[jira] [Commented] (CLOUDSTACK-8462) SAML: Auth plugin should handle authorization and disallow users who are not allowed

Tue, 12 May 2015 22:05:14 -0700 

    [ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8462?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14541330#comment-14541330
 ] 

Rajani Karuturi commented on CLOUDSTACK-8462:
---------------------------------------------

Ldap currently doesnt support authrorization. Its only authentication.
Are you planning to add authorization with this? How are you planning to map 
the external roles to cloudstack user/account types?  

> SAML: Auth plugin should handle authorization and disallow users who are not 
> allowed
> ------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-8462
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8462
>             Project: CloudStack
>          Issue Type: Sub-task
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>          Components: SAML
>            Reporter: Rohit Yadav
>            Assignee: Rohit Yadav
>            Priority: Critical
>             Fix For: Future, 4.6.0, 4.5.2
>
>
> At the time of writing the auth plugin, I did not consider many security 
> issues. The current SAML2 auth plugin would automatically create users and 
> allow them inside CloudStack which in production could cause a severe 
> security issue, especially in environment with public IdP server infra such 
> as large institutions. Therefore, the idea is to let admin add/import users 
> manually or from LDAP and then allow them to be SAML authenticated. This 
> delegates the security issue and account creation/handling to the admin or 
> some other business layer/system.
> The following scenario would be supported:
> - Admin adds a user either manually or importing from LDAP etc.
> - Admin can then specify (multi-select or through API) a list of  one or more 
> users with their username (or any unique ID) to be allowed to be SAML 
> authenticated
> Assumption here is that every SAML authenticated user would have a unique 
> username mapped into CloudStack. Edge case handling: In case multiple users 
> exist in CloudStack with the same username (could be across domains) and if 
> the admin enables SAML authentication for all those user account, then the 
> plugin would assume all the users as the same and allowed by the SAML 
> authenticated user. Then, upon log in, the user should be able to 
> select/switch between all such accounts under any of the domains.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to