[ https://issues.apache.org/jira/browse/CLOUDSTACK-8035?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14273347#comment-14273347 ]

Rohit Yadav commented on CLOUDSTACK-8035:
-----------------------------------------

SAML SP metadata is not static with every server restart. This is a potential 
security issue, changing status to critical. The fix would be to save the first 
generated public key to the database.

> SAML SP metadata changes with every CloudStack restart
> ------------------------------------------------------
>
>                 Key: CLOUDSTACK-8035
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8035
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>            Reporter: Rohit Yadav
>            Assignee: Rohit Yadav
>            Priority: Critical
>             Fix For: 4.5.0, 4.6.0
>
>
> The getSPMetadata API uses the private key to generate public keys every time 
> CloudStack restarts. This is a non-issue, as SAML tokens checked by previous 
> public keys are still validated by the same private key, but we need to store 
> it in the DB and not re-create them every time the mgmt server restarts.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
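
An added example, not CloudStack's own code and not part of the message above: one way to keep the key published in SP metadata stable across restarts is to load the key pair from storage and generate it only when none exists. The `db` map and the `saml.sp.*` key names are hypothetical stand-ins for a database table, and the sketch stores both halves of the key pair rather than only the public key.

```java
import java.security.*;
import java.security.spec.*;
import java.util.*;

public class SpKeyStoreExample {
    // Hypothetical stand-in for a persistent key/value table in the database.
    static final Map<String, String> db = new HashMap<>();

    // Return the stored SP key pair, creating and saving it only on first use.
    static KeyPair loadOrCreateSpKeyPair() throws GeneralSecurityException {
        String pub = db.get("saml.sp.publickey");
        String priv = db.get("saml.sp.privatekey");
        // A half-written record must not silently trigger a key rotation.
        if ((pub == null) != (priv == null)) {
            throw new IllegalStateException("incomplete SP key pair in storage");
        }
        if (pub != null) {
            KeyFactory kf = KeyFactory.getInstance("RSA");
            Base64.Decoder dec = Base64.getDecoder();
            PublicKey publicKey =
                kf.generatePublic(new X509EncodedKeySpec(dec.decode(pub)));
            PrivateKey privateKey =
                kf.generatePrivate(new PKCS8EncodedKeySpec(dec.decode(priv)));
            return new KeyPair(publicKey, privateKey);
        }
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        Base64.Encoder enc = Base64.getEncoder();
        // getEncoded() yields X.509 (public) and PKCS#8 (private) DER bytes.
        db.put("saml.sp.publickey", enc.encodeToString(kp.getPublic().getEncoded()));
        db.put("saml.sp.privatekey", enc.encodeToString(kp.getPrivate().getEncoded()));
        return kp;
    }

    // SHA-256 over the encoded public key, for comparing what metadata would publish.
    static String fingerprint(PublicKey key) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(key.getEncoded());
        return Base64.getEncoder().encodeToString(digest);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        String first = fingerprint(loadOrCreateSpKeyPair().getPublic());
        // Second call simulates a management server restart reading the same table.
        String second = fingerprint(loadOrCreateSpKeyPair().getPublic());
        System.out.println("public key stable across restarts: " + first.equals(second));
    }
}
```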
