cloudstack-users mailing list archives

From Fabrice Pollet <fabrice.pol...@etrs.terre.defense.gouv.fr>
Subject Re: Shibboleth and CloudStack
Date Thu, 27 Apr 2017 07:10:53 GMT
Hello,

The IdP metadata can also be read at this public URL
https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth.

The SP metadata is not public at the moment (see attached).

For me the redirection should be done towards
https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser (SSO-CAS)
instead of https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword.

My IdP server has the SP metadata (the "backingFile" is filled
automatically).

I will try your workaround.

I would like to inform you and thank you in advance.

Regards,

On 26/04/2017 17:29, Rohit Yadav wrote:
>
> Hi Fabrice,
>
>
> I could not open the URLs (they are not public) so cannot verify the
> XML metadata.
>
>
> The IdP
> metadata http://idp.etrs.terre.defense.gouv.fr:8080/idp/shibboleth will include
> list of supported IDP server endpoints that support http-redirect
> (binding is set to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect)
> based single-sign on. The current SAML2 plugin only supports and works
> with the Http-Redirect binding only.
>
>
> If you can share the xml with me, I can verify the SSO URL. Likely,
> the
> URL https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword must
> be one of the allowed SSO http-redirect based endpoints.
>
>
> You may try this workaround -- assuming your IdP server has the SP
> metadata (i.e. the xml that you get
> from "http://cloud.etrs.terre.defense.gouv.fr:8080/client/api?command=getSPMetadata")
> added/enabled; you can download and save the IdP metadata (make any
> URL modification that you want) to be file such as 'idp-metadata.xml'
> in /etc/cloudstack/management on the management server(s) and then in
> the global setting set the 'saml2.idp.metadata.url' to the value
>  'idp-metadata.xml' (without the quotes). Then, restart the mgmt
> server(s), it will read the metadata from this file location instead
> of the URL.
>
>
> The SAML2 plugin also allows for multiple idps defined (for example,
> in case of a federation it will retrieve and list all the available
> SSO site, for example search for CAFe saml federation).
>
>
> Regards.
>
> ------------------------------------------------------------------------
> *From:* Fabrice Pollet <fabrice.pollet@etrs.terre.defense.gouv.fr>
> *Sent:* 26 April 2017 17:31:46
> *To:* users@cloudstack.apache.org
> *Subject:* Shibboleth and CloudStack
>  
> Hello,
>
> I'm trying to configure SAML2 SSO support to connect CloudStack 4.9.2.0
> as a service provider (SP) to our own identity provider Shibboleth 2.4.4
> (IdP - Authentication Service and Authorization based on XML).
>
> I have completed the following CloudStack SAML2 settings:
>
> saml2.append.idpdomain = false
>
> saml2.default.idpid = néant
>
> saml2.enabled = true
>
> saml2.idp.metadata.url = http://idp.etrs.terre.defense.gouv.fr:8080/idp/shibboleth
>
> saml2.redirect.url = https://cloud.etrs.terre.defense.gouv.fr/client
>
> saml2.sigalg = SHA256
>
> saml2.sp.id = cloud.etrs.terre.defense.gouv.fr
>
> saml2.sp.slo.url = https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSlo
>
> saml2.sp.sso.url =
> https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso
>
> saml2.user.attribute = uid
>
>
> But the URL SSO-SAML2
> https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso
> returns me to the native authentication URL of our IdP
> https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword
> instead of the SSO-CAS delegation URL
> https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser.
>
>
> The meta data of my SP are listed in my IdP (from the configuration file
> relying-party.xml):
>
> <!-- Metadata for ETRS CloudStack -->
> <metadata:MetadataProvider id="cloud.etrs.terre.defense.gouv.fr"
>     xsi:type="metadata:FileBackedHTTPMetadataProvider"
>     metadataURL="http://cloud.etrs.terre.defense.gouv.fr:8080/client/api?command=getSPMetadata"
>     backingFile="/opt/shibboleth-idp/metadata/main-sps-etrs-cloudstack-metadata.xml">
> </metadata:MetadataProvider>
>
> Thank you for your help.
>
>
> -- 
> IEF MINDEF POLLET Fabrice
>
> TERRE/COMSIC/ETRS/DGF/BAF/ING-NEF/PFI-PEDA
> COMSIC BP18 35998 RENNES 9 France
>
> 821 354 34 82 / 02 99 84 34 82
> fabrice.pollet@etrs.fr (Internet)
> fabrice-c.pollet@intradef.gouv.fr (Intradef)
>
> rohit.yadav@shapeblue.com 
> www.shapeblue.com
> @shapeblue
>
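The check Rohit describes above (the SSO URL the plugin redirects to must be one of the IdP's HTTP-Redirect SingleSignOnService endpoints), as an added example that is not part of this thread: a small Python script that parses SAML IdP metadata and lists the endpoints advertised with the HTTP-Redirect binding, also handling a federation feed with several EntityDescriptors as the reply mentions. The metadata, entity IDs and URLs below are constructed sample values, not the ETRS IdP's.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample IdP metadata (not the real ETRS file, which is not public).
# The first IdP advertises both a POST and a Redirect endpoint; the second entity
# in the same EntitiesDescriptor stands in for another federation member.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="{MD_NS}">
  <md:EntityDescriptor entityID="https://idp.example.test/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.example.test/idp/profile/SAML2/POST/SSO"/>
      <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
          Location="https://idp.example.test/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp2.example.test/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
          Location="https://idp2.example.test/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def redirect_sso_endpoints(metadata_xml):
    """Map each IdP entityID to its SingleSignOnService Locations that use the
    HTTP-Redirect binding, the only binding the CloudStack SAML2 plugin works with."""
    root = ET.fromstring(metadata_xml)
    ns = {"md": MD_NS}
    # Accept a single EntityDescriptor root as well as an EntitiesDescriptor
    # wrapping several IdPs (a federation feed).
    if root.tag == f"{{{MD_NS}}}EntityDescriptor":
        entities = [root]
    else:
        entities = root.findall(".//md:EntityDescriptor", ns)
    result = {}
    for ent in entities:
        locs = [sso.get("Location")
                for sso in ent.findall("md:IDPSSODescriptor/md:SingleSignOnService", ns)
                if sso.get("Binding") == HTTP_REDIRECT]
        if locs:
            result[ent.get("entityID")] = locs
    return result


def sso_url_is_usable(metadata_xml, url):
    """True if url is advertised by some IdP as an HTTP-Redirect SSO endpoint."""
    return any(url in locs for locs in redirect_sso_endpoints(metadata_xml).values())
```

Run it against the IdP metadata saved as the 'idp-metadata.xml' file from the workaround to see which endpoints the plugin can actually use; a Location that only appears with the HTTP-POST binding will not work.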
