Contributor

Integrated OpenStack SAML2 integration

viocli identity configure fails with SAML2 identity provider

We are planning to use Keycloak IDP for VIO 5.0 federation.

Your web page doesn't have any example of the mapping rules & attribute mapping files which are needed with 'viocli federation identity-provider add'

https://docs.vmware.com/en/VMware-Integrated-OpenStack/5.0/com.vmware.openstack.admin.doc/GUID-81896...

Are there any workaround jobs or any examples?

Thank you

Contributor

I am having this same issue. We are trying to federate with an ADFS server but have no examples of these mapping files that it is asking for. If you get any resolution, please let us know!

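Since both the original post and the reply above ask what the mapping rules file for 'viocli federation identity-provider add' looks like, here is an added example (not from the VMware documentation or from anyone in this thread): a Keystone-style federation mapping rules document plus a small Python checker that applies it to SAML assertion attributes in the simplified way Keystone's mapping engine does. The group id, the attribute names ("email", "groups") and the "Default" domain are assumed placeholders to be replaced with values from your own IdP (Keycloak, ADFS) and cloud.

```python
import json
import re

# Constructed sample of a Keystone-style federation mapping rules file, the
# kind of file 'viocli federation identity-provider add' asks for. The group
# id and attribute names are placeholders; adapt them to the IdP in use.
MAPPING_RULES = json.loads("""
[{"local": [{"user": {"name": "{0}", "domain": {"name": "Default"}}},
            {"group": {"id": "PLACEHOLDER_GROUP_ID"}}],
  "remote": [{"type": "email"},
             {"type": "groups", "any_one_of": ["cloud-admins"]}]}]
""")

def _matches(remote, attrs):
    """True if one 'remote' entry accepts the assertion attributes."""
    values = attrs.get(remote["type"], [])
    if remote.get("regex"):
        test = lambda p, v: re.match(p, v) is not None
    else:
        test = lambda p, v: p == v
    if "any_one_of" in remote:
        return any(test(p, v) for p in remote["any_one_of"] for v in values)
    if "not_any_of" in remote:
        return not any(test(p, v) for p in remote["not_any_of"] for v in values)
    return bool(values)  # plain attribute entry: must simply be present

def map_assertion(rules, attrs):
    """Apply mapping rules to SAML attributes ({name: [values]}).

    Returns the 'local' entries of the first matching rule, with {0}, {1}, ...
    filled from the plain (non-filter) remote entries in order, or None when
    no rule matches (Keystone then refuses the federated login).
    """
    for rule in rules:
        if not all(_matches(r, attrs) for r in rule["remote"]):
            continue
        direct = [attrs[r["type"]][0] for r in rule["remote"]
                  if "any_one_of" not in r and "not_any_of" not in r]
        rendered = json.dumps(rule["local"])
        for i, value in enumerate(direct):
            # JSON-escape the attribute value before splicing it into the template
            rendered = rendered.replace("{%d}" % i, json.dumps(value)[1:-1])
        return json.loads(rendered)
    return None

if __name__ == "__main__":
    # Constructed assertion attributes, as a SAML SP (e.g. Shibboleth) exposes them
    print(map_assertion(MAPPING_RULES, {"email": ["alice@example.com"], "groups": ["cloud-admins"]}))
    print(map_assertion(MAPPING_RULES, {"email": ["bob@example.com"], "groups": ["users"]}))
```

Running the checker against a few assertions before loading the file is a cheap way to confirm that only the intended group members land in the admin group and that users missing the required attribute are rejected rather than mapped to an empty name.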
VMware Employee

The product documentation has been updated.  If you go to that link again you will see the latest updates.

Contributor

Were you able to get this working? When I follow the new instructions I get the below error on this task: TASK [keystone : configure keystone for additonal domains and groups]

FAILED! => {"changed": false, "failed": true, "module_stderr": "/usr/lib/python2.7/dist-packages/urllib3/connectionpool.py:860: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings\n  InsecureRequestWarning)\n/usr/lib/python2.7/dist-packages/urllib3/connectionpool.py:860: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings\n  InsecureRequestWarning)\nTraceback (most recent call last):\n  File \"/tmp/ansible_9K1pnr/ansible_module_keystone_config.py\", line 565, in <module>\n    main()\n  File \"/tmp/ansible_9K1pnr/ansible_module_keystone_config.py\", line 549, in main\n    **auth)\n  File \"/tmp/ansible_9K1pnr/ansible_module_keystone_config.py\", line 112, in authenticate\n    region_name=region_name)\n  File \"/usr/lib/python2.7/dist-packages/keystoneclient/client.py\", line 62, in Client\n    d = discover.Discover(session=session, **kwargs)\n  File \"/usr/lib/python2.7/dist-packages/keystoneclient/discover.py\", line 178, in __init__\n    authenticated=authenticated)\n  File \"/usr/lib/python2.7/dist-packages/keystoneclient/_discover.py\", line 143, in __init__\n    authenticated=authenticated)\n  File \"/usr/lib/python2.7/dist-packages/keystoneclient/_discover.py\", line 38, in get_version_data\n    resp = session.get(url, headers=headers, authenticated=authenticated)\n  File \"/usr/lib/python2.7/dist-packages/keystoneauth1/session.py\", line 840, in get\n    return self.request(url, 'GET', **kwargs)\n  File \"/usr/lib/python2.7/dist-packages/keystoneauth1/session.py\", line 573, in request\n    auth_headers = self.get_auth_headers(auth)\n  File \"/usr/lib/python2.7/dist-packages/keystoneauth1/session.py\", line 900, in get_auth_headers\n    return auth.get_headers(self, **kwargs)\n  File \"/usr/lib/python2.7/dist-packages/keystoneauth1/plugin.py\", line 95, in get_headers\n    token = self.get_token(session)\n  File \"/usr/lib/python2.7/dist-packages/keystoneauth1/identity/base.py\", line 88, in get_token\n    return self.get_access(session).auth_token\n  File \"/usr/lib/python2.7/dist-packages/keystoneauth1/identity/base.py\", line 134, in get_access\n    self.auth_ref = self.get_auth_ref(session)\n  File \"/usr/lib/python2.7/dist-packages/keystoneauth1/identity/generic/base.py\", line 201, in get_auth_ref\n    return self._plugin.get_auth_ref(session, **kwargs)\n  File \"/usr/lib/python2.7/dist-packages/keystoneauth1/identity/v3/base.py\", line 177, in get_auth_ref\n    authenticated=False, log=False, **rkwargs)\n  File \"/usr/lib/python2.7/dist-packages/keystoneauth1/session.py\", line 848, in post\n    return self.request(url, 'POST', **kwargs)\n  File \"/usr/lib/python2.7/dist-packages/keystoneauth1/session.py\", line 737, in request\n    raise exceptions.from_response(resp, method, url)\nkeystoneauth1.exceptions.http.Unauthorized: The request you have made requires authentication. (HTTP 401) (Request-ID: req-82ddf38d-427a-48d6-b37f-fd720d4b843b)\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 1}

I am having the domain mapped to the current Default domain which is already set up with admin accounts and roles. I don't want to have a second domain unless it's required for federation?

Anyone else run into this?

Thank you!
