cloudstack-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rohit Yadav <rohit.ya...@shapeblue.com>
Subject Re: Shibboleth and CloudStack
Date Wed, 26 Apr 2017 15:29:37 GMT
Hi Fabrice,


I could not open the URLs (they are not public) so cannot verify the XML metadata.


The IdP metadata http://idp.etrs.terre.defense.gouv.fr:8080/idp/shibboleth will include list
of supported IDP server endpoints that support http-redirect (binding is set to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect)
based single-sign on. The current SAML2 plugin only supports and works with the Http-Redirect
binding only.


If you can share the xml with me, I can verify the SSO URL. Likely, the URL https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword
must be one of the allowed SSO http-redirect based endpoints.


You may try this workaround -- assuming your IdP server has the SP metadata (i.e. the xml
that you get from "http://cloud.etrs.terre.defense.gouv.fr:8080/client/api?command=getSPMetadata")
added/enabled; you can download and save the IdP metadata (make any URL modification that
you want) to be file such as 'idp-metadata.xml' in /etc/cloudstack/management on the management
server(s) and then in the global setting set the 'saml2.idp.metadata.url' to the value  'idp-metadata.xml'
(without the quotes). Then, restart the mgmt server(s), it will read the metadata from this
file location instead of the URL.


The SAML2 plugin also allows for multiple idps defined (for example, in case of a federation
it will retrieve and list all the available SSO site, for example search for CAFe saml federation).


Regards.

________________________________
From: Fabrice Pollet <fabrice.pollet@etrs.terre.defense.gouv.fr>
Sent: 26 April 2017 17:31:46
To: users@cloudstack.apache.org
Subject: Shibboleth and CloudStack

Hello,

I'm trying to configure SAML2 SSO support to connect CloudStack 4.9.2.0
as a service provider (SP) to our own identity provider Shibboleth 2.4.4
(IdP - Authentication Service and Authorization based on XML).

I have completed the following CloudStack SAML2 settings:

saml2.append.idpdomain = false

saml2.default.idpid = néant

saml2.enabled = true

saml2.idp.metadata.url =
http://idp.etrs.terre.defense.gouv.fr:8080/idp/shibboleth
<http://idp.etrs.terre.defense.gouv.fr:8080/idp/shibboleth>

saml2.redirect.url = https://cloud.etrs.terre.defense.gouv.fr/client

saml2.sigalg = SHA256

saml2.sp.id = cloud.etrs.terre.defense.gouv.fr

saml2.sp.slo.url =
https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSlo
<https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSlo>

saml2.sp.sso.url =
https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso

saml2.user.attribute = uid


But the URL SSO-SAML2
https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso
returns me to the native authentication URL of our IdP
https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword
instead of the SSO-CAS delegation URL
https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser.


The meta data of my SP are listed in my IdP (from the configuration file
relying-party.xml):

<!-- Metadonnées de ETRS CloudStack -->

<metadata:MetadataProvider id="cloud.etrs.terre.defense.gouv.fr"
xsi:type="metadata:FileBackedHTTPMetadataProvider"

metadataURL="http://cloud.etrs.terre.defense.gouv.fr:8080/client/api?command=getSPMetadata"

backingFile="/opt/shibboleth-idp/metadata/main-sps-etrs-cloudstack-metadata.xml">

</metadata:MetadataProvider>

Thank you for your help.


--
IEF MINDEF POLLET Fabrice

TERRE/COMSIC/ETRS/DGF/BAF/ING-NEF/PFI-PEDA
COMSIC BP18 35998 RENNES 9 France

821 354 34 82 / 02 99 84 34 82
fabrice.pollet@etrs.fr (Internet)
fabrice-c.pollet@intradef.gouv.fr (Intradef)


rohit.yadav@shapeblue.com 
www.shapeblue.com
53 Chandos Place, Covent Garden, London  WC2N 4HSUK
@shapeblue
  
 


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message