[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8457?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14593331#comment-14593331
 ] 

ASF GitHub Bot commented on CLOUDSTACK-8457:
--------------------------------------------

GitHub user bhaisaab opened a pull request:

    https://github.com/apache/cloudstack/pull/489

    CLOUDSTACK-8457: SAML auth plugin improvements for production usage

    Squashed the saml-production-grade branch to one commit for easy 
merge/commit. Open for review, but please don't merge it yet as I'm yet to 
improve some UI changes.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/apache/cloudstack saml-pp-squashed

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cloudstack/pull/489.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #489
    
----
commit 2721bf0cffbd1b99bc9ced44697be32e4b52c41e
Author: Rohit Yadav <[email protected]>
Date:   2015-05-28T12:50:12Z

    CLOUDSTACK-8457: SAML auth plugin improvements for production usage
    
    * Move config options to SAML plugin
      This moves all configuration options from Config.java to SAML auth manager. This
      allows us to use the config framework.
    * Make SAML2UserAuthenticator validate SAML token in httprequest
    * Make logout API use ConfigKeys defined in saml auth manager
    * Before doing SAML auth, cleanup local states and cookies
    * Fix configurations in 4.5.1 to 4.5.2 upgrade path
    * Fail if idp has no sso URL defined
    * Add a default set of SAML SP cert for testing purposes
      Now to enable and use saml, one needs to do a deploydb-saml after doing a deploydb
    
    - CLOUDSTACK-8458:
        * On UI show dropdown list of discovered IdPs
        * Support SAML Federation, where there may be more than one IdP
            - New datastructure to hold metadata of SP or IdP
            - Recursive processing of IdP metadata
            - Fix login/logout APIs to get new interface and metadata data structure
            - Add org/contact information to metadata
            - Add new API: listIdps that returns list of all discovered IdPs
            - Refactor and cleanup code and tests
    
    - CLOUDSTACK-8459:
        * Add HTTP-POST binding to SP metadata
        * Authn requests must use either HTTP POST/Artifact binding
    
    - CLOUDSTACK-8461:
        * Use unspecified x509 cert as a fallback encryption/signing key
          In case an IdP's metadata does not clearly say if their certificates need to be
          used as signing or encryption and we don't find that, fall back to use the
          unspecified key itself.
    
    - CLOUDSTACK-8462:
        * SAML Auth plugin should not do authorization
          This removes logic to create users if they don't exist. This strictly now
          assumes that users have been already created/imported/authorized by admins.
          As per SAML v2.0 spec section 4.1.2, the SP provider should create authn requests using
          either HTTP POST or HTTP Artifact binding to transfer the message through a
          user agent (browser in our case). The use of HTTP Redirect was one of the reasons
          why this plugin failed to work for some IdP servers that enforce this.
        * Add new User Source
          By reusing the source field, we can find if a user has been SAML enabled or not.
          The limitation is that, once say a user is imported by LDAP and then SAML
          enabled - they won't be able to use LDAP for authentication
        * UI should allow users to pass in domain they want to log into
        * SAML users need to be authorized before they can authenticate
            - New column entity to track saml entity id for a user
            - Reusing source column to check if user is saml enabled or not
            - Add new source types, saml2 and saml2disabled
            - New table saml_token to solve the issue of multiple users across domains and
              to enforce security by tracking authn token and checking the samlresponse for
              the tokens
            - Implement API: authorizeSamlSso to enable/disable saml authentication for a
              user
            - Stubs to implement saml token flushing/expiry
    
    - CLOUDSTACK-8463:
        * Use username attribute specified in global setting
          Use username attribute defined by admin from a global setting
          In case of encrypted assertion/attributes:
          - Decrypt them
          - Check signature if provided to check authenticity of message using IdP's
            public key and SP's private key
          - Loop through attributes to find the username
    
    - CLOUDSTACK-8538:
        * Add new global config for SAML request sig algorithm
    
    - CLOUDSTACK-8539:
        * Add metadata refresh timer task and token expiring
            - Fix domain path and save it to saml_tokens
            - Expire hour old saml tokens
            - Refresh metadata based on timer task
            - Fix unit tests

----


> Make SAML plugin production grade
> ---------------------------------
>
>                 Key: CLOUDSTACK-8457
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8457
>             Project: CloudStack
>          Issue Type: Improvement
>      Security Level: Public (Anyone can view this level - this is the default.)
>          Components: SAML
>            Reporter: Rohit Yadav
>            Assignee: Rohit Yadav
>             Fix For: Future, 4.6.0, 4.5.2
>
>
> The current SAML plugin is not well tested with major IdPs used in production 
> such as Shibboleth. It is also limited to using HTTP-redirect only and does 
> not support HTTP-Post and other artifacts. Further, the security concerns are 
> not well addressed, for example both authorization, creation of 
> users/accounts (on first login) and authentication are done by the plugin, 
> which needs to be tested wrt security, addressed and improved.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
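The saml_token design described in the commit message above (CLOUDSTACK-8462 and CLOUDSTACK-8539) is: record every AuthnRequest ID the SP issues together with the domain path it was issued for, accept a SAMLResponse only if its InResponseTo matches a live record, consume that record so the same response cannot be replayed, and expire records that are an hour old. The following is an added illustration of that flow in Python using only the standard library; it is not CloudStack's code (the real plugin is Java on OpenSAML). The SamlTokenStore class, the validate_response function and the sample Response document are constructed for this example, and signature verification and assertion decryption are assumed to have already been done before validate_response runs.

```python
"""SP-side request-ID ("saml_token") bookkeeping: issue, expire, consume,
and check InResponseTo on the returned SAMLResponse.
Constructed example, not CloudStack code."""
import secrets
import time
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TOKEN_TTL_SECONDS = 3600  # "expire hour old saml tokens"


class SamlTokenStore:
    """In-memory stand-in for the saml_token table (hypothetical helper)."""

    def __init__(self):
        self._tokens = {}  # request_id -> (domain_path, created_at)

    def issue(self, domain_path, now=None):
        # SAML IDs are xs:ID (NCName), so they must not start with a digit.
        request_id = "_" + secrets.token_hex(16)
        self._tokens[request_id] = (domain_path, time.time() if now is None else now)
        return request_id

    def expire(self, now=None):
        """Drop tokens older than TOKEN_TTL_SECONDS; returns how many were dropped."""
        now = time.time() if now is None else now
        stale = [rid for rid, (_, t) in self._tokens.items() if now - t > TOKEN_TTL_SECONDS]
        for rid in stale:
            del self._tokens[rid]
        return len(stale)

    def consume(self, request_id, now=None):
        """Return the domain path of a live token and remove it (single use)."""
        self.expire(now)
        entry = self._tokens.pop(request_id, None)
        return entry[0] if entry else None


def validate_response(xml_text, store, username_attr, now=None):
    """Accept a SAMLResponse only if InResponseTo matches a live, unused token
    and the status is Success; then pull the configured username attribute.
    Returns {"username", "domain_path"} or None. Signature/decryption checks
    are assumed to have been performed by the caller beforehand."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return None
    domain_path = store.consume(root.get("InResponseTo"), now)
    if domain_path is None:
        return None  # unknown, replayed or expired request ID
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        return None
    # Loop through the attributes to find the admin-configured username attribute.
    for attr in root.iterfind("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == username_attr:
            value = attr.find("saml:AttributeValue", NS)
            if value is not None and value.text:
                return {"username": value.text.strip(), "domain_path": domain_path}
    return None


def _response_xml(in_response_to, username):
    """Constructed, unsigned sample Response; a real SP verifies the signature first."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" InResponseTo="{in_response_to}">
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="uid"><saml:AttributeValue>{username}</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def demo():
    """Fresh response accepted; replay, hour-old token and unissued ID rejected."""
    store = SamlTokenStore()
    t0 = 1_000_000.0
    rid = store.issue("/ROOT/acme", now=t0)
    first = validate_response(_response_xml(rid, "alice"), store, "uid", now=t0 + 60)
    replay = validate_response(_response_xml(rid, "alice"), store, "uid", now=t0 + 61)
    stale_id = store.issue("/ROOT/acme", now=t0)
    stale = validate_response(_response_xml(stale_id, "alice"), store, "uid", now=t0 + 3601)
    forged = validate_response(_response_xml("_notissued", "alice"), store, "uid", now=t0)
    return first, replay, stale, forged


if __name__ == "__main__":
    print(demo())
```

The single-use consume is what turns the stored token into a replay guard: the same SAMLResponse posted twice fails on the second attempt even though it is otherwise well formed, and an ID the SP never issued is rejected without needing to inspect the rest of the message.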
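For the metadata-handling items in the commit message (CLOUDSTACK-8458 recursive processing of federation metadata with more than one IdP, CLOUDSTACK-8459 HTTP-POST binding, CLOUDSTACK-8461 falling back to a KeyDescriptor with no use attribute, and "fail if idp has no sso URL defined"), here is an added example in Python, not the plugin's own code. The function names and the sample metadata document are constructed for this illustration, and the X509Certificate contents are placeholder strings standing in for base64 DER.

```python
"""Selecting IdP certificates and an SSO endpoint from SAML metadata, walking
nested EntitiesDescriptor elements so a federation file yields every IdP.
Constructed example, not CloudStack code."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


class MetadataError(ValueError):
    pass


def select_cert(idp_desc, use):
    """Return the certificate for `use` ('signing' or 'encryption'). If no
    KeyDescriptor is labelled with that use, fall back to the first one that
    carries no use attribute at all (the "unspecified" key)."""
    fallback = None
    for kd in idp_desc.iterfind("md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not cert.text:
            continue
        kd_use = kd.get("use")
        if kd_use == use:
            return cert.text.strip()
        if kd_use is None and fallback is None:
            fallback = cert.text.strip()
    return fallback


def select_sso_url(idp_desc):
    """Require an HTTP-POST SingleSignOnService; fail loudly otherwise."""
    services = {s.get("Binding"): s.get("Location")
                for s in idp_desc.iterfind("md:SingleSignOnService", NS)}
    if not services:
        raise MetadataError("IdP has no SingleSignOnService defined")
    if BINDING_POST not in services:
        raise MetadataError("IdP offers no HTTP-POST SSO binding")
    return BINDING_POST, services[BINDING_POST]


def discover_idps(root):
    """Walk every EntityDescriptor under root (iter() descends through nested
    EntitiesDescriptor elements) and return the usable IdPs."""
    found = []
    for entity in root.iter("{%s}EntityDescriptor" % MD):
        idp = entity.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue
        try:
            binding, url = select_sso_url(idp)
        except MetadataError:
            continue  # skip an unusable IdP rather than abort the whole refresh
        found.append({
            "entity_id": entity.get("entityID"),
            "binding": binding,
            "sso_url": url,
            "signing_cert": select_cert(idp, "signing"),
            "encryption_cert": select_cert(idp, "encryption"),
        })
    return found


# Constructed federation metadata: idp-a labels its keys and offers both
# bindings; idp-b (nested) has one unlabelled key and POST only; the third
# entity publishes no SSO endpoint and must be skipped.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}">
  <md:EntityDescriptor entityID="https://idp-a.example/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>SIGN-A</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>ENC-A</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService Binding="{BINDING_REDIRECT}" Location="https://idp-a.example/sso/redirect"/>
      <md:SingleSignOnService Binding="{BINDING_POST}" Location="https://idp-a.example/sso/post"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntitiesDescriptor Name="nested-federation">
    <md:EntityDescriptor entityID="https://idp-b.example/idp">
      <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>ANY-B</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
        <md:SingleSignOnService Binding="{BINDING_POST}" Location="https://idp-b.example/sso"/>
      </md:IDPSSODescriptor>
    </md:EntityDescriptor>
    <md:EntityDescriptor entityID="https://broken.example/idp">
      <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    </md:EntityDescriptor>
  </md:EntitiesDescriptor>
</md:EntitiesDescriptor>"""


def parse_sample():
    return discover_idps(ET.fromstring(SAMPLE_METADATA))


if __name__ == "__main__":
    for idp in parse_sample():
        print(idp)
```

Note that for idp-b the same unlabelled certificate is returned for both signing and encryption, which is exactly the fallback the commit message describes; a production SP should still log when it takes that path so an operator can see the IdP's metadata is ambiguous.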
