cloudstack-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rohit Yadav <rohit.ya...@shapeblue.com>
Subject Re: Shibboleth and CloudStack
Date Wed, 03 May 2017 09:17:01 GMT
Hi Fabrice,


Ensure that both SP and IdP server hosts have the same timezone/time settings. Consider setting
up NTP on them etc.


Next, another reason it failed to log into CloudStack (even though I can see successful authentication
at the IdP side) is that SP (cloudstack mgmt server) has incorrect IdP metadata or certificates
to verify and decrypt the encrypted tokens in the saml2 response. Please verify this as well.


Regards.

________________________________
From: Fabrice Pollet <fabrice.pollet@etrs.terre.defense.gouv.fr>
Sent: 02 May 2017 17:44:58
To: Rohit Yadav; users@cloudstack.apache.org; fabrice.pollet@etrs.fr
Subject: Re: Shibboleth and CloudStack

Hello,

Thank you very much for your answer.

Maybe I misunderstood because in my current configuration, CloudStack refers to https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword
without any modification and that corresponds to the native authentication of my IdP.

I wanted CloudStack to return to https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser
which corresponds to my SSO-CAS.

So I followed your hack but by modifying in /etc/cloudstack/management/idp-metadata.xml https://idp.etrs.terre.defense.gouv.fr/idp/profile/SAML2/Redirect/SSO
by https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser.

This time CloudStack redirects well towards my SSO-CAS it is a progress. Unfortunately, authentication
does not succeed.

Here are the logs of the IdP at the time of the connection:


11:09:55.290 - INFO [Shibboleth-Access:73] - 20170502T090955Z|172.16.96.7|idp.etrs.terre.defense.gouv.fr:443|/profile/SAML2/Redirect/SSO|
11:09:55.378 - DEBUG [PROTOCOL_MESSAGE:74] -
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response
    Destination="https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso"<https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso>
    ID="_3b1e03d6935882d3eb5d3f9242fb1426"
    InResponseTo="ni2j9u3i4d749ask9434jsgon0i9g7u2"
    IssueInstant="2017-05-02T09:09:55.320Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth</saml2:Issuer>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </saml2p:Status>
    <saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <xenc:EncryptedData Id="_61daeafb4f216c1e291b2130c8b56a35"
            Type="http://www.w3.org/2001/04/xmlenc#Element"<http://www.w3.org/2001/04/xmlenc#Element>
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"<http://www.w3.org/2001/04/xmlenc#>>
            <xenc:EncryptionMethod
                Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"<http://www.w3.org/2001/04/xmlenc#aes128-cbc>
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"<http://www.w3.org/2001/04/xmlenc#>/>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"<http://www.w3.org/2000/09/xmldsig#>>
                <xenc:EncryptedKey
                    Id="_bae1f2d4c0b08c4fa70aa7169117c880" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"<http://www.w3.org/2001/04/xmlenc#>>
                    <xenc:EncryptionMethod
                        Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"<http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p>
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"<http://www.w3.org/2001/04/xmlenc#>>
                        <ds:DigestMethod
                            Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"<http://www.w3.org/2000/09/xmldsig#sha1>
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"<http://www.w3.org/2000/09/xmldsig#>/>
                    </xenc:EncryptionMethod>
                    <ds:KeyInfo>
                        <ds:X509Data>
                            <ds:X509Certificate>MIIErzCCApcCBgFbR6o7sTANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBBcGFjaGVDbG91ZFN0
YWNrMB4XDTE3MDQwNjA5MDYzMFoXDTIwMDQwNzA5MDYzMFowGzEZMBcGA1UEAxMQQXBhY2hlQ2xv
dWRTdGFjazCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALMN5Irps++bJ4S7SCATm3Ni
W+SYl75N/TbQXPHPrSWuZDRZOVVsgf6vCN/IAYsBUUD5Lej+aAhZra8SzI0RBtloIdx6xQHZTp3q
DbnvSW3pBIKb1m/KHpcvr6AFelUw82h13jYzp4QnPxragalY5g0do5UHeki+olHTgYu/TFiLAmrE
LxKFMOBKaZ+W4aYeootdCL1pXsFgRx/WXY2XS2e3wXxFXxRp9T35Mtuslz8eq8X5ipRyWiA+/1Q8
g3YjFengkP5w3xgSsTjF0HiBnP7g9OCu01M1M35vNxyoEvKgIT61Fm8VDuuxT9BWhKBKN5lZ1rSM
NCvsykdiSwXGo1NpKfG4iHeDUSZHsFIdwsthfK9Rs0VPCG+IcR93IYDGJOqX05tiI2WvN/T23W/T
kNPTDt8mZJh8HuiWAHij6OIb3DJxK2l2czxNq2OLJX27dHKQDf0LcNg9Cm8fzBLKkpyZlypuC1o2
60SY9XdkwLSbOhRkSWazFkW641EGv9QFUBs8AkPbos9DUVKA7ciHXPSIeiLEVdjbNMiuWJUmqF22
nefs99H7CvtMaSwSPGpMkYVljPGn+6M06EbNfxdd4quVVgnXOxXDJKV8E+1qCAT1nxQNkIZdoZZw
14RmoyCngV83eUf4mPjpux1IJhKJSOBnHFKCboMNcUgONSVRrRuLAgMBAAEwDQYJKoZIhvcNAQEL
BQADggIBABnJ2QT4s23RN0+v3F7H6ODuNcYMMl4JZN4VvDsAr2xBvRltMkmlcZgK5XRO47Gt1rdN
7fbm7xDsl0KblZ3PWHkBCuM0Zpw2nDx53AIkCk/lEw7sdAqAr1blgL56xTQLis43PLl7j4o+ZXFI
1Ny2eiyVRasffBQSlR4SoCN+mmXN4AygVxgR0zSlBKCV65CVX+5E8nKo1CrVzk4Pl3m6chKB+5J7
NvfvOvJAli1dsspjJd7SnyxJem4G0vC6t65Jzj+vFpBPsrj7VPa9YcrnDLOHy3Ljooad9agPkliY
JOvBRKkD8eoOMvoRSUg5f6VUAzO228UBcfS4OTZvkuKNyl2uYJ9pZFTEJ8zA+ikWZBUl4Ot6LYG3
smHsAxIpm7rubLVOF0GV8dhcMcDjDK5+7lLkaFRHTjZZeanISVBWbe3zc8P8gRdFZvi3CJalubPd
UQer2pUySILFJkfZx+5STf6cargpAEfnvWTvx1bRFqsh1NTOiWXJuL3QL3K9vPxhaIXgjmRFJVMb
y3Tt3ifMbqssaC7odRmKZx/bLyrgC6Uni+oJDkiDtyVD1oFtmnbQd8wZ6x25W+z6i0wtcDWLYoW0
HVpfDgXKwxuSNTdO1XYA48p98z6la+HXkhEML3EFU60+cxmvtfuu7JIOjSxWQw6dktxLKGZ+KPhB
2HWwtuca</ds:X509Certificate>
                        </ds:X509Data>
                    </ds:KeyInfo>
                    <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"<http://www.w3.org/2001/04/xmlenc#>>
                        <xenc:CipherValue>BwCwEsRgA3OFiHNpd3bfHAo5Q3zt6YlqbKlg9HRpL6U2ID2Hm7KI9FojAPS5JpSh14mreSNylN2myr9jUOJ+OpeCfRdjtSNuck3O/k42g/Eu5nNmzn9cFOSbFqSQXvsdYVzsbMeGID1J9cq5FfVeu6RcebZr7Ebo5tOTdJqmKi2BScB/fz8Yy/2p6xh/JWYhsVCeSwvHuHKrDYCFf5eg0XcoP/tgrA65U7P7utrKrjMgSq5Dn5XkaXc9L9+wov9VnpdKrRU2TENFdZIW5RO1PKc5nwP3/ivEkuYs2ax+lvvkYpNqEiAQyQmt1T1VvctyLC0MplMDX8YEMRIfhNAyJskYbp5rP1ZHGhfu76cVTzdt4AouCNvxRYPZ5uhy47jeEy0ZewEz65ImqGgKNoZ4FwH5UwTTHGZak5MJ3LmTd9bfwfz7sUK3TGsISdbFCVxkthQvGBmOHNHb8BbKaNUV8Px8DH0IV1jvCiXUBlzwFpnRjG06hSpmmllyu3WaQixPqZ1BjgjAOXrUdhxLrBRyXEbKeFdGxidJYcqQaBpn4H83ZNPBriQ3Ya39NJGkfkVlU8tvpif3tH1fNWJ0SBNDZWIUjyu4OKFxjiebsP2QF6miep9YscNffQdPt9k0h2siTQJCpH/DM2RMQOna/AKARUeyD39jsutvhpj3TQzplzw=</xenc:CipherValue>
                    </xenc:CipherData>
                </xenc:EncryptedKey>
            </ds:KeyInfo>
            <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"<http://www.w3.org/2001/04/xmlenc#>>
                <xenc:CipherValue>KXBwY7UOS1KcHaNefUMtdK/6Jlmm78KYhs62nxNAectfTT5Sw3l289hLgeaIZ0RRsO1XqQk+ew43mMm6QaWjvcEDGij2C+TEGl2maIkhxpW71ZeeMyP6dAW78/TDJBJfLUEbTR1jb+q7hfJDKgMdyGfQ9ErEdvQjbz8vRMYiq7fdkNzqVTpXzcc7KXbpGtSQqyJYetAGFPx2wsJreeHsQPvIJrI42ER8LOLyv/FnXi+w4YXrzL14e0Qhmyry07Z8B6gC3DA+C8pmDs9xn99nEfAC6xZctDeIzC0+KpGav9NfACfvqs+X2DleZGckzsSomDxssiv4ArAbTSV/dRlbBUWfIGBgwALVhrBDyuCkBXrYNYqm7QF6bKSmAOlKVYC+lqFdI8CLHH7QiEO2S1UHYNRSIjUPXtef1CXGWM2jhmPYc51VBxsrcoY0ei0/nx9WVLcN5OHxnb8dz5Lm5yJJRa16k+7/rYDi8KvGTQj6jTEkQFjoxr7VeDHHAEdt5D8/Xm0PuvAXGTEvOntlaLbXkMqFxBe9usAkFqf6CRm3Qin2O7dUuipWJVZE1f7gnZyGCV0woVgnSQ2vo5quz5ABveXzlsuypMkD/bwavgLYNQR9c4eIJDqcUlPC2zm5XM18mgdxxQpp90E3Kb29j1OGfDh6F35x2rYg3k1/jJeMlDlbANprwyw1eM+qGijDcdYNoJEMRF9Utpt1ePDSOhBBPyPiTg7lgBo0m/gBnHR26TTTDGMruCm7SSNrYJIf1KR6HFalEaUZn7kpSBINkyoCOOyW78L8pqy0+m1ZcCfsYBzHsSd8kXyavYESCGIB58oIzPFB7VK1SiKrWvZCRkXw0AZllfy3cntpGopCBopjivUxycsNHPTIp0sZDpkpRC9it3vGcJDIueuPoco1cdoM05gTLg2rNU7StPukDAwKZSRJ2RY0kNcnoeNIoQLc5IAM4PuCFk
FhOQYVAI+ dmIxc5F74uDctiONoNX6zVyp3OSZHiNoN/WrSkA7OsefciO+DaU1XLc87CSqvR8eOG41VjSlxpzkHBjUOiOtz52BKlFtuDLlKFX/5W6XQYNHp69PhYjuXd6vryvNWSPVgoVDJ5R10s+W2JvnQXlgD0MVlgJQs905+yi1fugYYYuA2P0NIEu3/Ky4U4CLxmGM3NIAkTWpjpFhHxv8il3x4TLPs2BB49gV1FOF3E5oXYg37bY1k0aeJA/DDxm2QXLP31Q4jdOAwdL5o6gIbeHV2g4WEUeMHg3zMfuL3jcJi/JA7A6MJEDyYCC32Z42DfUYgocmIwlOTs6y2ujxKqAWfKYC9n6bu5Wxj2zU8dZlmA7Os1UYZZbz9ZaRFMp3aN31/x1dasSP2yCoLpcjgiWsQDTBOn596V9OXmK14Z6K/+Ba51dfT3UWc4vTSb603AB0yNV4Y4vclSFxM47qPb2kU2qtgZyEOVKDy6OekNVW+az8+IitTH/f2Fk+HgM4Ro6MrCLkjbwvriL3NZmIcTm3eV3cGDf752fmDI/wYXc8tMXMcNQQo+S8Gf76rLy9TffWX4DvIPQkG4o278c1RRwl58+O1arAcsAvhMNGiwzHDVhTCrzVWebifphXBzOjDN3cNm4I0HC/nmiuWprQy7IAkNatmQIRa5AevmmFYNd5rSvptyxVPBLcCCWxXcgB8nAosQp2nsTsE01UTfptvEPDPwc3BPbc8S4I2o5hhE5LCDquDmi3o5VbBmEGoOlt8pcpvtF99ogvSYo9nXPjt8XMwxWyfR52ch4XbGqLXrSiQejGBwhMeIj02wdiEZU3jI7VyCvidZIbAfSwIFb7M0zke/zNK0rYLMqiRM/T6IeBCBd+a+F6afyokHEDO7jQsCAsQ+AtQwfAgCeoZO9X7Tn1gDKBBLMoIhAcXJaVvwIdd52DliYffnK906NaT64M+KBKGLESDyJJJ2mJQd/E0mosvNUHOJ13bV
cR5qPFT2v p0hnodqi4q8wEdv7jGlYt8qOpVgmNgMT9hBtuS3dDoQ0wRKao2XpXIAUjW/SbCEG4FwzlTZR6a9oMd3WoU3YQr5+nsGM6ryzW3vZzt3zkQqCiuwgd86MhVJ+N1HGOQr7ZUWUsd42BXXpWEfpDFWMtke4apztJwrYS9YnOpH6dOkCgu5uKelChsSMaov+Undj9ioejbd7pta9J2TYsO14cq6Hv+G++TjNfP5O4XcOU804xIRCRZwC/jIrbkJMQ9XKYPwjsrhwBo1eC3eXeUCFvmr4yOfVoEAKWp9Go59wIEC8fPFdU6UUNSUYDchZa9l7tS+N7iZu4fcVmye6m8uKqsBQww8Fbk1kS06K5/QXD1T14H5bzs6eR+QHEsRoqDxR1+WNYjZm+c1qTd5eu5f1N+tWkmXmn0ko34QUUOjwR7JRPum6WTizh57S/aCYxNjx2qPk2QYXIP1tNXGkOTc7qq/u3fc+KGN8wEsLwfbd2j0n1fAsWbxv6q/RBdgIzl142W+m4EEoHKrOhctI3VOi+xoEcoCF/AQuTsBm3617qfZcWRqFR0t0RVivCo9jutqXmkTdkIWbLW+elocN/lYNXRgOO+VtK8E39NQ2wbwYh2vCoqrNB61+MAketA/2UBblTBKnPe0ipYRV0isSQXoxVlRLfAAfqXES9DyRsCmu9vlnYxT0cyeHlgT8czCWypSRwxSX9V3tWxQVuXaktxIE5wU9VGOQzieP0z1EA5Plr5e2FbdtsS87eEC5yvYVLccEU4ni44HCGFqPUNHnMJtjGtqoSq56SBeBEy8WQVUB3PSckRnZE9F5/BYyACiSdw3E1EIB0algS/LuotpijriG2JODouCnFleVcraMdp2VweqDH3pxjRQbOdboyj7n2YuYR+RrDspwnjczmiiiL9+708PwZnGie+etvYTDFoKIHURQVLxid9mS87JBcpfzIXKPxSS89HdTk2jvFXR4VmUVYA0nJ4VJzy
CWnArSZJp fvhyhuydFXAOhhE3tDqIJ120kXarGnaF1Yp2ZBZuX4UsV/jR1R6faqYTc7ynAzEnQ4zGj9d20O/4exiK9DRMGBaRYP4R6DRRDyKqC2Cqt2N2O4fcxYOfKeMNTmwHDBAU0tBlsZDCSHl/3Hr5eHdUXEH8D1AaF9rWvq3SI/aV0cSoyk7eIZ2AGzRs9lljHLoa6U65ichrz//1CueBDKc1pcomDTfAt1uSmeBe/cCNjhdpaB2dokgRUxNXGPENAtSYpoZrfBp/jjxUy83rdDVc5aW2qTnM9UQi3XJFv02jDIlTmIVI3+cDZQTHieExXCBgsAXMCcncEXY8Q2bDd1IUkDlTzUWf8lbr6YbDzmxYP2SFIXSjzAWRKIHKRGnLuETUw6FS9fpc4101VdkGVicv09RQsg3n1SHHmvmEH0HxxwZD4OgmSNKDmsfBLGaANEA0Ke+tDzIjQO2QjpLS9p7PsarE126WPvNHa1mNss0G22SI1s60xXYbcjFBXktT99m6ofIS36e4mLwH7F9NFWuKNqxofjoVtvcKcru3OeaChm+jl3ZcMEJPbQf8xBAvYWwGc3QJSpGw1NSbIO5sOeT/CjMjKux02nvFg0nBceRbTZ05cPjSErS2HwleXXEsicXgp9bcFf4oRGWNCVIvkItkUNijg/Rl9Y7xNv+ZVUCkN3DyOmg4GhzNnIFGDAPpqDXzx7uyLApSiWJe39VDq76muNOw0UQ7r6p7YUv7pGxJ7fjan8h97uBtdkZLHv4nOcZUFesMykAmy6cd1vIe41rujylDs+dTkYWsoIuLV71zqMGhufLyew7nSxX5kK+9wkPzxvF6o7HHXKOGr5oGVxV5/S6wmbZ4lGoUeRrYaYPIEnkhKDlikug6gXngK1Xrr7qd4pRLW2p2LRaYYk5wdlI3DucQuDbu1u6393Rv7AL0ZGVcQm2qWOMUiLT2V8VK4iy6lenFCX4zck623fOxs7y1EsyVyV0DIV
RWXQODN9J HzVXQfBOrO7zY/91W8PwAYOy0hbw7uT/ZzKTMzGsEZN6ftGct5K/GiwoRyA/RV9edo1ghsNjjyuMp3IvGitp+IKPIZ1D+I9uZVygclePhSlxPZ4ceasZEExxyPNCVyvH1GJ3gMKW8WX2nuIU1ODESUcnRz40IMIFrnzgFpk//xzhoX7jk/90lBCntvb2xVaEk7+YKS2791ePmt+aydoaeYBiuR8lj8kpm9gTBQPtIFG6igBIHfP6Qh/hrg23ZIQ15CMBxD7ZlJCpxPzD+g9/ZJYj2iaiONOecN2F+pI07cxmWYbl3z6FhBysQAcF5KU10GjCjdoVyGBnvLAWlA8/PIbcTFvFAMNq/r8I2RXRRvZK1f+WYAzuvYkQ6FvNxTvyBZ5W3ywg0UTOIXhJYSxj3fhmT7S57PWgsLQQc2GCgspwsacQFtcD9FJNydvCyPi5eBt+OHZ8gjw+MJs8pHyK6Rs/Hwr62TPnwwNizTTe+dWrWwSdlYNFRnG5MhCVw4dfKo5rzCtABN3H7qpUGt94/DeiGKPm5dVmZUYZk3wv4wQfxsn5VlKeZxeowwql3KgYdyyHxYVWZSmFi87roxYAdFz+UAZtxnWN8YejkwQKYAcbdCZhLllzRJX/bqtCgtfCgl+coeP7OSR6eqP+YPlE5RoXrKEAz544jyLRUcbw6iiIeLTozHiTwIubRji0bxJybFr48ePKsDyIW2xpY7YjpRXVc2xOOzJE+ZXbymD/8LSdR42c0nNBW+sIgGP0raVpLATxr35bj9B+vh37oTnVEN4JyYgrVvhjlhlErnaLFIZ0G2U73tjiJD/361q62PPBC4jWeDHNK5VnNe4pPIczsYEwwQTh2EtAtpn0CCKn179HRGl5mlj9LhX3JzaZPGEmDPzS0JfiU15YxlAlgrG35x5mahZcc/oHjZyZc7XVqwlPk0GCdAGhfrnRwcedDwVsGGvNg49ciqdCjPREKknXMqFO+KAq+w
2kePK+OMi 3+rKzgWhurgI/hvpb+ucwhF5KpraIfJdzoTiwWYnxSGww2EJRXq/0ozIyQB9DZmOCD5tcHnKFjCjudgtiIbdBLmzxeNwG3SgDqPkkn31KK9jobWO5PGjCPUc6AvUD4GSYhw9En4xkRbsbbRztGCrXfpa0NpMysbo71YruK1gc9dccnwdSxTDZZEoxH8FqR6hUt5PAAxLi30UX5vqq9gXObzmlExIgeopyU2XkMIaa/HtAKPpCrZpeFQcbDC+bfos1vYUnGfVennTaFch47rWARdgLI1dGqq88lrJhfzKhS+ZWKHMDbdKs5OgNmvIt5kTWpbeie4qPW2volholu5wrmBz9Tpuhx7gwg/Zp3PeLCoPkvXCRAqQQKtZsnP+xKVW9+cugIN4GKLf60DbK897RRJcTP14nRo+tgYfdR2gKgZaiPNGXjz7wFUK7ApxSPEF//LBoLOOwSURVk4ckpPbam5M5KZydcAMRTxHbNUXlTPpcTCd/XkU0A/hsqVMvYBru2dcS0I9CQ4tfb8I2OTIZ2webSvgw0UjZmf+LHVRWiIhY+hMJ5aVpoLa3sVm22j9Yq+ZYIm+QbrRjJFBejzjeMgC8vJiL6hBgeEQDmInnpnYmR2AW6ZTjfNyyGTwwSCN9IqvJ5frJ9GAFv9PDnY78/tZuymXzzVaMxQPSqYsw+EXPTbn3onlJCoOUClG41s/kdwqebFguxUSm6MKZiEqirmY8VCalLF/W++jtQZbIeL8atplGe8A4R8dxIE25ArF3XXNykuGZQoJdlSZC/ZgNv6usBFUzZEuyB/luTkMW0V9dGO2otxR3xSYAR5d+mAzZsllaH/fOPD/904LijaO1+K8REwr3uUNe8hDZaErCTbnL09feZISe6+NykTw5runFqbiOlgGP6qvjc/qFLJy65LiQMj1+fWaz87UkshQH4nqOOROLFRP7HbeJI9UcXXoRQ2e/l2iDC5gDaM7xmmA7HE91vLD4X
CT6W5obbS C5t9COUSU88UubAzXX+DjFtRL/e0E94/nfpKiFDsRlWJJwKIFybBqezGksdmU21VEh/Z7vzNRvlmAAsz6vepof4cNL4PkHOhn8BSnFI6wDZahPj9WzIZ7ePeUkz5NpTdYfqX6VcHzANAgiygeLx8EaT9dCaOPj3PEGU/QkCcFKFcY1l8LGGUUW8Rudje0MRarcRh+ms51nwuoCAB5Gr+73GYb+2Ir3DYQme3ym0zGfsqTl8gR707/lvdxgVP3ShqSwvD6tr0rgd1r5pG8BESQbak9bFdq6cNZpTLVQ3/AsOd7FBdlWlPCE6I9eU70NNQy3iKxJljVb//5xrcjEDa9ulQc=</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </saml2:EncryptedAssertion>
</saml2p:Response>

11:09:55.379 - INFO [Shibboleth-Audit:1028] - 20170502T090955Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|ni2j9u3i4d749ask9434jsgon0i9g7u2|cloud.etrs.terre.defense.gouv.fr|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_3b1e03d6935882d3eb5d3f9242fb1426|fabrice.pollet|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid,email,transientId,|_9d5c99cfc524cd833e5e19406c95538e||


Here are the CloudStack logs:


2017-05-02 10:10:10,732 DEBUG [c.c.a.ApiServlet] (catalina-exec-20:ctx-52243a80) (logid:f3e20c3e)
===START===  172.16.96.7 -- GET  command=samlSso&idpid=https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth&response=json
2017-05-02 10:10:10,732 DEBUG [c.c.a.ApiServlet] (catalina-exec-20:ctx-52243a80) (logid:f3e20c3e)
Session cookie is marked secure!
2017-05-02 10:10:10,735 DEBUG [o.a.c.a.c.SAML2LoginAPIAuthenticatorCmd] (catalina-exec-20:ctx-52243a80)
(logid:f3e20c3e) Sending SAMLRequest id=mdp1ikdn2elvck5uilfbs266ahop200v
2017-05-02 10:10:10,903 DEBUG [c.c.a.ApiServlet] (catalina-exec-20:ctx-52243a80) (logid:f3e20c3e)
===END===  172.16.96.7  -- GET  command=samlSso&idpid=https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth&response=json

Here is the error in the browser: https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso
:


<loginresponse cloud-stack-version="4.9.2.0"><errorcode>531</errorcode><errortext>Received
SAML response for a SSO request that we may not have made or has expired, please try logging
in again</errortext></loginresponse>

Thank you again for your time.


Le 28/04/2017 11:23, Rohit Yadav a écrit :

Hi Fabrice,


I looked at the IdP XML, with the SAML2 plugin enabled/configured in CloudStack when users
click on login they will be redirected to https://idp.etrs.terre.defense.gouv.fr/idp/profile/SAML2/Redirect/SSO
(with a saml token). After this, I'm not sure how your setup/IdP should behave on handling
the redirection or use of the REMOTE_USER environment variable.


A sort of a hack you can try is to replace the SSO URL in your xml file (saved in /etc/cloudstack/management/)
to https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword and see if that works for
you.


Regards.

rohit.yadav@shapeblue.com<mailto:rohit.yadav@shapeblue.com>
www.shapeblue.com<http://www.shapeblue.com>
@shapeblue




________________________________
From: Fabrice Pollet <fabrice.pollet@etrs.terre.defense.gouv.fr><mailto:fabrice.pollet@etrs.terre.defense.gouv.fr>
Sent: 27 April 2017 14:30:53
To: Rohit Yadav; users@cloudstack.apache.org<mailto:users@cloudstack.apache.org>; fabrice.pollet@etrs.fr<mailto:fabrice.pollet@etrs.fr>
Subject: Re: Shibboleth and CloudStack

I tried your solution to save the IdP metadata in file /etc/cloudstack/management/idp-metadata.xml
and I found my IdP in the selection proposed by CloudStack. In any case it shows me the possibility
of adding other IdP and that is very good.

However, I come back to the same situation. My Cloud refers to the native authentication of
my IdP instead of the SSO-CAS.

I specify that my IdP has been working since 2015 with the Federation RENATER and that its
external services are well redirected to our SSO-CAS.

Maybe a REMOTE_USER environment variable problem between the SP and the IdP?


Le 27/04/2017 09:10, Fabrice Pollet a écrit :
Hello,

The IdP metadata can also be read at this public URL https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth.

The SP metadata is not public at the moment (see attached).

For me the redirection should be done towards https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser
(SSO-CAS) instead of https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword.

My IdP server has the SP metadata (the "backingFile" is filled automatically).

I will try your workaround.

I would like to inform you and thank you in advance.

Regards,

Le 26/04/2017 17:29, Rohit Yadav a écrit :

Hi Fabrice,


I could not open the URLs (they are not public) so cannot verify the XML metadata.


The IdP metadata http://idp.etrs.terre.defense.gouv.fr:8080/idp/shibboleth will include list
of supported IDP server endpoints that support http-redirect (binding is set to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect)
based single-sign on. The current SAML2 plugin only supports and works with the Http-Redirect
binding only.


If you can share the xml with me, I can verify the SSO URL. Likely, the URL https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword
must be one of the allowed SSO http-redirect based endpoints.


You may try this workaround -- assuming your IdP server has the SP metadata (i.e. the xml
that you get from "http://cloud.etrs.terre.defense.gouv.fr:8080/client/api?command=getSPMetadata")
added/enabled; you can download and save the IdP metadata (make any URL modification that
you want) to be file such as 'idp-metadata.xml' in /etc/cloudstack/management on the management
server(s) and then in the global setting set the 'saml2.idp.metadata.url' to the value  'idp-metadata.xml'
(without the quotes). Then, restart the mgmt server(s), it will read the metadata from this
file location instead of the URL.


The SAML2 plugin also allows for multiple idps defined (for example, in case of a federation
it will retrieve and list all the available SSO site, for example search for CAFe saml federation).


Regards.

________________________________
From: Fabrice Pollet <fabrice.pollet@etrs.terre.defense.gouv.fr><mailto:fabrice.pollet@etrs.terre.defense.gouv.fr>
Sent: 26 April 2017 17:31:46
To: users@cloudstack.apache.org<mailto:users@cloudstack.apache.org>
Subject: Shibboleth and CloudStack

Hello,

I'm trying to configure SAML2 SSO support to connect CloudStack 4.9.2.0
as a service provider (SP) to our own identity provider Shibboleth 2.4.4
(IdP - Authentication Service and Authorization based on XML).

I have completed the following CloudStack SAML2 settings:

saml2.append.idpdomain = false

saml2.default.idpid = néant

saml2.enabled = true

saml2.idp.metadata.url =
http://idp.etrs.terre.defense.gouv.fr:8080/idp/shibboleth
<http://idp.etrs.terre.defense.gouv.fr:8080/idp/shibboleth>

saml2.redirect.url = https://cloud.etrs.terre.defense.gouv.fr/client

saml2.sigalg = SHA256

saml2.sp.id = cloud.etrs.terre.defense.gouv.fr

saml2.sp.slo.url =
https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSlo
<https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSlo>

saml2.sp.sso.url =
https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso

saml2.user.attribute = uid


But the URL SSO-SAML2
https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso
returns me to the native authentication URL of our IdP
https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword
instead of the SSO-CAS delegation URL
https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser.


The meta data of my SP are listed in my IdP (from the configuration file
relying-party.xml):

<!-- Metadonnées de ETRS CloudStack -->

<metadata:MetadataProvider id="cloud.etrs.terre.defense.gouv.fr"
xsi:type="metadata:FileBackedHTTPMetadataProvider"

metadataURL="http://cloud.etrs.terre.defense.gouv.fr:8080/client/api?command=getSPMetadata"

backingFile="/opt/shibboleth-idp/metadata/main-sps-etrs-cloudstack-metadata.xml">

</metadata:MetadataProvider>

Thank you for your help.


--
IEF MINDEF POLLET Fabrice

TERRE/COMSIC/ETRS/DGF/BAF/ING-NEF/PFI-PEDA
COMSIC BP18 35998 RENNES 9 France

821 354 34 82 / 02 99 84 34 82
fabrice.pollet@etrs.fr<mailto:fabrice.pollet@etrs.fr> (Internet)
fabrice-c.pollet@intradef.gouv.fr<mailto:fabrice-c.pollet@intradef.gouv.fr> (Intradef)


rohit.yadav@shapeblue.com<mailto:rohit.yadav@shapeblue.com>
www.shapeblue.com<http://www.shapeblue.com>
@shapeblue


rohit.yadav@shapeblue.com 
www.shapeblue.com
53 Chandos Place, Covent Garden, London  WC2N 4HSUK
@shapeblue
  
 


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message