cloudstack-commits mailing list archives

From bhais...@apache.org
Subject cloudstack-docs-admin git commit: accounts: update saml docs
Date Sat, 07 Feb 2015 09:23:12 GMT
Repository: cloudstack-docs-admin
Updated Branches:
  refs/heads/master 36e506009 -> 678030ced


accounts: update saml docs

Signed-off-by: Rohit Yadav <rohit@scaleninja.com>


Project: http://git-wip-us.apache.org/repos/asf/cloudstack-docs-admin/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack-docs-admin/commit/678030ce
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack-docs-admin/tree/678030ce
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack-docs-admin/diff/678030ce

Branch: refs/heads/master
Commit: 678030ced894b0428666b79eae0ea54754f512e7
Parents: 36e5060
Author: Rohit Yadav <rohit@scaleninja.com>
Authored: Sat Feb 7 14:52:59 2015 +0530
Committer: Rohit Yadav <rohit@scaleninja.com>
Committed: Sat Feb 7 14:52:59 2015 +0530

----------------------------------------------------------------------
 source/accounts.rst | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack-docs-admin/blob/678030ce/source/accounts.rst
----------------------------------------------------------------------
diff --git a/source/accounts.rst b/source/accounts.rst
index 79e2741..b6a6652 100644
--- a/source/accounts.rst
+++ b/source/accounts.rst
@@ -287,12 +287,31 @@ to CloudStack. To start a SAML 2.0 Single Log-Out, the user calls the
 CloudStack UI login page. The CloudStack service provider metadata is accessible
 from the ``getSPMetadata`` API command.
 
+After a user is authenticated, the IdP sends a SAML response to CloudStack using
+HTTP-Redirect scheme. Upon checking the response, CloudStack create a user account
+if required or gets the user account and sets cookie and redirects to the /client
+page. Note if the domain name used in the assertion consumer service URL is not
+same as the redirect URL (saml2.redirect.url) user won't be able to login because
+cookies are not set on the redirected URL's domain.
+
+Limitations:
+
+- Admins cannot specifiy supported attributes, currently supported attributes are
+  `uid`, `email`, `givenName` and `sn`.
+
+- Once authenticated for the first time, a user account with a user is created
+  using a persistent NameID or unique attributes such as uid or email. All user
+  accounts are under one domain.
+
+- The SAML authentication plugin with only SAML 2.0 IdPs which support HTTP-Redirect
+  and authentication works with only one IdP server
+
+- Tested only with OneLogin, Feide OpenIDP, PingIdentity
+
 The following global configuration should be configured:
 
 -  ``saml2.enabled``: Set this to **true** to enable the SAML Plugin. Default is **false**.
 
--  ``saml2.default.accountname``: Account name for creating new users. Default is **admin**.
-
 -  ``saml2.default.domainid``: Domain (UUID string) to use for creating new users. Default
is **1** (root domain).
 
 -  ``saml2.redirect.url``: The CloudStack UI url the SSO should redirected to when successful.
Default is **http://localhost:8080/client**.
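Review bot: The third added limitation bullet has no verb (``The SAML authentication plugin with only SAML 2.0 IdPs which support HTTP-Redirect``); suggest ``The SAML authentication plugin works only with SAML 2.0 IdPs that support the HTTP-Redirect binding, and authentication works with only one IdP server``. In the new paragraph, ``CloudStack create a user account`` should read ``creates``, ``is not same as`` should read ``is not the same as``, ``able to login`` should be ``able to log in``, and ``specifiy`` in the first bullet is a typo. The cookie caveat is the part operators are most likely to trip over, so state it as a requirement rather than a note: the host in the assertion consumer service URL must match the host in ``saml2.redirect.url``, otherwise the session cookie is set for a different domain and the login fails. Also, this hunk drops ``saml2.default.accountname`` from the settings list while the new second bullet says each user gets an account under one domain; one sentence saying the setting no longer applies, or where the account name now comes from, would keep the list and the limitations consistent.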
@@ -308,4 +327,3 @@ The following global configuration should be configured:
 -  ``saml2.idp.metadata.url``: Identity Provider Metadata XML Url. Default is **https://openidp.feide.no/simplesaml/saml2/idp/metadata.php**.
 
 -  ``saml2.timeout``: Timeout used for downloading and parsing IdP metadata in milliseconds.
Default is **30000**.
-
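Review bot: Nothing to change in the trailing-blank-line removal itself, but the context line just above shows ``saml2.idp.metadata.url`` defaulting to a public test IdP (``https://openidp.feide.no/...``); since this section now documents enabling the plugin, a sentence telling operators to replace that default with their own IdP's metadata URL before setting ``saml2.enabled`` to **true** would help, as would noting that ``saml2.timeout`` bounds the metadata download only, not the login flow.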

