cloudstack-users mailing list archives

From Fabrice Pollet <fabrice.pol...@etrs.terre.defense.gouv.fr>
Subject Re: Shibboleth and CloudStack
Date Thu, 27 Apr 2017 09:00:53 GMT
I tried your solution of saving the IdP metadata in the file
/etc/cloudstack/management/idp-metadata.xml, and I found my IdP in the
selection proposed by CloudStack. In any case it shows me the
possibility of adding other IdPs, and that is very good.

However, I come back to the same situation. My Cloud refers to the
native authentication of my IdP instead of the SSO-CAS.

I specify that my IdP has been working since 2015 with the Federation
RENATER and that its external services are well redirected to our SSO-CAS.

Maybe a REMOTE_USER environment variable problem between the SP and the IdP?


On 27/04/2017 09:10, Fabrice Pollet wrote:
> Hello,
>
> The IdP metadata can also be read at this public URL
> https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth.
>
> The SP metadata is not public at the moment (see attached).
>
> For me the redirection should be done towards
> https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser (SSO-CAS)
> instead of https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword.
>
> My IdP server has the SP metadata (the "backingFile" is filled
> automatically).
>
> I will try your workaround.
>
> I would like to inform you and thank you in advance.
>
> Regards,
>
> On 26/04/2017 17:29, Rohit Yadav wrote:
>>
>> Hi Fabrice,
>>
>>
>> I could not open the URLs (they are not public) so cannot verify the
>> XML metadata.
>>
>>
>> The IdP
>> metadata http://idp.etrs.terre.defense.gouv.fr:8080/idp/shibboleth will
>> include a list of supported IdP server endpoints that support
>> http-redirect (binding is set
>> to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect) based
>> single-sign on. The current SAML2 plugin only supports and works with
>> the Http-Redirect binding.
>>
>>
>> If you can share the xml with me, I can verify the SSO URL. Likely,
>> the
>> URL https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword must be
>> one of the allowed SSO http-redirect based endpoints.
>>
>>
>> You may try this workaround -- assuming your IdP server has the SP
>> metadata (i.e. the xml that you get
>> from "http://cloud.etrs.terre.defense.gouv.fr:8080/client/api?command=getSPMetadata")
>> added/enabled; you can download and save the IdP metadata (make any
>> URL modification that you want) to a file such as 'idp-metadata.xml'
>> in /etc/cloudstack/management on the management server(s) and then in
>> the global settings set 'saml2.idp.metadata.url' to the value
>> 'idp-metadata.xml' (without the quotes). Then restart the mgmt
>> server(s); it will read the metadata from this file location instead
>> of the URL.
>>
>>
>> The SAML2 plugin also allows multiple IdPs to be defined (for example,
>> in the case of a federation it will retrieve and list all the available
>> SSO sites; for example, search for the CAFe SAML federation).
>>
>>
>> Regards.
>>
>> ------------------------------------------------------------------------
>> *From:* Fabrice Pollet <fabrice.pollet@etrs.terre.defense.gouv.fr>
>> *Sent:* 26 April 2017 17:31:46
>> *To:* users@cloudstack.apache.org
>> *Subject:* Shibboleth and CloudStack
>>  
>> Hello,
>>
>> I'm trying to configure SAML2 SSO support to connect CloudStack 4.9.2.0
>> as a service provider (SP) to our own identity provider Shibboleth 2.4.4
>> (IdP - Authentication Service and Authorization based on XML).
>>
>> I have completed the following CloudStack SAML2 settings:
>>
>> saml2.append.idpdomain = false
>>
>> saml2.default.idpid = néant
>>
>> saml2.enabled = true
>>
>> saml2.idp.metadata.url =
>> http://idp.etrs.terre.defense.gouv.fr:8080/idp/shibboleth
>>
>> saml2.redirect.url = https://cloud.etrs.terre.defense.gouv.fr/client
>>
>> saml2.sigalg = SHA256
>>
>> saml2.sp.id = cloud.etrs.terre.defense.gouv.fr
>>
>> saml2.sp.slo.url =
>> https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSlo
>>
>> saml2.sp.sso.url =
>> https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso
>>
>> saml2.user.attribute = uid
>>
>>
>> But the URL SSO-SAML2
>> https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso
>> returns me to the native authentication URL of our IdP
>> https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword
>> instead of the SSO-CAS delegation URL
>> https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser.
>>
>>
>> The metadata of my SP is listed in my IdP (from the configuration file
>> relying-party.xml):
>>
>> <!-- ETRS CloudStack metadata -->
>> <metadata:MetadataProvider id="cloud.etrs.terre.defense.gouv.fr"
>>     xsi:type="metadata:FileBackedHTTPMetadataProvider"
>>     metadataURL="http://cloud.etrs.terre.defense.gouv.fr:8080/client/api?command=getSPMetadata"
>>     backingFile="/opt/shibboleth-idp/metadata/main-sps-etrs-cloudstack-metadata.xml">
>> </metadata:MetadataProvider>
>>
>> Thank you for your help.
>>
>>
>> -- 
>> IEF MINDEF POLLET Fabrice
>>
>> TERRE/COMSIC/ETRS/DGF/BAF/ING-NEF/PFI-PEDA
>> COMSIC BP18 35998 RENNES 9 France
>>
>> 821 354 34 82 / 02 99 84 34 82
>> fabrice.pollet@etrs.fr (Internet)
>> fabrice-c.pollet@intradef.gouv.fr (Intradef)
>>
>> rohit.yadav@shapeblue.com 
>> www.shapeblue.com
>> @shapeblue
>>

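As an added illustration of the check Rohit describes (this is not code from the thread, from CloudStack or from Shibboleth): the script below parses SAML2 IdP metadata, lists each IdP's SingleSignOnService endpoints, and reports whether one of them uses the HTTP-Redirect binding that the SAML2 plugin requires. It also handles a federation-style EntitiesDescriptor containing several IdPs, which is the multi-IdP case mentioned at the end of the reply. The metadata, entity IDs and URLs in it are constructed placeholders, not the ETRS endpoints.

```python
"""List SAML2 IdP single-sign-on endpoints from metadata and check for an
HTTP-Redirect binding. Added example; the metadata below is constructed."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: a federation-style EntitiesDescriptor with two IdPs.
# idp-a advertises both bindings; idp-b advertises only HTTP-POST.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://idp-a.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp-a.example.org/idp/profile/SAML2/POST/SSO"/>
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp-a.example.org/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp-b.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp-b.example.org/idp/profile/SAML2/POST/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

# Constructed sample: a single IdP published as a bare EntityDescriptor.
SINGLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp-c.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp-c.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def sso_endpoints(metadata_xml):
    """Return {entityID: [(binding, location), ...]} for every IdP in the
    metadata. Accepts either a single EntityDescriptor or a federation
    EntitiesDescriptor wrapper (nested wrappers included)."""
    root = ET.fromstring(metadata_xml)
    ns = {"md": MD_NS}
    if root.tag == "{%s}EntityDescriptor" % MD_NS:
        entities = [root]
    else:
        entities = root.findall(".//md:EntityDescriptor", ns)
    result = {}
    for ent in entities:
        endpoints = [
            (svc.get("Binding"), svc.get("Location"))
            for svc in ent.findall("md:IDPSSODescriptor/md:SingleSignOnService", ns)
        ]
        if endpoints:  # skip SP-only entities, which have no IDPSSODescriptor
            result[ent.get("entityID")] = endpoints
    return result


def redirect_sso_url(metadata_xml, entity_id):
    """Location the SP will redirect the browser to for the given IdP, or
    None if that IdP advertises no HTTP-Redirect SingleSignOnService."""
    for binding, location in sso_endpoints(metadata_xml).get(entity_id, []):
        if binding == HTTP_REDIRECT:
            return location
    return None


def report(metadata_xml):
    """One human-readable line per IdP found in the metadata."""
    lines = []
    for entity_id in sso_endpoints(metadata_xml):
        url = redirect_sso_url(metadata_xml, entity_id)
        if url:
            lines.append("%s: HTTP-Redirect SSO at %s" % (entity_id, url))
        else:
            lines.append("%s: no HTTP-Redirect endpoint, plugin cannot use it" % entity_id)
    return lines


if __name__ == "__main__":
    # Replace SAMPLE_METADATA with the contents of the saved idp-metadata.xml
    # to check a real IdP.
    for line in report(SAMPLE_METADATA):
        print(line)
```

Running it on the saved idp-metadata.xml shows which Location the plugin will redirect the browser to; an IdP that lists no HTTP-Redirect SingleSignOnService will not work with the plugin as described in the reply, whatever the IdP's own login handler does after that redirect.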
