cloudstack-commits mailing list archives

Subject cloudstack-docs-admin git commit: accounts: update saml docs
Date Mon, 29 Jun 2015 14:42:28 GMT
Repository: cloudstack-docs-admin
Updated Branches:
  refs/heads/4.5 e2c05e5d0 -> 476bfa1fd

accounts: update saml docs

Signed-off-by: Rohit Yadav <>


Branch: refs/heads/4.5
Commit: 476bfa1fd6e2f047350545bf56dd4c711e289a9e
Parents: e2c05e5
Author: Rohit Yadav <>
Authored: Mon Jun 29 16:41:34 2015 +0200
Committer: Rohit Yadav <>
Committed: Mon Jun 29 16:42:15 2015 +0200

 source/accounts.rst | 66 ++++++++++++++++++++++++++----------------------
 1 file changed, 36 insertions(+), 30 deletions(-)
diff --git a/source/accounts.rst b/source/accounts.rst
index 63a2337..db2f0bb 100644
--- a/source/accounts.rst
+++ b/source/accounts.rst
@@ -265,17 +265,12 @@ You could also use api commands: ``listLdapUsers``, ``ldapCreateAccount``
 Once LDAP is enabled, the users will not be allowed to changed password
 directly in cloudstack.
 .. |button to dedicate a zone, pod,cluster, or host| image:: _static/images/dedicate-resource-button.png
 Using a SAML 2.0 Identity Provider for User Authentication
-NOTE: The SAML2 auth plugin introduced in Apache CloudStack 4.5,
-should be considered experimental and has not been tested in production, therefore
-may change in future breaking implementation and semantics compatibility.
 You can use a SAML 2.0 Identity Provider with CloudStack for user
 authentication. This will require enabling the SAML 2.0 service provider plugin
 in CloudStack. On successful authentication, CloudStack will use the persistent
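Review bot: the experimental-status NOTE is removed without any replacement saying what the plugin's support status now is, while the next hunk documents an authorization workflow that only exists "Starting 4.5.2"; consider keeping a one-line version note at this point (for example "The workflow described below applies to CloudStack 4.5.2 and later") so readers of the 4.5 branch docs know which release the section describes. Also, in the visible context the heading "Using a SAML 2.0 Identity Provider for User Authentication" has no RST underline and the ``|button to dedicate a zone, pod,cluster, or host|`` image substitution sits between the LDAP paragraph and this section; if those are not artifacts of the mail rendering, the heading needs its underline and the substitution definition belongs with the section that uses it.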
@@ -291,43 +286,54 @@ to CloudStack. To start a SAML 2.0 Single Log-Out, the user calls the
 CloudStack UI login page. The CloudStack service provider metadata is accessible
 from the ``getSPMetadata`` API command.
-After a user is authenticated, the IdP sends a SAML response to CloudStack using
-HTTP-Redirect scheme. Upon checking the response, CloudStack create a user account
-if required or gets the user account and sets cookie and redirects to the /client
-page. Note if the domain name used in the assertion consumer service URL is not
-same as the redirect URL (saml2.redirect.url) user won't be able to login because
-cookies are not set on the redirected URL's domain.
+Starting 4.5.2, the SAML plugin uses an authorization workflow where users should
+be authorized by an admin using ``authorizeSamlSso`` API before those users can
+use Single Sign On against a specific IDP. In case there are multiple user accounts
+with the same username (across domains) for the same authorized IDP, users would
+need to specify domainpath when logging-in by selecting the IDP from the dropdown
+list. By default, users don't need to specify any domain path. After a user is
+authenticated by a IDP, the SAML authentication plugin finds users whose username
+match the user attribute value returned by the SAML authentication response and fail
+only when it finds that there are multiple user accounts with the same user name for
+the specific IDP.
-- Admins cannot specifiy supported attributes, currently supported attributes are
-  `uid`, `email`, `givenName` and `sn`.
-- Once authenticated for the first time, a user account with a user is created
-  using a persistent NameID or unique attributes such as uid or email. All user
-  accounts are under one domain.
+- The plugin uses a user attribute returned by the IDP server in the SAML response
+  to find and map the authorized user in CloudStack. The default attribute is `uid`.
-- The SAML authentication plugin with only SAML 2.0 IdPs which support HTTP-Redirect
-  and authentication works with only one IdP server
+- The SAML authentication plugin supports HTTP-Redirect and HTTP-Post bindings.
-- Tested only with OneLogin, Feide OpenIDP, PingIdentity
+- Tested with Shibboleth 2.4, SSOCircle, Microsoft ADFS, OneLogin, Feide OpenIDP,
+  PingIdentity.
 The following global configuration should be configured:
--  ``saml2.enabled``: Set this to **true** to enable the SAML Plugin. Default is **false**.
+- ``saml2.enabled``: Indicates whether SAML SSO plugin is enabled or not true. Default is
+- ````: SAML2 Service Provider Identifier string
+- ``saml2.idp.metadata.url``: SAML2 Identity Provider Metadata XML Url or Filename. If a
URL is not provided, it will look for a file in the config directory /etc/cloudstack/management
+- ``saml2.default.idpid``: The default IdP entity ID to use only in case of multiple IdPs
+- ``saml2.sigalg``: The algorithm to use to when signing a SAML request. Default is SHA1,
allowed algorithms: SHA1, SHA256, SHA384, SHA512.
+- ``saml2.redirect.url``: The CloudStack UI url the SSO should redirected to when successful.
Default is **http://localhost:8080/client**
+- ````: SAML2 Service Provider Organization Name
--  ``saml2.default.domainid``: Domain (UUID string) to use for creating new users. Default
is **1** (root domain).
+- ````: SAML2 Service Provider Organization URL
--  ``saml2.redirect.url``: The CloudStack UI url the SSO should redirected to when successful.
Default is **http://localhost:8080/client**.
+- ````: SAML2 Service Provider Contact Email Address
--  ````: CloudStack service provider entity ID. Default is **org.apache.cloudstack**.
+- ````: SAML2 Service Provider Contact Person Name
--  ``saml2.sp.sso.url``: CloudStack service provider Single Sign-On URL. Default is **http://localhost:8080/client/api?command=samlsso**.
+- ``saml2.sp.slo.url``: SAML2 CloudStack Service Provider Single Log Out URL
--  ``saml2.sp.slo.url``: CloudStack service provider entity ID. Default is **http://localhost:8080/client/api?command=samlslo**.
+- ``saml2.sp.sso.url``: SAML2 CloudStack Service Provider Single Sign On URL
--  ````: The Identity Provider entity ID string. Default is ****.
+- ``saml2.user.attribute``: Attribute name to be looked for in SAML response that will contain
the username. Default is **uid**
--  ``saml2.idp.metadata.url``: Identity Provider Metadata XML Url. Default is ****.
+- ``saml2.timeout``: SAML2 IDP Metadata refresh interval in seconds, minimum value is set
to 300. Default is 1800
--  ``saml2.timeout``: Timeout used for downloading and parsing IdP metadata in milliseconds.
Default is **30000**.
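Review bot: several new entries in the global-configuration list are unusable as written: five of them have an empty key name (``````: SAML2 Service Provider Identifier string``, and likewise the Organization Name, Organization URL, Contact Email Address and Contact Person Name entries), and the ``saml2.enabled`` entry reads "enabled or not true. Default is" with the default value cut off, whereas the line being removed said "Default is **false**"; please fill in each key name and restore the default. Two removed statements are worth carrying over into the new text: the removed paragraph explaining that login fails when the domain of the assertion consumer service URL differs from ``saml2.redirect.url`` because "cookies are not set on the redirected URL's domain" describes a failure mode operators will hit and has no replacement here; and ``saml2.timeout`` changes meaning from a metadata download timeout in milliseconds (default **30000**) to a metadata refresh interval in seconds (minimum 300, default 1800), which silently breaks existing configurations and deserves an explicit upgrade note. For ``saml2.sigalg``, since SHA256, SHA384 and SHA512 are listed as allowed, consider recommending SHA256 or stronger for signing SAML requests and describing the SHA1 default as legacy-only. Minor: "authenticated by a IDP" should read "an IdP", and IdP/IDP is used inconsistently across the hunk.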
