this if we want to publish this to Docker Hub. By the way is there a container registry maintained in the OpenStack development infra?

5) Run the container and expose 8080, 4443 and 8443 ports

This is a half success. Shibboleth contacts Keystone (or actually the Shibboleth apache module) for metadata update, but it works only on the first attempt. The regular updates are not working for some reason.

Also I was not able to get a positive answer from the status script of Shibboleth itself, so I just decided to move a bit forward.

6) Set idp_url to https://localhost:8080/idp/profile/SAML2/SOAP/ECP in _request_unscoped_token inside the Keystone tempest plugin. Here I have no idea where the configuration is actually stored and where I should set this in a nice way.

7) Run the tempest tests. Now here I get an error message which tells me about SSL version numbers (handshake: Error([('SSL routines', 'ssl3_get_record', 'wrong version number')],)",),))). I tried to use different ssl versions with Curl, but it complains about the lack of support in libsso.


So here I am now.


Things I definitely should figure out:

   - Make this work 😉

   - Set the idp address in the correct place

   - Figure out how to start a Container in a Keystone plugin or a tempest plugin

   - Figure out how to integrate with CI


Any comments are welcome.

Br,
Gerg0


