cloudstack-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-8037) Survey security of using SAML plugin in production and test against standard IDPs
Date Tue, 13 Jan 2015 21:13:34 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-8037?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14275949#comment-14275949
] 

ASF subversion and git services commented on CLOUDSTACK-8037:
-------------------------------------------------------------

Commit 6bec69844d196e9b66fffa54f6998d8e45fc27e8 in cloudstack's branch refs/heads/4.5 from
[~rohit.yadav@shapeblue.com]
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=6bec698 ]

CLOUDSTACK-8037: Require signed AuthnRequest, adds more security

Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>


> Survey security of using SAML plugin in production and test against standard IDPs
> ---------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-8037
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8037
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>            Reporter: Rohit Yadav
>            Assignee: Rohit Yadav
>            Priority: Critical
>             Fix For: 4.5.0, 4.6.0
>
>
> Since SAML plugin will ship with 4.5, and while it's not enabled by default we need to
do a lot of testing and make sure whatever we're shipping works generally in most cases. While
the protocol does not dictate what different metadata an IDP should return other than NameID
(like a UUID), it needs to work just based on that and provide other mechanisms to support
additional metadata such as email, name, timezone etc.
> The other main aim is to test various possible loopholes it could have or exploits or
bad conflicts with respect to transient vs non-transient/unique NameIDs and SAML token signature
checking as well as HTTP-redirected authentication process. Final set of tests (possibly automated
tests) or manual QA against known standard IDP implementations for example openidp, ssocircle,
shibboleth etc.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message