[keystone] adfs SingleSignOn with CLI/API?
thanks for the fast answers.
I asked our ADFS Administrators if they could provide some logs to see
whats going wrong, but they are unable to deliver these.
So I installed keycloak and switched to OpenID Connect.
Im (again) able to connect via Horizon SSO, but when I try to use
v3oidcpassword in the CLI Im running into
I already added the suggested --os-client-secret without luck.
Updating to latest python-versions..
pip install -U python-keystoneclient
pip install -U python-openstackclient
didnt change anything.
Any ideas what to try next?
is right. I had to change the RedirectURI to geht OpenIDConnect working
with Keystone. The sample config of
is *not working for me*
Am 11.02.19 um 17:18 schrieb Colleen Murphy:
> Forwarding back to list
> On Mon, Feb 11, 2019, at 5:11 PM, Blake Covarrubias wrote:
>>> On Feb 11, 2019, at 6:19 AM, Colleen Murphy <colleen at gazlene.net> wrote:
>>> Hi Fabian,
>>> On Mon, Feb 11, 2019, at 12:58 PM, Fabian Zimmermann wrote:
>>>> Im currently trying to implement some way to do a SSO against our
>>>> ActiveDirectory. I already tried SAMLv2 and OpenID Connect.
>>>> Im able to sign in via Horizon, but im unable to find a working way on cli.
>>>> Already tried v3adfspassword and v3oidcpassword, but im unable to get
>>>> them working.
>>>> Any hints / links / docs where to find more information?
>>>> Anyone using this kind of setup and willing to share KnowHow?
>>>> Thanks a lot,
>>>> Fabian Zimmermann
>>> We have an example of authenticating with the CLI here:
>>> That only covers the regular SAML2.0 ECP type of authentication, which I guess won't work with ADFS, and we seem to have zero ADFS-specific documentation.
>>> From the keystoneauth plugin code, it looks like you need to set identity-provider-url, service-provider-endpoint, service-provider-entity-id, username, password, identity-provider, and protocol (I'm getting that from the loader classes). Is that the information you're looking for, or can you give more details on what specifically isn't working?
>>>  http://git.openstack.org/cgit/openstack/keystoneauth/tree/keystoneauth1/loading/identity.py#n104
>>>  http://git.openstack.org/cgit/openstack/keystoneauth/tree/keystoneauth1/extras/_saml2/_loading.py#n45
>> To add a bit more info, the AD FS plugin essentially uses IdP-initiated
>> sign-on. The identity provider URL is where the initial authentication
>> request to AD FS will be sent. An example of this would be
>> <https://hostname/adfs/services/trust/13/usernamemixed>. The service
>> providerâ??s entity ID must also be sent in the request so that AD FS
>> knows which Relying Party Trust to associate with the request.
>> AD FS will provide a SAML assertion upon successful authentication. The
>> service provider endpoint is the URL of the Assertion Consumer Service.
>> If youâ??re using Shibboleth on the SP, this would be
>> Note: The service-provider-entity-id can be omitted if it is the same
>> value as the service-provider-endpoint (or Assertion Consumer Service
>> Hope this helps.
>> Blake Covarrubias