[ https://issues.apache.org/jira/browse/CLOUDSTACK-8037?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14274971#comment-14274971 ]
ASF subversion and git services commented on CLOUDSTACK-8037:
-------------------------------------------------------------
Commit 1a7f76ac77b05eec796637f96b4ceca3f1c7af33 in cloudstack's branch
refs/heads/vmware-disk-controllers from [[email protected]]
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=1a7f76a ]
CLOUDSTACK-8037: Fix attribute detection, tested to work with onelogin.com
Signed-off-by: Rohit Yadav <[email protected]>
(cherry picked from commit 23de431f96e1dad8a21055ac98926c428e83c775)
Signed-off-by: Rohit Yadav <[email protected]>
> Survey security of using SAML plugin in production and test against standard
> IDPs
> ---------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-8037
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8037
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public (Anyone can view this level - this is the default.)
> Reporter: Rohit Yadav
> Assignee: Rohit Yadav
> Priority: Critical
> Fix For: 4.5.0, 4.6.0
>
>
> Since the SAML plugin will ship with 4.5, and while it's not enabled by default,
> we need to do a lot of testing and make sure whatever we're shipping works
> generally in most cases. While the protocol does not dictate what different
> metadata an IDP should return other than NameID (like a UUID), it needs to
> work just based on that and provide other mechanisms to support additional
> metadata such as email, name, timezone, etc.
> The other main aim is to test various possible loopholes it could have, or
> exploits or bad conflicts with respect to transient vs non-transient/unique
> NameIDs and SAML token signature checking, as well as the HTTP-redirected
> authentication process. Final set of tests (possibly automated tests) or
> manual QA against known standard IDP implementations, for example openidp,
> ssocircle, shibboleth, etc.