Return-Path: X-Original-To: apmail-cloudstack-issues-archive@www.apache.org Delivered-To: apmail-cloudstack-issues-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 79E5917C01 for ; Fri, 19 Jun 2015 11:13:04 +0000 (UTC) Received: (qmail 82559 invoked by uid 500); 19 Jun 2015 11:13:04 -0000 Delivered-To: apmail-cloudstack-issues-archive@cloudstack.apache.org Received: (qmail 82535 invoked by uid 500); 19 Jun 2015 11:13:04 -0000 Mailing-List: contact issues-help@cloudstack.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cloudstack.apache.org Delivered-To: mailing list issues@cloudstack.apache.org Received: (qmail 82525 invoked by uid 500); 19 Jun 2015 11:13:04 -0000 Delivered-To: apmail-incubator-cloudstack-issues@incubator.apache.org Received: (qmail 82521 invoked by uid 99); 19 Jun 2015 11:13:04 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 19 Jun 2015 11:13:04 +0000 Date: Fri, 19 Jun 2015 11:13:04 +0000 (UTC) From: "ASF subversion and git services (JIRA)" To: cloudstack-issues@incubator.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (CLOUDSTACK-8463) SAML: Allow admin to specify attribute name returned by IdP MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/CLOUDSTACK-8463?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14593327#comment-14593327 ] ASF subversion and git services commented on CLOUDSTACK-8463: ------------------------------------------------------------- Commit 2721bf0cffbd1b99bc9ced44697be32e4b52c41e in cloudstack's branch refs/heads/saml-pp-squashed from [~rohit.yadav@shapeblue.com] [ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=2721bf0 ] CLOUDSTACK-8457: SAML auth plugin improvements for production usage * Move config options to SAML plugin This moves all configuration options from Config.java to SAML auth manager. This allows us to use the config framework. * Make SAML2UserAuthenticator validate SAML token in httprequest * Make logout API use ConfigKeys defined in saml auth manager * Before doing SAML auth, cleanup local states and cookies * Fix configurations in 4.5.1 to 4.5.2 upgrade path * Fail if idp has no sso URL defined * Add a default set of SAML SP cert for testing purposes Now to enable and use saml, one needs to do a deploydb-saml after doing a deploydb - CLOUDSTACK-8458: * On UI show dropdown list of discovered IdPs * Support SAML Federation, where there may be more than one IdP - New datastructure to hold metadata of SP or IdP - Recursive processing of IdP metadata - Fix login/logout APIs to get new interface and metadata data structure - Add org/contact information to metadata - Add new API: listIdps that returns list of all discovered IdPs - Refactor and cleanup code and tests - CLOUDSTACK-8459: * Add HTTP-POST binding to SP metadata * Authn requests must use either HTTP POST/Artifact binding - CLOUDSTACK-8461: * Use unspecified x509 cert as a fallback encryption/signing key In case a IDP's metadata does not clearly say if their certificates need to be used as signing or encryption and we don't find that, fallback to use the unspecified key itself. - CLOUDSTACK-8462: * SAML Auth plugin should not do authorization This removes logic to create user if they don't exist. This strictly now assumes that users have been already created/imported/authorized by admins. As per SAML v2.0 spec section 4.1.2, the SP provider should create authn requests using either HTTP POST or HTTP Artifact binding to transfer the message through a user agent (browser in our case). The use of HTTP Redirect was one of the reasons why this plugin failed to work for some IdP servers that enforce this. * Add new User Source By reusing the source field, we can find if a user has been SAML enabled or not. The limitation is that, once say a user is imported by LDAP and then SAML enabled - they won't be able to use LDAP for authentication * UI should allow users to pass in domain they want to log into * SAML users need to be authorized before they can authenticate - New column entity to track saml entity id for a user - Reusing source column to check if user is saml enabled or not - Add new source types, saml2 and saml2disabled - New table saml_token to solve the issue of multiple users across domains and to enforce security by tracking authn token and checking the samlresponse for the tokens - Implement API: authorizeSamlSso to enable/disable saml authentication for a user - Stubs to implement saml token flushing/expiry - CLOUDSTACK-8463: * Use username attribute specified in global setting Use username attribute defined by admin from a global setting In case of encrypted assertion/attributes: - Decrypt them - Check signature if provided to check authenticity of message using IdP's public key and SP's private key - Loop through attributes to find the username - CLOUDSTACK-8538: * Add new global config for SAML request sig algorithm - CLOUDSTACK-8539: * Add metadata refresh timer task and token expiring - Fix domain path and save it to saml_tokens - Expire hour old saml tokens - Refresh metadata based on timer task - Fix unit tests > SAML: Allow admin to specify attribute name returned by IdP > ----------------------------------------------------------- > > Key: CLOUDSTACK-8463 > URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8463 > Project: CloudStack > Issue Type: Sub-task > Security Level: Public(Anyone can view this level - this is the default.) > Components: SAML > Reporter: Rohit Yadav > Assignee: Rohit Yadav > Fix For: Future, 4.6.0, 4.5.2 > > > Just like the LDAP plugin, SAML plugin should allow admins to specify attribute names to be used to map and get user's id/username, email, firstname, lastname, etc. -- This message was sent by Atlassian JIRA (v6.3.4#6332)