yahoo-eng-team team mailing list archive
Message #74837
[Bug 1793845] [NEW] Federation Protocol saml2 fails on Rocky
Public bug reported:
In previous releases when setting up federation one could do the
following:
openstack federation protocol create saml2 --mapping mymapping --identity-provider myidp
Then in the keystone.conf you could add:
[auth]
methods = password,token,saml2
saml2 = keystone.auth.plugins.mapped.Mapped
That is not the case on Rocky. This will give you a 500 with the following error:
stevedore.named [-] Could not load keystone.auth.plugins.mapped.Mapped
To work around this issue I had to delete my mapping called "saml2",
remake it naming it "mapped", then update horizon and apache configs
accordingly. Then in the keystone.conf file I had to remove the
"methods" line and the "saml2" line. Once I restarted apache,
Federation worked as expected.
I'm not sure if this is a bug or if the way I was doing it before was
hanging around as legacy from when "saml2" had been removed, but I
couldn't find anything release-notes-wise about the change, and the docs
examples still reference "saml2"...
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1793845
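A pre-upgrade check for the configuration pattern in this report, as an added example that is not part of the original message and is not keystone project code: it scans the [auth] section of a keystone.conf for per-method options whose value is a dotted Python class path, like the "saml2" line above. The function name, the regular expression and the sample text are assumptions made for illustration; whether such a value is what stevedore fails on is not confirmed by the report.

```python
import configparser
import re

# Constructed sample: the [auth] section quoted in the bug report.
SAMPLE_CONF = """\
[auth]
methods = password,token,saml2
saml2 = keystone.auth.plugins.mapped.Mapped
"""

# Heuristic (assumption): a dotted module path whose last segment is a
# capitalised class name, e.g. keystone.auth.plugins.mapped.Mapped.
CLASS_PATH = re.compile(r"^[a-z_]\w*(\.[a-z_]\w*)*\.[A-Z]\w*$")


def audit_auth_section(conf_text):
    """Return one finding per [auth] option that holds a class path.

    Each finding records the option name, its value, and whether the
    option is also listed in `methods` (i.e. actually enabled).
    """
    parser = configparser.ConfigParser(
        interpolation=None,           # keep '%' in values literal
        strict=False,                 # tolerate repeated options
        default_section="__unused__"  # treat [DEFAULT] as a plain section
    )
    parser.read_string(conf_text)
    if not parser.has_section("auth"):
        return []
    auth = parser["auth"]
    enabled = {m.strip() for m in auth.get("methods", "").split(",") if m.strip()}
    findings = []
    for option, value in auth.items():
        value = value.strip()
        if option == "methods" or not CLASS_PATH.match(value):
            continue
        findings.append(
            {"option": option, "value": value, "enabled": option in enabled}
        )
    return findings


if __name__ == "__main__":
    for finding in audit_auth_section(SAMPLE_CONF):
        state = "enabled" if finding["enabled"] else "not in methods"
        print(f"[auth] {finding['option']} = {finding['value']} ({state})")
```

Running it against each keystone.conf before moving to Rocky lists the lines to review alongside the federation protocol names in use.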