cloudstack-users mailing list archives

From Rohit Yadav <>
Subject Re: Shibboleth and CloudStack
Date Wed, 26 Apr 2017 15:29:37 GMT
Hi Fabrice,

I could not open the URLs (they are not public) so cannot verify the XML metadata.

The IdP metadata will include a list of supported IdP server endpoints that support http-redirect (binding is set to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect) based single sign-on. The current SAML2 plugin only supports and works with the Http-Redirect binding.

If you can share the xml with me, I can verify the SSO URL. Likely, the URL
must be one of the allowed SSO http-redirect based endpoints.

You may try this workaround -- assuming your IdP server has the SP metadata (i.e. the xml that you get from "") added/enabled, you can download and save the IdP metadata (make any URL modification that you want) to a file such as 'idp-metadata.xml' in /etc/cloudstack/management on the management server(s) and then in the global settings set 'saml2.idp.metadata.url' to the value 'idp-metadata.xml' (without the quotes). Then restart the mgmt server(s); it will read the metadata from this file location instead of the URL.

The SAML2 plugin also allows for multiple IdPs to be defined (for example, in case of a federation it will retrieve and list all the available SSO sites; for example, search for CAFe saml federation).


From: Fabrice Pollet <>
Sent: 26 April 2017 17:31:46
Subject: Shibboleth and CloudStack


I'm trying to configure SAML2 SSO support to connect CloudStack
as a service provider (SP) to our own identity provider Shibboleth 2.4.4
(IdP - Authentication Service and Authorization based on XML).

I have completed the following CloudStack SAML2 settings:

saml2.append.idpdomain = false

saml2.default.idpid = néant

saml2.enabled = true

saml2.idp.metadata.url =

saml2.redirect.url =

saml2.sigalg = SHA256 =

saml2.sp.slo.url =

saml2.sp.sso.url =

saml2.user.attribute = uid

returns me to the native authentication URL of our IdP
instead of the SSO-CAS delegation URL

The meta data of my SP are listed in my IdP (from the configuration file

<!-- ETRS CloudStack metadata -->

<metadata:MetadataProvider id=""




Thank you for your help.


COMSIC BP18 35998 RENNES 9 France

821 354 34 82 / 02 99 84 34 82 (Internet) (Intradef)
53 Chandos Place, Covent Garden, London  WC2N 4HSUK
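
An added example (not part of the original thread and not CloudStack code): a Python check that reads saved IdP metadata, such as the 'idp-metadata.xml' file mentioned in the reply, and lists for each IdP the SingleSignOnService endpoints that use the HTTP-Redirect binding the reply says the SAML2 plugin requires. The sample metadata, its host names and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample (hypothetical hosts): a two-IdP federation document.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://post-only.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://post-only.example.org/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def redirect_sso_endpoints(metadata_xml):
    """Map each IdP entityID to its HTTP-Redirect SSO locations (empty list if none)."""
    root = ET.fromstring(metadata_xml)
    # The root is either one EntityDescriptor or a federation EntitiesDescriptor.
    single = root.tag == f"{{{MD}}}EntityDescriptor"
    entities = [root] if single else root.iter(f"{{{MD}}}EntityDescriptor")
    result = {}
    for entity in entities:
        services = entity.findall(f"{{{MD}}}IDPSSODescriptor/{{{MD}}}SingleSignOnService")
        if not services:
            continue  # entity has no IdP role (for example an SP entry)
        result[entity.get("entityID")] = [
            s.get("Location") for s in services if s.get("Binding") == HTTP_REDIRECT
        ]
    return result


def sso_url_allowed(metadata_xml, idp_id, sso_url):
    """True only if sso_url is an HTTP-Redirect SSO endpoint published by idp_id."""
    return sso_url in redirect_sso_endpoints(metadata_xml).get(idp_id, [])


if __name__ == "__main__":
    for idp, urls in redirect_sso_endpoints(SAMPLE_METADATA).items():
        print(idp, "->", urls or "no HTTP-Redirect SSO endpoint")
```

An IdP that maps to an empty list publishes no HTTP-Redirect endpoint, so by the reply above the plugin could not use it for single sign-on.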
