rhtyd commented on issue #4519: URL: https://github.com/apache/cloudstack/issues/4519#issuecomment-738883712
@kiwiflyer yes let's discuss and understand how the env was setup, I suspect it may be related to env configuration. @ngrosc can you share details of your IDP setup? For example the IDP xml metadata, what IDP server are you using (Shibboleth, keycloak etc).

Usually, the SP (CloudStack acts as a service provider in SAML terminology) is not in control of whether the SAML token is encrypted or not, and signing and encryption is enforced by the IDP server. For best practices, IDP servers generally should enforce that both signing and encryption be done and (authn) tokens be signed and encrypted (when this is done correctly we should see an encryption and signing public key in the IDP metadata xml, for example https://samltest.id/saml/idp). I think only if encryption is not enforced you'll be able to read/extract/change the token parameters, can you try to enforce encryption in your IDP and try your attack/test again? In case that works then we certainly have a blocker.

CloudStack's SAML support (SP) was implemented and tested against Shibboleth and you may use https://samltest.id/ to test the setup. For doc ref: http://docs.cloudstack.apache.org/en/latest/adminguide/accounts.html#using-a-saml-2-0-identity-provider-for-user-authentication
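The comment above says a correctly configured IdP should publish both a signing and an encryption public key in its metadata XML. The following is an added example, not CloudStack code and not from the commenter, that performs that check on a SAML 2.0 metadata document: it counts `KeyDescriptor` elements by `use` in the chosen role descriptor and reports whether signed AuthnRequests are required. The metadata string, the `idp.example.test` host and the certificate bodies are constructed placeholders.

```python
"""Inspect SAML 2.0 metadata for published signing and encryption keys.

Added example (not CloudStack's code). It reads the role descriptor
(IDPSSODescriptor by default) and reports which KeyDescriptor uses are
published, which is the first thing to verify when an IdP setup is
suspected of not enforcing signing or encryption.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample IdP metadata; host and certificate bodies are placeholders.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/idp/shibboleth">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-SIGNING-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-ENCRYPTION-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def inspect_metadata(xml_text, role="IDPSSODescriptor"):
    """Return a summary of the keys published in the given role descriptor.

    A KeyDescriptor without a 'use' attribute is valid for both signing and
    encryption under the SAML metadata spec, so it is counted toward both.
    Only descriptors that actually carry an X509Certificate are counted.
    """
    root = ET.fromstring(xml_text)
    descriptor = root.find("md:%s" % role, NS)
    if descriptor is None:
        raise ValueError("no %s in metadata" % role)
    counts = {"signing": 0, "encryption": 0}
    for kd in descriptor.findall("md:KeyDescriptor", NS):
        if kd.find(".//ds:X509Certificate", NS) is None:
            continue
        use = kd.get("use")
        if use in (None, "signing"):
            counts["signing"] += 1
        if use in (None, "encryption"):
            counts["encryption"] += 1
    return {
        "entity_id": root.get("entityID"),
        "signing_keys": counts["signing"],
        "encryption_keys": counts["encryption"],
        "wants_signed_authn_requests":
            descriptor.get("WantAuthnRequestsSigned") == "true",
    }


def metadata_findings(xml_text, role="IDPSSODescriptor"):
    """Return a list of findings worth raising; an empty list means none."""
    info = inspect_metadata(xml_text, role)
    findings = []
    if info["signing_keys"] == 0:
        findings.append("no signing certificate published (KeyDescriptor use=signing)")
    if info["encryption_keys"] == 0:
        findings.append("no encryption certificate published (KeyDescriptor use=encryption)")
    if role == "IDPSSODescriptor" and not info["wants_signed_authn_requests"]:
        findings.append("WantAuthnRequestsSigned is not true")
    return findings


if __name__ == "__main__":
    print(inspect_metadata(SAMPLE_METADATA))
    for finding in metadata_findings(SAMPLE_METADATA):
        print("finding:", finding)
```

Run it against the metadata downloaded from the IdP (for example the samltest.id URL in the comment) in place of the constructed sample. The `role` parameter lets the same check run on the SP side with `role="SPSSODescriptor"`: encryption of assertions sent to the SP depends on the SP publishing its own encryption certificate, so both documents are worth inspecting when comparing an environment against the expected setup.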
