Rohit Yadav created CLOUDSTACK-8462:
---------------------------------------
Summary: SAML: Auth plugin should handle authorization and
disallow users who are not allowed
Key: CLOUDSTACK-8462
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8462
Project: CloudStack
Issue Type: Sub-task
Security Level: Public (Anyone can view this level - this is the default.)
Components: SAML
Reporter: Rohit Yadav
Assignee: Rohit Yadav
Priority: Critical
Fix For: Future, 4.6.0, 4.5.2
At the time of writing the auth plugin, I did not consider many security
issues. The current SAML2 auth plugin would automatically create users and
allow them inside CloudStack which in production could cause a severe security
issue, especially in environment with public IdP server infra such as large
institutions. Therefore, the idea is to let admin add/import users manually or
from LDAP and then allow them to be SAML authenticated. This delegates the
security issue and account creation/handling to the admin or some other
business layer/system.
The following scenario would be supported:
- Admin adds a user either manually or importing from LDAP etc.
- Admin can then specify (multi-select or through API) a list of one or more
users with their username (or any unique ID) to be allowed to be SAML
authenticated
Assumption here is that every SAML authenticated user would have a unique
username mapped into CloudStack. Edge case handling: In case multiple users
exist in CloudStack with the same username (could be across domains) and if the
admin enables SAML authentication for all those user account, then the plugin
would assume all the users as the same and allowed by the SAML authenticated
user. Then, upon log in, the user should be able to select/switch between all
such accounts under any of the domains.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
