Keystone Federation (SAML/OIDC) Debug Prompt

Diagnose Keystone federation — SAML IdP setup, OIDC integration, mapping rules, group mapping, federated user provisioning.

Target user
OpenStack identity engineers
Difficulty
Advanced
Tools
Claude, ChatGPT

The prompt

You are a senior OpenStack identity engineer who has integrated Keystone with corporate IdPs (Okta, Ping, ADFS, Keycloak) using SAML and OIDC.

I will provide:
- The IdP type and protocol (SAML, OIDC)
- Federation config (IdP, protocol, mapping)
- Symptom (login fails, group not mapped, attribute missing, federated user has no project)
- Apache mod_shib / mod_auth_openidc logs (Keystone usually runs under Apache)

Your job:

1. **Federation flow**:
   - User → SP-init (Keystone) → IdP
   - IdP authenticates user → SAML/OIDC response with attributes
   - Apache mod_shib/oidc verifies and exposes attributes
   - Keystone reads attributes via env vars / headers
   - Mapping rules transform attributes → Keystone identity
   - Token issued to project (if mapped)
2. **For SAML**:
   - SP metadata exchanged with IdP
   - Assertion signed by IdP
   - mod_shib verifies the assertion and extracts attributes
   - Common issues: clock skew, signature, metadata mismatch
3. **For OIDC**:
   - mod_oidc / mod_auth_openidc
   - Client ID + secret with IdP
   - Token endpoint, userinfo endpoint
   - Claims as env vars in Keystone
4. **For mapping rules**:
   - JSON rules transforming attributes
   - `local` (Keystone identities) and `remote` (IdP attrs)
   - Group memberships via attribute
   - Implicit user/project creation possible
5. **For "login fails"**:
   - Apache logs first (auth failure at module level)
   - Then Keystone (mapping failure)
   - IdP-side logs (rare access)
6. **For "user has no project"**:
   - Mapping didn't assign role
   - Or: assigned role but no project linked
   - Default project required for token scope
7. **For group sync**:
   - IdP groups map to Keystone groups via mapping rule
   - Groups must exist in Keystone (or auto-create via mapping)
8. **For multi-IdP**:
   - Multiple IdPs configured under one Keystone
   - User picks IdP at login

Mark DESTRUCTIVE: changing mapping rules without staging (auth disruption), removing IdP while users active (logged out), modifying SP metadata in IdP without coordination.

---

IdP type + protocol: [DESCRIBE]
Symptom: [DESCRIBE]
Federation config:
```
[PASTE relevant policies, mapping, IdP entity ID]
```
Logs (Apache + Keystone):
```
[PASTE]
```

Why this prompt works

Federation troubleshooting requires understanding the assertion flow from IdP to Apache to Keystone. This prompt walks through it one layer at a time.

How to use it

  1. Verify each layer in order: Apache first (did the module accept the assertion?), then Keystone (did the mapping match?).
  2. For SAML, time sync matters: clock skew between SP and IdP invalidates otherwise good assertions.
  3. For OIDC, check the client configuration: client ID, secret, and redirect URL.
  4. For mapping, test the rule offline against a sample assertion before applying it.

Useful commands

```bash
# Federation config
openstack identity provider list
openstack identity provider show <id>
openstack federation protocol list --identity-provider <id>
openstack mapping list
openstack mapping show <id>

# Test a mapping rule offline (keystone-manage, run where Keystone is installed).
# mapping.json holds the mapping rules JSON; assertion.json holds the attributes
# Apache would hand to Keystone, as a flat JSON object.
echo '{"REMOTE_USER":"alice","FIRST_NAME":"Alice","MEMBER_OF":"openstack-admins"}' > assertion.json
keystone-manage mapping_engine --rules mapping.json --input assertion.json

# Apache / Keystone logs
sudo journalctl -u apache2 -n 100 --no-pager
sudo journalctl -u keystone -n 100 --no-pager      # only if Keystone is not run under Apache
sudo tail /var/log/apache2/error.log

# mod_shib (SAML)
sudo tail /var/log/shibboleth/shibd.log
sudo tail /var/log/shibboleth/transaction.log

# mod_auth_openidc (OIDC)
sudo cat /etc/apache2/mods-enabled/auth_openidc.conf
```

Mapping rule example

A `remote` entry carrying `any_one_of` or `not_any_of` only decides whether the rule applies; it does not feed a `{n}` placeholder. To both filter the IdP groups and pass the survivors into `{1}`, use `whitelist` (or `blacklist`) on the remote side and map the result with `groups`:

```json
[
    {
        "local": [
            {
                "user": {
                    "name": "{0}",
                    "type": "ephemeral"
                }
            },
            {
                "groups": "{1}",
                "domain": {"name": "Default"}
            }
        ],
        "remote": [
            {"type": "REMOTE_USER"},
            {
                "type": "MEMBER_OF",
                "whitelist": ["openstack-admins", "openstack-users"]
            }
        ]
    }
]
```
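The "test the rule manually" step and the mapping rule above, worked through as an added example. This is not Keystone's mapping engine and not code from the page: it is a simplified reimplementation of the documented remote-rule semantics (`any_one_of` / `not_any_of` only gate a rule, `whitelist` / `blacklist` filter and also fill the `{n}` placeholders), plus a static check that every placeholder used in `local` is actually produced. It assumes multi-valued attributes reach Keystone `;`-joined, as mod_shib and mod_auth_openidc expose them, and that rules are in the list form `openstack mapping create --rules` consumes; the `RULES` mapping and the assertions are constructed.

```python
"""Offline check of Keystone-style federation mapping rules (added example)."""
import json
import re

PLACEHOLDER = re.compile(r"\{(\d+)\}")

# Constructed mapping: user from REMOTE_USER; only whitelisted IdP groups
# become Keystone groups, so a broad IdP group cannot land in an admin group.
RULES = [
    {
        "local": [
            {"user": {"name": "{0}", "type": "ephemeral"}},
            {"groups": "{1}", "domain": {"name": "Default"}},
        ],
        "remote": [
            {"type": "REMOTE_USER"},
            {"type": "MEMBER_OF", "whitelist": ["openstack-admins", "openstack-users"]},
        ],
    }
]


def _values(assertion, attr):
    """Split a ';'-joined attribute into its non-empty values (assumed encoding)."""
    return [v for v in str(assertion.get(attr, "")).split(";") if v]


def _hit(values, patterns, regex):
    if regex:
        return any(re.search(p, v) for v in values for p in patterns)
    return any(v in patterns for v in values)


def evaluate_remote(remote, assertion):
    """Return the positional values for {n}, or None if any condition fails."""
    direct = []
    for req in remote:
        values = _values(assertion, req["type"])
        if not values:
            return None  # attribute missing: this rule does not apply
        regex = req.get("regex", False)
        if "any_one_of" in req:
            if not _hit(values, req["any_one_of"], regex):
                return None
            continue  # gate only: contributes no {n} value
        if "not_any_of" in req:
            if _hit(values, req["not_any_of"], regex):
                return None
            continue
        if "whitelist" in req:
            values = [v for v in values if _hit([v], req["whitelist"], regex)]
        if "blacklist" in req:
            values = [v for v in values if not _hit([v], req["blacklist"], regex)]
        direct.append(values)  # an empty filtered list still counts as a match
    return direct


def unresolved_placeholders(rule):
    """Static check: {n} placeholders that no direct-mapping remote entry fills."""
    producers = sum(
        1 for r in rule["remote"] if "any_one_of" not in r and "not_any_of" not in r
    )
    used = {int(n) for n in PLACEHOLDER.findall(json.dumps(rule["local"]))}
    return sorted("{%d}" % n for n in used if n >= producers)


def resolve(rules, assertion):
    """Apply the first matching rule; return the identity it yields, or None."""
    for rule in rules:
        direct = evaluate_remote(rule["remote"], assertion)
        if direct is None:
            continue
        # A single-valued attribute is exposed to {n} as a scalar, a multi-valued one as a list.
        scalars = [v[0] if len(v) == 1 else v for v in direct]
        identity = {"user": None, "groups": []}
        for local in rule["local"]:
            if "user" in local:
                identity["user"] = {
                    k: v.format(*scalars) if isinstance(v, str) else v
                    for k, v in local["user"].items()
                }
            if "group" in local:  # one named group
                identity["groups"].append(
                    {"name": local["group"]["name"].format(*scalars),
                     "domain": local["group"].get("domain")}
                )
            if "groups" in local:  # list of group names taken from one placeholder
                m = PLACEHOLDER.fullmatch(local["groups"])
                names = scalars[int(m.group(1))] if m else local["groups"]
                if not isinstance(names, list):
                    names = [names]
                identity["groups"] += [{"name": n, "domain": local.get("domain")} for n in names]
        return identity
    return None


if __name__ == "__main__":
    # Constructed assertions, shaped like the env vars Apache hands to Keystone.
    for a in (
        {"REMOTE_USER": "alice", "MEMBER_OF": "openstack-admins;finance-all"},
        {"REMOTE_USER": "bob", "MEMBER_OF": "finance-all"},   # matches, but gets no group
        {"MEMBER_OF": "openstack-admins"},                    # no REMOTE_USER: no rule matches
    ):
        print(a, "->", resolve(RULES, a))
    print("unresolved placeholders:", unresolved_placeholders(RULES[0]))
```

Running it reproduces two of the findings listed further down: `bob` authenticates but ends up with no group (and so no project), and an assertion without `REMOTE_USER` matches no rule, which Keystone reports as a mapping failure. `unresolved_placeholders` flags a rule that references `{1}` while its second remote entry is an `any_one_of` gate, which is the mistake that makes group mapping silently fail.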

Common findings this catches

  • Apache rejects SAML → clock skew, sig verification.
  • Keystone gets attributes but doesn’t map → mapping rules don’t match.
  • User authenticated but no project → mapping didn’t assign group with project role.
  • Group mapping over-grants → broad IdP group → admin role.
  • OIDC token validation fails → wrong client secret or expired.
  • Federated user persists after IdP removal → clean DB.
  • Login flow loops → SP/IdP misconfig of redirect URLs.

When to escalate

  • IdP-side issue (Okta, ADFS support).
  • Mass federated migration — staged.
  • Auth flow re-architecture — cross-team.
