[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[keystone] adfs SingleSignOn with CLI/API?


thanks for the fast answers.

I asked our ADFS Administrators if they could provide some logs to see 
whats going wrong, but they are unable to deliver these.

So I installed keycloak and switched to OpenID Connect.

Im (again) able to connect via Horizon SSO, but when I try to use 
v3oidcpassword in the CLI Im running into

I already added the suggested --os-client-secret without luck.
Updating to latest python-versions..

pip install -U python-keystoneclient
pip install -U python-openstackclient

didnt change anything.

Any ideas what to try next?


Seems like!topic/mod_auth_openidc/qGE1DGQCTMY

is right. I had to change the RedirectURI to geht OpenIDConnect working 
with Keystone. The sample config of

is *not working for me*


Am 11.02.19 um 17:18 schrieb Colleen Murphy:
> Forwarding back to list
> On Mon, Feb 11, 2019, at 5:11 PM, Blake Covarrubias wrote:
>>> On Feb 11, 2019, at 6:19 AM, Colleen Murphy <colleen at> wrote:
>>> Hi Fabian,
>>> On Mon, Feb 11, 2019, at 12:58 PM, Fabian Zimmermann wrote:
>>>> Hi,
>>>> Im currently trying to implement some way to do a SSO against our
>>>> ActiveDirectory. I already tried SAMLv2 and OpenID Connect.
>>>> Im able to sign in via Horizon, but im unable to find a working way on cli.
>>>> Already tried v3adfspassword and v3oidcpassword, but im unable to get
>>>> them working.
>>>> Any hints / links / docs where to find more information?
>>>> Anyone using this kind of setup and willing to share KnowHow?
>>>> Thanks a lot,
>>>> Fabian Zimmermann
>>> We have an example of authenticating with the CLI here:
>>> That only covers the regular SAML2.0 ECP type of authentication, which I guess won't work with ADFS, and we seem to have zero ADFS-specific documentation.
>>>  From the keystoneauth plugin code, it looks like you need to set identity-provider-url, service-provider-endpoint, service-provider-entity-id, username, password, identity-provider, and protocol (I'm getting that from the loader classes[1][2]). Is that the information you're looking for, or can you give more details on what specifically isn't working?
>>> Colleen
>>> [1]
>>> [2]
>> Fabian,
>> To add a bit more info, the AD FS plugin essentially uses IdP-initiated
>> sign-on. The identity provider URL is where the initial authentication
>> request to AD FS will be sent. An example of this would be
>> https://HOSTNAME/adfs/services/trust/13/usernamemixed
>> <https://hostname/adfs/services/trust/13/usernamemixed>. The service
>> providerâ??s entity ID must also be sent in the request so that AD FS
>> knows which Relying Party Trust to associate with the request.
>> AD FS will provide a SAML assertion upon successful authentication. The
>> service provider endpoint is the URL of the Assertion Consumer Service.
>> If youâ??re using Shibboleth on the SP, this would be
>> https://HOSTNAME/Shibboleth.sso/ADFS
>> <https://hostname/Shibboleth.sso/ADFS>.
>> Note: The service-provider-entity-id can be omitted if it is the same
>> value as the service-provider-endpoint (or Assertion Consumer Service
>> URL).
>> Hope this helps.
>> â??
>> Blake Covarrubias