If you’re using SAML 2.0 Enhanced Client or Proxy (ECP) with OpenStack Keystone, it may not be obvious how to use the mainstream OpenStack client to authenticate. The example RC file below will hopefully shed some light on how to get started. Comments/questions are welcome!
If you get an error such as “Missing value identity-provider-url required for auth plugin v3samlpassword”, or if you do not see “v3samlpassword” listed under “--os-auth-type” when running “openstack --help”, you need to install the “lxml” Python package. You can do this using a package manager or using “pip install lxml”.
<pre style='color:#000000;background:#ffffff;'>export OS_AUTH_URL=https://cloud.example.org:13000/v3
export OS_REGION_NAME=RegionOne

# Endpoint information
export OS_IDENTITY_API_VERSION=3
export OS_INTERFACE=public

# Credentials
export OS_PASSWORD=__MYPASSWORD__
export OS_USERNAME=__MYUSERNAME__

# OpenStack domain/project information
export OS_PROJECT_DOMAIN_NAME=__MYDOMAIN__
export OS_PROJECT_NAME=__MYPROJECT__

##
# SAML 2.0 ECP information
##
export OS_AUTH_TYPE=v3samlpassword

# Federation Identity Provider (IdP) can be found using the following:
# openstack identity provider list
export OS_IDENTITY_PROVIDER=__MYIDP__

# Federation protocol can be found using the following:
# openstack federation protocol list --identity-provider "__MYIDP__"
export OS_PROTOCOL=__MYPROTOCOL__

# Example SimpleSAMLphp AssertionConsumerService (ACS) endpoint
export OS_IDENTITY_PROVIDER_URL=https://example.org/idp/saml2/idp/SSOService.php
</pre>
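Because the RC file above keeps OS_PASSWORD in clear text, one option is to drop that line and prompt for it, then confirm no placeholders remain before calling the client. The shell helpers below are an added example, not part of the original post; the function names and the ecp-rc.sh file name are hypothetical.

```shell
#!/bin/sh
# Added example; ecp-rc.sh and both function names are hypothetical.
# Usage: . ./ecp-rc.sh && prompt_os_password && check_ecp_env

# Ask for the password when the RC file left it unset or as a placeholder.
prompt_os_password() {
    case "${OS_PASSWORD-}" in
        ""|__*__) ;;
        *) return 0 ;;
    esac
    printf 'Password for %s: ' "${OS_USERNAME-}" >&2
    stty -echo 2>/dev/null || true   # no terminal (e.g. piped input) is fine
    IFS= read -r OS_PASSWORD
    stty echo 2>/dev/null || true
    printf '\n' >&2
    export OS_PASSWORD
}

# Returns the number of problems found (0 means ready to authenticate).
check_ecp_env() {
    problems=0
    for name in OS_AUTH_URL OS_IDENTITY_API_VERSION OS_USERNAME \
                OS_PROJECT_DOMAIN_NAME OS_PROJECT_NAME OS_AUTH_TYPE \
                OS_IDENTITY_PROVIDER OS_PROTOCOL OS_IDENTITY_PROVIDER_URL; do
        eval "value=\${$name-}"   # names come only from the fixed list above
        case "$value" in
            "")    echo "$name is not set" >&2; problems=$((problems + 1)) ;;
            __*__) echo "$name still holds a placeholder" >&2
                   problems=$((problems + 1)) ;;
        esac
    done
    # Credentials go to the IdP URL and tokens come back from Keystone,
    # so require TLS on both endpoints.
    for name in OS_AUTH_URL OS_IDENTITY_PROVIDER_URL; do
        eval "value=\${$name-}"
        case "$value" in
            https://*|"") ;;   # an empty value was already counted above
            *) echo "$name is not an https:// URL" >&2
               problems=$((problems + 1)) ;;
        esac
    done
    if [ -n "${OS_AUTH_TYPE-}" ] && [ "$OS_AUTH_TYPE" != "v3samlpassword" ]; then
        echo "OS_AUTH_TYPE is not v3samlpassword" >&2
        problems=$((problems + 1))
    fi
    return "$problems"
}
```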