I tried your solution to save the IdP metadata in the file /etc/cloudstack/management/idp-metadata.xml and I found my IdP in the selection proposed by CloudStack. In any case it shows me the possibility of adding other IdPs, and that is very good.

However, I come back to the same situation. My Cloud refers to the native authentication of my IdP instead of the SSO-CAS. I specify that my IdP has been working since 2015 with the RENATER Federation and that its external services are correctly redirected to our SSO-CAS. Maybe a REMOTE_USER environment variable problem between the SP and the IdP?

On 27/04/2017 09:10, Fabrice Pollet wrote:
> Hello,
>
> The IdP metadata can also be read at this public URL
> https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth.
>
> The SP metadata is not public at the moment (see attached).
>
> For me the redirection should be done towards
> https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser (SSO-CAS)
> instead of https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword.
>
> My IdP server has the SP metadata (the "backingFile" is filled
> automatically).
>
> I will try your workaround.
>
> I would like to inform you and thank you in advance.
>
> Regards,
>
> On 26/04/2017 17:29, Rohit Yadav wrote:
>> Hi Fabrice,
>>
>> I could not open the URLs (they are not public) so cannot verify the
>> XML metadata.
>>
>> The IdP metadata http://idp.etrs.terre.defense.gouv.fr:8080/idp/shibboleth will
>> include a list of supported IdP server endpoints that support
>> http-redirect (binding is set to
>> urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect) based
>> single-sign on. The current SAML2 plugin only supports and works with
>> the Http-Redirect binding.
>>
>> If you can share the xml with me, I can verify the SSO URL. Likely,
>> the URL https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword must be
>> one of the allowed SSO http-redirect based endpoints.
>>
>> You may try this workaround -- assuming your IdP server has the SP
>> metadata (i.e. the xml that you get from
>> "http://cloud.etrs.terre.defense.gouv.fr:8080/client/api?command=getSPMetadata")
>> added/enabled; you can download and save the IdP metadata (make any
>> URL modification that you want) to a file such as 'idp-metadata.xml'
>> in /etc/cloudstack/management on the management server(s) and then in
>> the global settings set 'saml2.idp.metadata.url' to the value
>> 'idp-metadata.xml' (without the quotes). Then restart the mgmt
>> server(s); it will read the metadata from this file location instead
>> of the URL.
>>
>> The SAML2 plugin also allows for multiple IdPs to be defined (for example,
>> in case of a federation it will retrieve and list all the available
>> SSO sites; for example search for the CAFe SAML federation).
>>
>> Regards.
>>
>> ------------------------------------------------------------------------
>> *From:* Fabrice Pollet
>> *Sent:* 26 April 2017 17:31:46
>> *To:* users@cloudstack.apache.org (address redacted in the archive)
>> *Subject:* Shibboleth and CloudStack
>>
>> Hello,
>>
>> I'm trying to configure SAML2 SSO support to connect CloudStack 4.9.2.0
>> as a service provider (SP) to our own identity provider Shibboleth 2.4.4
>> (IdP - Authentication Service and Authorization based on XML).
>>
>> I have completed the following CloudStack SAML2 settings:
>>
>> saml2.append.idpdomain = false
>> saml2.default.idpid = néant
>> saml2.enabled = true
>> saml2.idp.metadata.url = http://idp.etrs.terre.defense.gouv.fr:8080/idp/shibboleth
>> saml2.redirect.url = https://cloud.etrs.terre.defense.gouv.fr/client
>> saml2.sigalg = SHA256
>> saml2.sp.id = cloud.etrs.terre.defense.gouv.fr
>> saml2.sp.slo.url = https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSlo
>> saml2.sp.sso.url = https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso
>> saml2.user.attribute = uid
>>
>> But the SSO-SAML2 URL
>> https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso
>> returns me to the native authentication URL of our IdP
>> https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword
>> instead of the SSO-CAS delegation URL
>> https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser.
>>
>> The metadata of my SP are listed in my IdP (from the configuration file
>> relying-party.xml):
>>
>> <!-- ETRS CloudStack metadata -->
>> <metadata:MetadataProvider id="cloud.etrs.terre.defense.gouv.fr"
>>     xsi:type="metadata:FileBackedHTTPMetadataProvider"
>>     metadataURL="http://cloud.etrs.terre.defense.gouv.fr:8080/client/api?command=getSPMetadata"
>>     backingFile="/opt/shibboleth-idp/metadata/main-sps-etrs-cloudstack-metadata.xml">
>> </metadata:MetadataProvider>
>>
>> Thank you for your help.
>>
>> --
>> IEF MINDEF POLLET Fabrice
>> TERRE/COMSIC/ETRS/DGF/BAF/ING-NEF/PFI-PEDA
>> COMSIC BP18 35998 RENNES 9 France
>>
>> www.shapeblue.com
>> @shapeblue
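The thread turns on which SingleSignOnService endpoint the CloudStack SAML2 plugin takes from the IdP metadata (HTTP-Redirect binding only, per Rohit's reply) and on the local idp-metadata.xml workaround. The following added example, which is not code from the thread or from CloudStack, lists the SSO endpoints of every IdP in a metadata document by binding and rewrites one Location for the local file; the sample metadata, entityID and URLs are constructed placeholders.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def md(tag):
    # Clark-notation name for an element in the SAML metadata namespace.
    return "{%s}%s" % (MD_NS, tag)


# Constructed sample IdP metadata (placeholder entityID and URLs, not the real IdP's).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def sso_endpoints(metadata_xml, binding=HTTP_REDIRECT):
    """Map entityID -> SSO Locations with the given binding; handles a single
    EntityDescriptor or a federation EntitiesDescriptor (IdPs without it are omitted)."""
    root = ET.fromstring(metadata_xml)
    found = {}
    for entity in root.iter(md("EntityDescriptor")):  # iter() includes root itself
        locations = [s.get("Location")
                     for s in entity.iter(md("SingleSignOnService"))
                     if s.get("Binding") == binding]
        if locations:
            found[entity.get("entityID")] = locations
    return found


def rewrite_sso_location(metadata_xml, old_location, new_location,
                         binding=HTTP_REDIRECT):
    """Return (new_xml, count) with matching SSO Locations replaced, for the local
    idp-metadata.xml workaround; an enveloped XML signature no longer validates after this."""
    ET.register_namespace("md", MD_NS)
    root = ET.fromstring(metadata_xml)
    count = 0
    for service in root.iter(md("SingleSignOnService")):
        if service.get("Binding") == binding and service.get("Location") == old_location:
            service.set("Location", new_location)
            count += 1
    return ET.tostring(root, encoding="unicode"), count
```

Run `sso_endpoints` over the downloaded metadata first to see which Location the plugin will redirect to; if the file is edited, re-run it on the result to confirm the change took.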
