cloudstack-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF subversion and git services (JIRA)" <>
Subject [jira] [Commented] (CLOUDSTACK-8462) SAML: Auth plugin should handle authentication, admins to authorize users before they can authenticated
Date Mon, 08 Jun 2015 17:23:00 GMT


ASF subversion and git services commented on CLOUDSTACK-8462:

Commit 645f75bb0b83983c978c03b921c2544cfaa6cd7f in cloudstack's branch refs/heads/saml-production-grade
from []
[;h=645f75b ]

CLOUDSTACK-8462: SAML users need to be authorized before they can authenticate

- New column entity to track saml entity id for a user
- Reusing source column to check if user is saml enabled or not
- Add new source types, saml2 and saml2disabled
- New table saml_token to solve the issue of multiple users across domains and
  to enforce security by tracking authn token and checking the samlresponse for
  the tokens
- Implement API: authorizeSamlSso to enable/disable saml authentication for a
- Stubs to implement saml token flushing/expiry

Signed-off-by: Rohit Yadav <>

> SAML: Auth plugin should handle authentication, admins to authorize users before they
can authenticated
> -------------------------------------------------------------------------------------------------------
>                 Key: CLOUDSTACK-8462
>                 URL:
>             Project: CloudStack
>          Issue Type: Sub-task
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: SAML
>            Reporter: Rohit Yadav
>            Assignee: Rohit Yadav
>            Priority: Critical
>             Fix For: Future, 4.6.0, 4.5.2
> At the time of writing the auth plugin, I did not consider many security issues. The
current SAML2 auth plugin would automatically create users and allow them inside CloudStack
which in production could cause a severe security issue, especially in environment with public
IdP server infra such as large institutions. Therefore, the idea is to let admin add/import
users manually or from LDAP and then allow them to be SAML authenticated. This delegates the
security issue and account creation/handling to the admin or some other business layer/system.
> The following scenario would be supported:
> - Admin adds a user either manually or importing from LDAP etc.
> - Admin can then specify (multi-select or through API) a list of  one or more users with
their username (or any unique ID) to be allowed to be SAML authenticated
> Assumption here is that every SAML authenticated user would have a unique username mapped
into CloudStack. Edge case handling: In case multiple users exist in CloudStack with the same
username (could be across domains) and if the admin enables SAML authentication for all those
user account, then the plugin would assume all the users as the same and allowed by the SAML
authenticated user. Then, upon log in, the user should be able to select/switch between all
such accounts under any of the domains.

This message was sent by Atlassian JIRA

View raw message