If you're using SAML 2.0 Enhanced Client or Proxy (ECP) with OpenStack Keystone, it may not be obvious how to authenticate with the standard unified OpenStack client (the "openstack" command from python-openstackclient). The example RC file below will hopefully shed some light on how to get started. Comments/questions are welcome!

If you get an error such as "Missing value identity-provider-url required for auth plugin v3samlpassword", or if "v3samlpassword" is not listed among the "--os-auth-type" choices when you run "openstack --help", the SAML 2.0 support in keystoneauth1 is missing its "lxml" dependency and the plugin is silently unavailable. Install lxml with your package manager, with "pip install lxml", or with "pip install 'keystoneauth1[saml2]'" (the extra that pulls lxml in), then check "openstack --help" again.

export OS_AUTH_URL=https://cloud.example.org:13000/v3
export OS_REGION_NAME=RegionOne

# Endpoint information
export OS_IDENTITY_API_VERSION=3
export OS_INTERFACE=public

# Credentials
# Avoid keeping the password in clear text in this file: either leave
# OS_PASSWORD unset so the client prompts for it, or set it at the time
# you source the file (for example from a secret store or "read -rs").
export OS_PASSWORD=__MYPASSWORD__
export OS_USERNAME=__MYUSERNAME__

# OpenStack domain/project information
export OS_PROJECT_DOMAIN_NAME=__MYDOMAIN__
export OS_PROJECT_NAME=__MYPROJECT__
##
# SAML 2.0 ECP information
##
export OS_AUTH_TYPE=v3samlpassword

# Federation Identity Provider (IdP) can be found using the following:
# openstack identity provider list
export OS_IDENTITY_PROVIDER=__MYIDP__

# Federation protocol can be found using the following:
# openstack federation protocol list --identity-provider "__MYIDP__"
export OS_PROTOCOL=__MYPROTOCOL__

# The IdP's ECP endpoint: its SingleSignOnService for the SOAP binding
# (not an AssertionConsumerService, which belongs to the SP side).
# Take it from the IdP metadata; SimpleSAMLphp serves it from the same
# URL as its other SSO bindings, for example:
export OS_IDENTITY_PROVIDER_URL=https://example.org/idp/saml2/idp/SSOService.php
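To see what the client does with these variables once the RC file is sourced, here is an added example (not code from python-openstackclient or keystoneauth1) that walks the client side of the ECP exchange against constructed SOAP envelopes, including the consumer-URL check the ECP profile requires before the assertion is handed to the SP. The host names, the Shibboleth SP path and the RelayState value are assumptions.

```python
"""Client side of the SAML 2.0 ECP exchange, with the consumer-URL check.

Added example, not code from python-openstackclient or keystoneauth1.
Constructed SOAP envelopes stand in for a live Keystone service provider
(SP) and IdP; hostnames, paths and RelayState values are assumptions.
"""
import xml.etree.ElementTree as ET

NS = {
    "S": "http://schemas.xmlsoap.org/soap/envelope/",
    "paos": "urn:liberty:paos:2003-08",
    "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
for _prefix, _uri in NS.items():  # keep readable prefixes when serialising
    ET.register_namespace(_prefix, _uri)

SOAP_ACTOR = "http://schemas.xmlsoap.org/soap/actor/next"

# Step 1: headers the client sends to the SP's federated auth URL
# (OS_AUTH_URL + /OS-FEDERATION/identity_providers/<idp>/protocols/<proto>/auth)
# to ask for a PAOS-encoded AuthnRequest instead of a browser redirect.
PAOS_REQUEST_HEADERS = {
    "Accept": "text/html, application/vnd.paos+xml",
    "PAOS": 'ver="urn:liberty:paos:2003-08";'
            '"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"',
}

# Step 2 (constructed): the SP's PAOS reply. It names the URL it wants the
# IdP's answer posted to (responseConsumerURL) and a RelayState to echo back.
SP_PAOS_RESPONSE = b"""<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:paos="urn:liberty:paos:2003-08"
    xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <S:Header>
    <paos:Request S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next"
        service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
        responseConsumerURL="https://cloud.example.org:13000/Shibboleth.sso/SAML2/ECP"/>
    <ecp:RelayState S:mustUnderstand="1" S:actor="http://schemas.xmlsoap.org/soap/actor/next">ss:mem:1f3a</ecp:RelayState>
  </S:Header>
  <S:Body>
    <samlp:AuthnRequest ID="_req1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"/>
  </S:Body>
</S:Envelope>"""


def idp_ecp_response(acs_url: str) -> bytes:
    """Step 4 (constructed): the IdP's reply after the client POSTed the
    AuthnRequest to OS_IDENTITY_PROVIDER_URL with HTTP Basic credentials.
    The assertion body is reduced to a Status element for brevity."""
    return f"""<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <S:Header>
    <ecp:Response S:mustUnderstand="1" S:actor="{SOAP_ACTOR}"
        AssertionConsumerServiceURL="{acs_url}"/>
  </S:Header>
  <S:Body>
    <samlp:Response ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:01Z">
      <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
    </samlp:Response>
  </S:Body>
</S:Envelope>""".encode()


class ConsumerURLMismatch(Exception):
    """IdP's AssertionConsumerServiceURL != SP's responseConsumerURL."""


def parse_sp_paos_response(envelope: bytes) -> dict:
    """Pull responseConsumerURL and RelayState out of the SP's PAOS reply."""
    root = ET.fromstring(envelope)
    req = root.find("S:Header/paos:Request", NS)
    relay = root.find("S:Header/ecp:RelayState", NS)
    if req is None or relay is None or not req.get("responseConsumerURL"):
        raise ValueError("SP reply is not a PAOS/ECP envelope")
    return {"response_consumer_url": req.get("responseConsumerURL"),
            "relay_state": relay.text}


def soap_fault(reason: str) -> bytes:
    """SOAP 1.1 fault the client sends to the SP instead of the assertion."""
    env = ET.Element(f"{{{NS['S']}}}Envelope")
    fault = ET.SubElement(ET.SubElement(env, f"{{{NS['S']}}}Body"),
                          f"{{{NS['S']}}}Fault")
    ET.SubElement(fault, "faultcode").text = "S:Server"
    ET.SubElement(fault, "faultstring").text = reason
    return ET.tostring(env)


def build_sp_message(idp_envelope: bytes, sp_info: dict) -> bytes:
    """Step 5: turn the IdP's reply into the envelope POSTed to the SP.

    The ECP profile requires the client to compare the IdP's
    AssertionConsumerServiceURL with the SP's responseConsumerURL and to
    refuse to forward the assertion on mismatch; otherwise a tampered IdP
    reply could steer the assertion to a URL the SP never asked for.
    """
    root = ET.fromstring(idp_envelope)
    header = root.find("S:Header", NS)
    ecp_resp = root.find("S:Header/ecp:Response", NS)
    if header is None or ecp_resp is None:
        raise ValueError("IdP reply carries no ecp:Response header")
    acs_url = ecp_resp.get("AssertionConsumerServiceURL")
    if acs_url != sp_info["response_consumer_url"]:
        raise ConsumerURLMismatch(
            f"IdP wants {acs_url!r}, SP asked for "
            f"{sp_info['response_consumer_url']!r}")
    # Drop the ecp:Response header and echo the SP's RelayState instead.
    header.remove(ecp_resp)
    relay = ET.SubElement(header, f"{{{NS['ecp']}}}RelayState")
    relay.set(f"{{{NS['S']}}}mustUnderstand", "1")
    relay.set(f"{{{NS['S']}}}actor", SOAP_ACTOR)
    relay.text = sp_info["relay_state"]
    return ET.tostring(root)


def ecp_exchange(sp_envelope: bytes, idp_envelope: bytes) -> tuple:
    """Decide what the client POSTs (Content-Type: application/vnd.paos+xml)
    to the SP's responseConsumerURL: ("assertion", body) on success,
    ("fault", body) when the consumer URLs disagree."""
    sp_info = parse_sp_paos_response(sp_envelope)
    try:
        return "assertion", build_sp_message(idp_envelope, sp_info)
    except ConsumerURLMismatch as exc:
        return "fault", soap_fault(str(exc))


if __name__ == "__main__":
    good = idp_ecp_response("https://cloud.example.org:13000/Shibboleth.sso/SAML2/ECP")
    bad = idp_ecp_response("https://attacker.example.net/SAML2/ECP")
    for label, reply in (("good", good), ("bad", bad)):
        kind, body = ecp_exchange(SP_PAOS_RESPONSE, reply)
        print(label, "->", kind)
        print(body.decode())
```

Once the RC file is sourced, "openstack token issue" exercises the real exchange end to end: the client sends the PAOS request to the Keystone federated auth URL for your OS_IDENTITY_PROVIDER and OS_PROTOCOL, posts the AuthnRequest to OS_IDENTITY_PROVIDER_URL with OS_USERNAME/OS_PASSWORD as HTTP Basic credentials, forwards the assertion to the SP, and scopes the resulting unscoped token to OS_PROJECT_NAME. Because the password travels to the IdP in Basic auth, OS_IDENTITY_PROVIDER_URL must be an https URL whose certificate the client verifies.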
