3 Replies Latest reply on Jun 27, 2019 6:44 AM by jet1981

    Integrated Openstack SAML2 integration

    Kassav06 Lurker

      viocli identity configure fails with SAML2 identity provider

      We are planning to use a Keycloak IDP for VIO 5.0 federation.

      Your web page doesn't have any examples of the mapping rules & attribute mapping files which are needed with 'viocli federation identity-provider add'.

      https://docs.vmware.com/en/VMware-Integrated-OpenStack/5.0/com.vmware.openstack.admin.doc/GUID-8189630B-5985-4428-B1A8-ECA686FA7346.html

      Are there any workarounds or any examples?

      Thank you

        • 1. Re: Integrated Openstack SAML2 integration
          jet1981 Novice

          I am having this same issue. We are trying to federate with an ADFS server but have no examples of these mapping files that it is asking for. If you get any resolution, please let us know!

          • 2. Re: Integrated Openstack SAML2 integration
            rpellet Enthusiast
            VMware Employees

            The product documentation has been updated.  If you go to that link again you will see the latest updates.

            • 3. Re: Integrated Openstack SAML2 integration
              jet1981 Novice

              Were you able to get this working? When I follow the new instructions, I get the below error on this task: TASK [keystone : configure keystone for additonal domains and groups]

               

              FAILED! => {"changed": false, "failed": true, "module_stderr": "/usr/lib/python2.7/dist-packages/urllib3/connectionpool.py:860: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings\n  InsecureRequestWarning)\n/usr/lib/python2.7/dist-packages/urllib3/connectionpool.py:860: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings\n  InsecureRequestWarning)\nTraceback (most recent call last):\n  File \"/tmp/ansible_9K1pnr/ansible_module_keystone_config.py\", line 565, in <module>\n    main()\n  File \"/tmp/ansible_9K1pnr/ansible_module_keystone_config.py\", line 549, in main\n    **auth)\n  File \"/tmp/ansible_9K1pnr/ansible_module_keystone_config.py\", line 112, in authenticate\n    region_name=region_name)\n  File \"/usr/lib/python2.7/dist-packages/keystoneclient/client.py\", line 62, in Client\n    d = discover.Discover(session=session, **kwargs)\n  File \"/usr/lib/python2.7/dist-packages/keystoneclient/discover.py\", line 178, in __init__\n    authenticated=authenticated)\n  File \"/usr/lib/python2.7/dist-packages/keystoneclient/_discover.py\", line 143, in __init__\n    authenticated=authenticated)\n  File \"/usr/lib/python2.7/dist-packages/keystoneclient/_discover.py\", line 38, in get_version_data\n    resp = session.get(url, headers=headers, authenticated=authenticated)\n  File \"/usr/lib/python2.7/dist-packages/keystoneauth1/session.py\", line 840, in get\n    return self.request(url, 'GET', **kwargs)\n  File \"/usr/lib/python2.7/dist-packages/keystoneauth1/session.py\", line 573, in request\n    auth_headers = self.get_auth_headers(auth)\n  File \"/usr/lib/python2.7/dist-packages/keystoneauth1/session.py\", line 900, in get_auth_headers\n    return auth.get_headers(self, **kwargs)\n  File \"/usr/lib/python2.7/dist-packages/keystoneauth1/plugin.py\", line 95, in get_headers\n    token = self.get_token(session)\n  File \"/usr/lib/python2.7/dist-packages/keystoneauth1/identity/base.py\", line 88, in get_token\n    return self.get_access(session).auth_token\n  File \"/usr/lib/python2.7/dist-packages/keystoneauth1/identity/base.py\", line 134, in get_access\n    self.auth_ref = self.get_auth_ref(session)\n  File \"/usr/lib/python2.7/dist-packages/keystoneauth1/identity/generic/base.py\", line 201, in get_auth_ref\n    return self._plugin.get_auth_ref(session, **kwargs)\n  File \"/usr/lib/python2.7/dist-packages/keystoneauth1/identity/v3/base.py\", line 177, in get_auth_ref\n    authenticated=False, log=False, **rkwargs)\n  File \"/usr/lib/python2.7/dist-packages/keystoneauth1/session.py\", line 848, in post\n    return self.request(url, 'POST', **kwargs)\n  File \"/usr/lib/python2.7/dist-packages/keystoneauth1/session.py\", line 737, in request\n    raise exceptions.from_response(resp, method, url)\nkeystoneauth1.exceptions.http.Unauthorized: The request you have made requires authentication. (HTTP 401) (Request-ID: req-82ddf38d-427a-48d6-b37f-fd720d4b843b)\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 1}

               

              I am having the domain mapped to the current Default domain which is already set up with admin accounts and roles. I don't want to have a second domain unless it's required for federation?

              Anyone else run into this?

              Thank you!