If you’re using SAML 2.0 Enhanced Client or Proxy (ECP) with OpenStack Keystone, it may not be obvious how to use the mainstream OpenStack client to authenticate. The example RC file below will hopefully shed some light on how to get started. Comments/questions are welcome!
If you get an error such as "Missing value identity-provider-url required for auth plugin v3samlpassword", or if you do not see "v3samlpassword" listed under "--os-auth-type" when running "openstack --help", you need to install "lxml" into your available Python packages. You can do this using a package manager or using "pip install lxml".
```shell
export OS_AUTH_URL=https://cloud.example.org:13000/v3
export OS_REGION_NAME=RegionOne
# Endpoint information
export OS_IDENTITY_API_VERSION=3
export OS_INTERFACE=public

# Credentials
export OS_PASSWORD=__MYPASSWORD__
export OS_USERNAME=__MYUSERNAME__

# OpenStack domain/project information
export OS_PROJECT_DOMAIN_NAME=__MYDOMAIN__
export OS_PROJECT_NAME=__MYPROJECT__

##
# SAML 2.0 ECP information
##
export OS_AUTH_TYPE=v3samlpassword

# Federation Identity Provider (IdP) can be found using the following:
#   openstack identity provider list
export OS_IDENTITY_PROVIDER=__MYIDP__

# Federation protocol can be found using the following:
#   openstack federation protocol list --identity-provider "__MYIDP__"
export OS_PROTOCOL=__MYPROTOCOL__

# Example SimpleSAMLphp AssertionConsumerService (ACS) endpoint
export OS_IDENTITY_PROVIDER_URL=https://example.org/idp/saml2/idp/SSOService.php
```
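The following is an added example, not part of the original post: a small POSIX shell helper that checks an RC file for every variable the v3samlpassword plugin needs before you source it, and prints the equivalent explicit `openstack` command-line options (OpenStackClient maps each `OS_FOO_BAR` variable to a `--os-foo-bar` option). The sample RC file it writes is constructed from the placeholders above, with OS_PASSWORD deliberately left out so the credential is never stored on disk; the variable list and function names are this example's own assumptions, not anything from the post.

```shell
#!/bin/sh
# Added example: sanity-check a SAML 2.0 ECP RC file for OpenStackClient.
# All values written by write_sample_rc are constructed placeholders.

# Variables the v3samlpassword auth plugin needs (assumed list for this
# example). OS_PASSWORD is intentionally absent: set it interactively
# instead of keeping it in the file.
ECP_REQUIRED="OS_AUTH_URL OS_IDENTITY_API_VERSION OS_AUTH_TYPE OS_USERNAME \
OS_PROJECT_NAME OS_PROJECT_DOMAIN_NAME OS_IDENTITY_PROVIDER OS_PROTOCOL \
OS_IDENTITY_PROVIDER_URL"

# write_sample_rc FILE: write a constructed RC file mirroring the post's
# layout (no password line) so the helpers below can be tried offline.
write_sample_rc() {
    cat > "$1" <<'EOF'
# Constructed sample RC file: placeholder values, no password stored
export OS_AUTH_URL=https://cloud.example.org:13000/v3
export OS_REGION_NAME=RegionOne
export OS_IDENTITY_API_VERSION=3
export OS_INTERFACE=public
export OS_USERNAME=__MYUSERNAME__
export OS_PROJECT_DOMAIN_NAME=__MYDOMAIN__
export OS_PROJECT_NAME=__MYPROJECT__
export OS_AUTH_TYPE=v3samlpassword
export OS_IDENTITY_PROVIDER=__MYIDP__
export OS_PROTOCOL=__MYPROTOCOL__
export OS_IDENTITY_PROVIDER_URL=https://example.org/idp/saml2/idp/SSOService.php
EOF
}

# check_ecp_rc FILE: source FILE in a subshell (so the caller's environment
# is untouched) and report every required variable that is unset or empty.
# Returns 0 only when all are present and OS_AUTH_TYPE is v3samlpassword.
check_ecp_rc() {
    (
        . "$1" || exit 2
        missing=0
        for name in $ECP_REQUIRED; do
            eval "val=\${$name:-}"
            if [ -z "$val" ]; then
                echo "missing: $name" >&2
                missing=$((missing + 1))
            fi
        done
        if [ "${OS_AUTH_TYPE:-}" != "v3samlpassword" ]; then
            echo "OS_AUTH_TYPE is '${OS_AUTH_TYPE:-}', expected v3samlpassword" >&2
            missing=$((missing + 1))
        fi
        [ "$missing" -eq 0 ]
    )
}

# ecp_cli_flags FILE: print the openstack CLI options equivalent to the
# exported variables (OS_FOO_BAR becomes --os-foo-bar), one line, space
# separated, so the same settings can be passed explicitly on the command line.
ecp_cli_flags() {
    (
        . "$1" || exit 2
        out=""
        for name in $ECP_REQUIRED; do
            eval "val=\${$name:-}"
            [ -n "$val" ] || continue
            flag=$(printf '%s' "$name" | tr 'A-Z_' 'a-z-')
            out="$out --$flag $val"
        done
        printf '%s\n' "${out# }"
    )
}

# check_lxml: the v3samlpassword plugin only appears when lxml is importable.
check_lxml() {
    python3 -c 'import lxml' 2>/dev/null
}
```

Typical use: `write_sample_rc ~/ecp-openrc.sh` (or edit the post's file), then `check_ecp_rc ~/ecp-openrc.sh && . ~/ecp-openrc.sh`, and supply OS_PASSWORD from a prompt (for example `stty -echo; read -r OS_PASSWORD; stty echo; export OS_PASSWORD`) rather than from the file. `ecp_cli_flags` is handy when you want a one-off `openstack token issue` with all ECP options visible on the command line instead of inherited from the environment.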