You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 7 Next »

NOTE: This is a work in progress design document draft for SAML plugin.

Bug Reference

https://issues.apache.org/jira/browse/CLOUDSTACK-7083

Branch

To start: saml2

Introduction

Purpose

Currently CloudStack has its own authentication mechanism, the two of which methods include username/password auth which is cookie/session-key based and another which is HMAC signature based that uses api key and secret key.

Many organization would want to use their existing authentication mechanism and have Single Sign On (SSO) and Single Log Out (SLO) to work on CloudStack UI and clients. SAML (Security Assertion Markup Language) 2.0 is an old, stable and widely used XML based authentication and authorization protocol supported by Salesforce, Google Apps and other public and private companies and the aim is to integrate the SSO SAML support in CloudStack.

This feature will be useful for users who may want to re-use their existing SAML 2.0 IdP (Identity Provider) service which holds the responsibility of users management, authentication & authorization assertions. In SAML terminology, CloudStack is a Service Provider (SP) that means it's the service that users would want to access and the organization would have their own Identity Provider (IdP) which is an authentication and authorization service backed by a user listing/store such as LDAP, AD etc.

For the scope of implementation and integration of the SAML plugin, we will skip the details related to IdP implementation. 

Implementation Consideration

I evaluated many opensource libraries which implement the SAML protocol and the most widely used stable library was OpenSAML. Instead of using OpenSAML directly, I'll be using Spring security SAML extension which nicely fits with our existing spring usage and provides a higher abstraction when dealing with SAML 2.0 authentication and authorization workflows. It is also widely used in production by large integraor such as CSC, Tieto; IAM vendors such as Novell, RSA, government and other companies.

Testing Consideration

For testing the plugin with CloudStack, we only need an IdP which can be setup locally using Shibboleth IdP software (https://www.testshib.org), or simply using one of the following free to use public IdP (discovery) service:

References

SAML for dummies: https://blog.surfnet.nl/?p=1417

SAML 2.0 on wikipedia: http://en.wikipedia.org/wiki/SAML_2.0

Spring security SAML extension docs: http://docs.spring.io/spring-security-saml/docs/1.0.x/reference/html/index.html

OpenSAML homepage: https://wiki.shibboleth.net/confluence/display/OpenSAML/Home

CloudStack SSO talk by John Burwell: youtube.com/watch?v=kCR0TzrfCOM

Implementing secure SSO with OpenSAML: youtube.com/watch?v=KroIZa1co6g

Working SAML example based on Spring security SAML ext: https://saml-federation.appspot.com/index.jsp

Document History

Glossary

TermDefinition
AssertionA part of SAML message (an XML document) which provides facts about subject of the assertion (typically about the authenticated user). Assertions can contain information about authentication, associated attributes or authorization decisions.
ArtifactIdentifier which can be used to retrieve a complete SAML message from identity or service provider using a back-channel binding.
BindingMechanism used to deliver SAML message. Bindings are divided to front-channel bindings which use web-browser of the user for message delivery (e.g. HTTP-POST or HTTP-Redirect) and back-channel bindings where identity provider and service provider communicate directly (e.g. using SOAP calls in Artifact binding).
DiscoveryMechanism used to determine which identity provider should be used to authenticate user currently interacting with the service provider.
MetadataDocument describing one or multiple identity and service providers. Metadata typically includes entity identifier, public keys, endopoint URLs, supported bindings and profiles, and other capabilities or requirements. Exchange of metadata between identity and service providers is typically the first step for establishment of federation.
ProfileStandardized combination of protocols, assertions, bindings and processing instructions used to achieve a particular use-case such as single sign-on, single logout, discovery, artifact resolution.
ProtocolDefinition of format (schema) for SAML messages used to achieve particular functionality such as requesting authentication from IDP, performing single logout or requesting attributes from IDP.
Identity provider (IDP)Entity which knows how to authenticate users and provides information about their identity to service providers/relaying parties using federation protocols.
Service provider (SP)Your application which communicates with the identity provider in order to obtain information about the user it interacts with. User information such as authentication state and user attributes is provided in form of security assertions.
Single Sign-On (SSO)Process enabling access to multiple web sites without need to repeatedly present credentials necessary for authentication. Various federation protocols such as SAML, WS-Federation, OpenID or OAuth can be used to achieve SSO use-cases. Information such as means of authentication, user attributes, authorization decisions or security tokens are typically provided to the service provider as part of single sign-on.
Single Logout (SLO)Process terminating authenticated sessions at all resources which were accessed using single sign-on. Techniques such as redirecting user to each of the SSO participants or sending a logout SOAP messages are typically used.

Feature Specifications

  • With this feature a user in an organization having a SAML 2.0 compliant IdP would be able to do:

    • Single Sign On initiated by SP (CloudStack)
    • Single Local Logout (Logging out CloudStack only)
    • Single Global Logout (Logging out CloudStack and other SPs)
  • Scope: 
    • Transport: We will only support SAML transport over HTTP, which means supporting:
      • HTTP POST
      • HTTP Redirects
    • Clients:
      • CloudStack UI will be fully supported
      • cloudmonkey and other command line clients may not handle HTTP redirects to IdP website and get assertions, therefore users would be required to use the HMAC auth method which uses API key and Secret key
  • quality risks (test guidelines)
    • functional
    • non functional: performance, scalability, stability, overload scenarios, etc
    • corner cases and boundary conditions
    • negative usage scenarios
  • Configuration:
    • IdP URL, metadata XML or discovery
    • SP Base Url
    • SP Unique Entity ID (IdP requires unique SAML federation/SP)
    • SP metadata and XML configuration
    • Cryptographic key management: SP keychain (signing key and encryption key) and IdP public key
    • CloudStack Logout behaviour: Local or Global
    • Default SAML user role
  • Compatibility requirements:
    • OpenSAML and other compliant SAML 2.0 IdP
  • Security specification
    • TODO: add notes on SAML attacks, workarounds and TLS/SSL considerations
    • TODO: add notes on CA, cert management
    • TODO: add notes on federation and metadata management with IdP 
  • Feature User: CloudStack Admin, CloudStack UI users

Use cases

An organization that has SAML 2.0 compliant IdP service and wants to integrate SSO with CloudStack can use this feature.

For Admins: Their administrator would create a unique entity ID and put in CloudStack SAML plugin. The CloudStack instance will have a base URL (http://domain/client etc.) which is configured in the SAML plugin. The admin will set IdP public key, IdP URL to the plugin using an API or web UI or as file where CloudStack is installed. The admin will generate X509 certificates (public and private keys) and store them with SAML plugin's java keystore as file, the public key and SAML SP metadata will be store at IdP server. Admin will configure whether logging out from CloudStack will locally logout users or globally. The admin will also configure default SAML authenticated user role which can only be changed by admin later once user is created/logs in the first time.

For Users: The users will open CloudStack UI URL in their browser and will be redirected to IdP URL. Once authenticated by IdP, the IdP will redirect users back to CloudStack UI which on receiving valid assertion from IdP will allow users in. If this is the first time users access CloudStack UI, CloudStack management server will create the user (with no password within CloudStack) using SAML assertion information (email, username etc).

Architecture and Design description

TODO:

  • discussion of alternatives amongst design ideas, their resources/time tradeoffs and limitations. Explain why a certain design idea is chosen over others
  • highlight architectural patterns being used (queues, async/sync, state machines, etc)
  • explain what components are being changed and what the dependent components are
  • regarding database: talk about tables being added/modified
  • performance implications: what are the improvements or risks introduced to capacity, response time, resources usage and other relevant KPIs
  • preferably show class diagrams, sequence diagrams and state diagrams
  • if possible, publish signatures of all methods classes and interfaces implement, and the explain the object information of different classes

Web Services APIs

TODO: add APIs 

UI flow

  • TODO: add diagrams

IP Clearance

  • Dependencies: (none included in the repo, maven will be configured to use the dependencies)
    • OpenSAML: Apache 2.0 license
    • Spring-security-saml: Apache 2.0 license

Appendix

Appendix A:

Appendix B: 

  • No labels