cloudstack-dev mailing list archives

From Min Chen <min.c...@citrix.com>
Subject Re: [DISCUSS] [PROPOSAL] SAML2 plugin for SSO/SLO in CloudStack
Date Mon, 21 Jul 2014 17:10:23 GMT
+1. Very well-written FS and email, Rohit. Those open questions are very
valid; I added a little comment in your FS regarding the flow.

Thanks
-min

On 7/20/14 8:35 AM, "Rohit Yadav" <rohit.yadav@shapeblue.com> wrote:

>Hi,
>
>I'm assuming no one objects to the proposal and the spec, so I'll move
>forward with the first implementation starting next week, but I will be
>mostly offline till 28th July.
>
>Regards.
>
>Rohit Yadav wrote:
>> Hi guys,
>>
>> There has been a lot of interest [4] around auth related problems in
>> CloudStack such as -- SSO/SLO (single sign on / log out), 2-factor
>> authentication, role based network/IP/CIDR checking etc.
>>
>> Much of the challenge in implementing them in CloudStack comes from the
>> two divergent authentication mechanisms (one that is
>> username/password/cookie based, the other which is API/secret key or
>> HMAC/signature based).
>>
>> This thread tries to kickstart a project in that direction which will in
>> short term try to implement a SAML2 plugin and in long term have a much
>> better authentication framework.
>>
>> Let me start by briefly explaining what SAML2 [1] is -- it's an XML
>> based authentication and authorization protocol widely used to implement
>> single sign on services. Having a SAML plugin in ACS will give users and
>> organizations who already have such an infrastructure in place a new
>> mode of authentication.
>>
>> A SAML based SSO infrastructure consists of three entities - user-agent
>> (UA), service provider (SP) and identity provider (IdP). The UA is the
>> user/browser, the SP is the application that the UA is accessing (i.e.
>> Apache CloudStack UI) and the IdP is the identity service and does
>> authentication and authorization, management of users among other
>> things. IdP could be backed by LDAP, AD etc. For the scope of this
>> feature, we only need to implement SAML SP plugin in CloudStack and use
>> any free SAML 2.0 compliant IdP server [5] for testing.
>>
>> For this I researched and explored ways of implementing that and have a
>> first draft which needs to be discussed and iterated in the ACS dev
>> community.
>>
>> After comparing many open-source SAML 2.0 implementations on their
>> security and stability, we'll use OpenSAML [2], which is the most stable
>> and widely used Java implementation. Since we've been using Spring (for
>> DI etc.) within CloudStack, I explored and found the Spring Security SAML
>> extension [3], which fits perfectly and also uses OpenSAML.
>>
>> I also have a working proof-of-concept general implementation using the
>> above based on which I've put together a design document draft on this
>> feature for your review:
>>
>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/SAML+2.0+Plugin
>>
>> There are some complex stories/cases around security and user management
>> in CloudStack, some of which are listed under 'open ended questions' in
>> the draft above, most of which I'm not sure how to address.
>>
>> After the first round of discussion, I'll go ahead with a basic
>> implementation of this feature. The second phase will address broader
>> use cases.
>>
>> Comments, questions, suggestions?
>>
>> References:
>>
>> [1] http://en.wikipedia.org/wiki/SAML_2.0
>> [2] https://wiki.shibboleth.net/confluence/display/OpenSAML/Home
>> [3] http://projects.spring.io/spring-security-saml
>> [4] John Burwell's talk on SSO in CloudStack:
>> https://www.youtube.com/watch?v=kCR0TzrfCOM
>> [5] https://idp.ssocircle.com/sso/UI/Login
>>
>> Regards,
>> Rohit Yadav
>> Software Architect, ShapeBlue
>> M. +91 88 262 30892 | rohit.yadav@shapeblue.com
>> Blog: bhaisaab.org | Twitter: @_bhaisaab
>>
>>
>> Find out more about ShapeBlue and our range of CloudStack related services
>>
>> IaaS Cloud Design & Build <http://shapeblue.com/iaas-cloud-design-and-build//>
>> CSForge - rapid IaaS deployment framework <http://shapeblue.com/csforge/>
>> CloudStack Consulting <http://shapeblue.com/cloudstack-consultancy/>
>> CloudStack Infrastructure Support <http://shapeblue.com/cloudstack-infrastructure-support/>
>> CloudStack Bootcamp Training Courses <http://shapeblue.com/cloudstack-training/>
>>
>> This email and any attachments to it may be confidential and are
>> intended solely for the use of the individual to whom it is addressed.
>> Any views or opinions expressed are solely those of the author and do
>> not necessarily represent those of Shape Blue Ltd or related companies.
>> If you are not the intended recipient of this email, you must neither
>> take any action based upon its contents, nor copy or show it to anyone.
>> Please contact the sender if you believe you have received this email in
>> error. Shape Blue Ltd is a company incorporated in England & Wales.
>> ShapeBlue Services India LLP is a company incorporated in India and is
>> operated under license from Shape Blue Ltd. Shape Blue Brasil
>> Consultoria Ltda is a company incorporated in Brasil and is operated
>> under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company
>> registered by The Republic of South Africa and is traded under license
>> from Shape Blue Ltd. ShapeBlue is a registered trademark.
>
>--
>Rohit Yadav
>Software Architect, ShapeBlue
>M. +41 779015219 | rohit.yadav@shapeblue.com
>Blog: bhaisaab.org | Twitter: @_bhaisaab
>
>

