Issues with Shibboleth SP Configuration for Keystone Federation

Question

I am currently facing issues with setting up Shibboleth SP to work with a Keystone federation environment -- devstack installation. Despite following several guides and attempting multiple configurations, I encounter a persistent error that prevents successful authentication.

Environment Details:

• Service Provider (SP): Configured on a local VM, supposed to interface with devstack's services (Keystone, Horizon, etc.).
• Identity Provider (IdP): Hosted separately on Google Cloud Platform (GCP) and is accessible.

Resources Followed:

• Demystifying Keystone Federation
• Keystone official docs
• IDEM Shibboleth SP v3.x Installation Guide

Issue: Whenever I attempt to authenticate via SAML2 from the Horizon interface to the Shibboleth IdP, the IdP fails to recognize the SP's request, specifically pointing out issues with the AssertionConsumerServiceURL. It seems to incorrectly reference 192.168.4.100 (local IP of the devstack machine) instead of the expected sp.keystone.demo.

Steps Tried:

• Regenerated and updated the SP metadata.

• Ensured that AssertionConsumerServiceURL (ACS-URL) in SP metadata matches those expected by the IdP.

• Checked and refreshed IdP configuration to ensure it's using the latest SP metadata. Reviewed logs for both SP and IdP but didn’t find clear guidance on resolving the mismatch.

• I've also read through numerous posts and tried suggested configurations and troubleshooting steps, but none resolved the issue.

• Using SAML-Tracker tool, I found the following:

  1. GET http://192.168.4.100/identity/v3/auth/OS-FEDERATION/identity_providers/demoidp/protocols/saml2/websso?origin=http://sp.keystone.demo/dashboard/auth/websso/

  2. on idp server, it gets the following:

• I am pretty sure that the ACS-URLs of the SP-metadata refer to sp.keystone.demo not to 192.168.4.100

• below is the idp response:

• I would to include the /etc/apach2/sites-available/keystone-wsgi-public.conf file to give full picture of what I accomplished. for sake of space, I prefer to describe it better:

  • Initially, the file had only one line: ProxyPass "/identity" "unix:/var/run/uwsgi/keystone-wsgi-public.socket|uwsgi://uwsgi-uds-keystone-wsgi-public" retry=0 acquire=1
  • I then added <Location /Shibboleth.sso>, <Location /identity/...> directives.
  • all NOT included within a <VirtualHost> tag.

the problem is why does the ACS-URL convert from sp.keystone.demo to 192.168.4.100?