Memcache setup missing in shibboleth2.xml

I didn't know it was possible, good thing! Better than fine tuning the LB parameters IMO.

This patch should do the trick

diff -u shibboleth2.xml.j2 /etc/ansible/roles/os_keystone/templates/shibboleth2.xml.j2
--- shibboleth2.xml.j2 2017-02-09 15:45:07.717558567 +0100
+++ /etc/ansible/roles/os_keystone/templates/shibboleth2.xml.j2 2017-02-09 15:41:05.649798450 +0100
@@ -5,12 +5,34 @@
           xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
           clockSkew="180">

+ <OutOfProcess>
+ <Extensions>
+ <Library path="memcache-store.so" fatal="true"/>
+ </Extensions>
+ </OutOfProcess>
+
+ <StorageService type="MEMCACHE" id="mc" prefix="shibboleth2:">
+ <Hosts>
+ {{ keystone_memcached_servers }}
+ </Hosts>
+ </StorageService>
+
+ <StorageService type="MEMCACHE" id="mc-ctx" prefix="shibboleth2:" buildMap="1">
+ <Hosts>
+ {{ keystone_memcached_servers }}
+ </Hosts>
+ </StorageService>
+
+ <SessionCache type="StorageService" cacheTimeout="{{ horizon_session_timeout }}" StorageService="mc-ctx" StorageServiceLite="mc" />
+ <ReplayCache StorageService="mc"/>
+ <ArtifactMap StorageService="mc" artifactTTL="180"/>
+
     <!-- The entityID is the name by which your IdP will know your SP. -->
     <ApplicationDefaults entityID="{{ keystone_service_publicuri }}/shibboleth">

         <!-- You should use secure cookies if at all possible. See cookieProps in this Wiki article. -->
         <!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessions -->
- <Sessions lifetime="28800"
+ <Sessions lifetime="{{ horizon_session_timeout }}"
                   timeout="3600"
                   relayState="ss:mem"
                   checkAddress="false"

 {{ keystone_memcached_servers }} does not contain the ip addresses of the memcache servers.. it contains the keytone servers with the memcache port in the end of them...

Is this by design or is it a bug in https://github.com/openstack/openstack-ansible/blob/master/playbooks/inventory/group_vars/keystone_all.yml#L19

Talked to the guys in @IRC and (comment #3) is by design..

So {{ keystone_memcached_servers }} should be replaced by {{ memcached_servers }}

In the Sessions tag, relayState must be changed from "ss:mem" to "ss:mc" to store the relay state in memcache.

This one affected us too, and the proposed fix worked.

Fix proposed to branch: master
Review: https://review.openstack.org/550427

Reviewed: https://review.openstack.org/550427
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_keystone/commit/?id=6f6fe28fc58650b770d52f5f287995ad35f135d0
Submitter: Zuul
Branch: master

commit 6f6fe28fc58650b770d52f5f287995ad35f135d0
Author: Russell Tweed <email address hidden>
Date: Wed Mar 7 10:30:47 2018 +0000

    Add memcache setup to shibboleth2.xml

    Adds memcache session information to /etc/shibboleth/shibboleth2.xml when the
    shibboleth sp is configured.

    Change-Id: I4489b01d0c6741c9390c2f65bbf3650308123a49
    Closes-Bug: 1661197

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/556183

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/556184

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/556185

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/556186

Change abandoned by Tony Breeds (<email address hidden>) on branch: stable/newton
Review: https://review.openstack.org/556186
Reason: This branch (stable/newton) is at End Of Life

This issue was fixed in the openstack/openstack-ansible-os_keystone 18.0.0.0b1 development milestone.

Change abandoned by Jesse Pretorius (odyssey4me) (<email address hidden>) on branch: stable/pike
Review: https://review.openstack.org/556184

Change abandoned by Jesse Pretorius (odyssey4me) (<email address hidden>) on branch: stable/ocata
Review: https://review.openstack.org/556185

Change abandoned by Jesse Pretorius (odyssey4me) (<email address hidden>) on branch: stable/queens
Review: https://review.openstack.org/556183