
For testing the plugin, you may use one of the publicly available IdP servers such as SSOCircle, or download the IdP OVA appliance:

http://packages.shapeblue.com/langur/saml/
http://people.apache.org/~bhaisaab/cloudstack/saml/

The IdP appliance has a pre-configured Shibboleth 2.4.0 server and OpenLDAP.

Login credentials:
username = root
password = password

LDAP admin: admin
LDAP password: password
Hostname: idp.bhaisaab.org
IP: 172.16.154.200

The hostname idp.bhaisaab.org is an A record pointing to IP 172.16.154.200. If you need to change the IdP appliance's IP (for example in KVM, VMware Fusion or VirtualBox), add an entry for the idp.bhaisaab.org domain to your hosts file.

LDAP interface: idp.bhaisaab.org/phpldapadmin
Shibboleth IdP Metadata: idp.bhaisaab.org/idp/shibboleth

To test, build CloudStack, then run deploydb and deploydb-saml. The deploydb-saml target automatically configures the LDAP and SAML auth plugins in CloudStack to work with this appliance.

  • Build CloudStack:
    mvn clean install -P developer

  • Deploy Database:
    mvn -q -Pdeveloper -pl developer -Ddeploydb
    mvn -q -Pdeveloper -pl developer -Ddeploydb-saml
  • Start management server:
    mvn -pl client jetty:run -Djava.net.preferIPv4Stack=true

Log in to CloudStack and check/update the global settings by searching for all configuration settings whose names start with 'saml'. If you change any of them, restart the management server.

Import users from LDAP or add them manually. Next, authorize the user(s) to use SAML SSO against an IdP server by choosing the correct entity ID.

Log out, select an appropriate IdP server from the dropdown list (in the default case there will be only one, pre-selected) and enter the domain where your account is; the default domain is the ROOT or / domain. Click the SAML SSO button, which redirects you to the IdP login page; upon successful authentication you are redirected back to the CloudStack UI with your user account logged in.

There is a strict policy on timestamps and on cryptographic token checking using the IdP server's public key and the SP's (CloudStack's) private key, so sometimes the UI may not get logged in even after a successful authentication; in this case simply log in again using SAML SSO. By default, when the management server starts for the first time, SAML certificates are created and stored in the cloud.keystore table. On every SAML SSO attempt an entry is recorded in CloudStack's cloud.saml_token table; this protects against spoofed login attempts and against IdP-initiated logins, where CloudStack would not otherwise know which domain the user wishes to log in to. Using the saml_token table, CloudStack knows which domain a user wants to access upon successful login, which matters when a user has multiple accounts with the same "username" across several domains.
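The per-attempt token check described above, as an added illustration (not CloudStack's own code): an SP-initiated login records a token with the chosen domain and a timestamp, and the IdP's response is accepted only if it refers to an unexpired, not-yet-used token. The class and function names, the 300-second lifetime and the use of the request ID as the lookup key are assumptions for this example.

```python
"""Added example (not CloudStack code) of a saml_token-style check:
each SSO attempt is recorded up front, and a response is honoured only
if it matches a recorded, unexpired, unused attempt."""
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 300  # assumed lifetime; models the strict timestamp policy


@dataclass
class SamlToken:
    domain: str        # domain the user picked before being sent to the IdP
    issued_at: float   # when the attempt was recorded (epoch seconds)
    used: bool = False # a token may be redeemed once


@dataclass
class SamlTokenStore:
    """Stand-in for the cloud.saml_token table (hypothetical in-memory form)."""
    tokens: dict = field(default_factory=dict)

    def issue(self, domain: str, now: float) -> str:
        """Record a new login attempt and return its id, which would be
        sent as the AuthnRequest ID (assumption) so the IdP echoes it back."""
        token_id = "_" + secrets.token_hex(16)
        self.tokens[token_id] = SamlToken(domain=domain, issued_at=now)
        return token_id

    def redeem(self, in_response_to: str, now: float):
        """Return the domain for a valid response, or None to reject it.
        Rejects unsolicited (IdP-initiated) responses, expired tokens,
        responses dated before the request, and replays of a used token."""
        token = self.tokens.get(in_response_to)
        if token is None or token.used:
            return None
        if now < token.issued_at or now - token.issued_at > TOKEN_TTL_SECONDS:
            return None
        token.used = True
        return token.domain


def demo() -> bool:
    """Walk through one good login, one replay and one unsolicited response."""
    store = SamlTokenStore()
    now = time.time()
    tid = store.issue("ROOT", now)
    ok = store.redeem(tid, now + 5) == "ROOT"
    replay_rejected = store.redeem(tid, now + 6) is None
    unsolicited_rejected = store.redeem("_not-issued-by-us", now) is None
    return ok and replay_rejected and unsolicited_rejected
```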