Hello,

Thank you very much for your answer.

Maybe I misunderstood because in my current configuration, CloudStack
refers to https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword
without any modification and that corresponds to the native
authentication of my IdP.

I wanted CloudStack to return to
https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser which
corresponds to my SSO-CAS.

So I followed your hack, but by replacing
https://idp.etrs.terre.defense.gouv.fr/idp/profile/SAML2/Redirect/SSO with
https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser in
/etc/cloudstack/management/idp-metadata.xml.

This time CloudStack redirects correctly to my SSO-CAS, which is progress.
Unfortunately, authentication does not succeed.

Here are the logs of the IdP at the time of the connection:

11:09:55.290 - INFO [Shibboleth-Access:73] -
20170502T090955Z|172.16.96.7|idp.etrs.terre.defense.gouv.fr:443|/profile/SAML2/Redirect/SSO|
11:09:55.378 - DEBUG [PROTOCOL_MESSAGE:74] -
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response
    Destination="https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso"
    ID="_3b1e03d6935882d3eb5d3f9242fb1426"
    InResponseTo="ni2j9u3i4d749ask9434jsgon0i9g7u2"
    IssueInstant="2017-05-02T09:09:55.320Z" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
        xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth</saml2:Issuer>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </saml2p:Status>
    <saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <xenc:EncryptedData Id="_61daeafb4f216c1e291b2130c8b56a35"
            Type="http://www.w3.org/2001/04/xmlenc#Element"
            xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"
                xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <xenc:EncryptedKey Id="_bae1f2d4c0b08c4fa70aa7169117c880"
                    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
                        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"
                            xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
                    </xenc:EncryptionMethod>
                    <ds:KeyInfo>
                        <ds:X509Data>
                            <ds:X509Certificate>MIIErzCCApcCBgFbR6o7sTANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBBcGFjaGVDbG91ZFN0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</ds:X509Certificate>
                        </ds:X509Data>
                    </ds:KeyInfo>
                    <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                        <xenc:CipherValue>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</xenc:CipherValue>
                    </xenc:CipherData>
                </xenc:EncryptedKey>
            </ds:KeyInfo>
            <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                <xenc:CipherValue>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</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </saml2:EncryptedAssertion>
</saml2p:Response>

11:09:55.379 - INFO [Shibboleth-Audit:1028] -
20170502T090955Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|ni2j9u3i4d749ask9434jsgon0i9g7u2|cloud.etrs.terre.defense.gouv.fr|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_3b1e03d6935882d3eb5d3f9242fb1426|fabrice.pollet|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid,email,transientId,|_9d5c99cfc524cd833e5e19406c95538e||


Here are the CloudStack logs:

2017-05-02 10:10:10,732 DEBUG [c.c.a.ApiServlet] (catalina-exec-20:ctx-52243a80) (logid:f3e20c3e) ===START=== 172.16.96.7 -- GET command=samlSso&idpid=https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth&response=json
2017-05-02 10:10:10,732 DEBUG [c.c.a.ApiServlet] (catalina-exec-20:ctx-52243a80) (logid:f3e20c3e) Session cookie is marked secure!
2017-05-02 10:10:10,735 DEBUG [o.a.c.a.c.SAML2LoginAPIAuthenticatorCmd] (catalina-exec-20:ctx-52243a80) (logid:f3e20c3e) Sending SAMLRequest id=mdp1ikdn2elvck5uilfbs266ahop200v
2017-05-02 10:10:10,903 DEBUG [c.c.a.ApiServlet] (catalina-exec-20:ctx-52243a80) (logid:f3e20c3e) ===END=== 172.16.96.7 -- GET command=samlSso&idpid=https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth&response=json



Here is the error in the browser:
https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso :

<loginresponse cloud-stack-version="4.9.2.0"><errorcode>531</errorcode><errortext>Received SAML response for a SSO request that we may not have made or has expired, please try logging in again</errortext></loginresponse>


Thank you again for your time.



Le 28/04/2017 11:23, Rohit Yadav a écrit :
>
> Hi Fabrice,
>
>
> I looked at the IdP XML, with the SAML2 plugin enabled/configured in
> CloudStack when users click on login they will be redirected
> to https://idp.etrs.terre.defense.gouv.fr/idp/profile/SAML2/Redirect/SSO (with
> a saml token). After this, I'm not sure how your setup/IdP should
> behave on handling the redirection or use of the REMOTE_USER
> environment variable.
>
>
> A sort of a hack you can try is to replace the SSO URL in your xml
> file (saved in /etc/cloudstack/management/)
> to https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword and
> see if that works for you.
>
>
> Regards.
>
> [email protected]
> www.shapeblue.com
> @shapeblue
>
> ------------------------------------------------------------------------
> *From:* Fabrice Pollet <[email protected]>
> *Sent:* 27 April 2017 14:30:53
> *To:* Rohit Yadav; [email protected]; [email protected]
> *Subject:* Re: Shibboleth and CloudStack
>  
> I tried your solution of saving the IdP metadata in the file
> /etc/cloudstack/management/idp-metadata.xml and I found my IdP in the
> selection proposed by CloudStack. In any case it shows me the
> possibility of adding other IdPs, and that is very good.
>
> However, I come back to the same situation. My Cloud refers to the
> native authentication of my IdP instead of the SSO-CAS.
>
> I should point out that my IdP has been working since 2015 with the RENATER
> federation and that its external services are correctly redirected to our SSO-CAS.
>
> Maybe a REMOTE_USER environment variable problem between the SP and
> the IdP?
>
>
> Le 27/04/2017 09:10, Fabrice Pollet a écrit :
>> Hello,
>>
>> The IdP metadata can also be read at this public URL
>> https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth.
>>
>> The SP metadata is not public at the moment (see attached).
>>
>> For me the redirection should be done towards
>> https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser (SSO-CAS)
>> instead of https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword.
>>
>> My IdP server has the SP metadata (the "backingFile" is filled
>> automatically).
>>
>> I will try your workaround.
>>
>> I would like to inform you and thank you in advance.
>>
>> Regards,
>>
>> Le 26/04/2017 17:29, Rohit Yadav a écrit :
>>>
>>> Hi Fabrice,
>>>
>>>
>>> I could not open the URLs (they are not public) so cannot verify the
>>> XML metadata.
>>>
>>>
>>> The IdP
>>> metadata http://idp.etrs.terre.defense.gouv.fr:8080/idp/shibboleth will
>>> include the list of IdP server endpoints that support HTTP-Redirect
>>> based single sign-on (binding set
>>> to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect). The current
>>> SAML2 plugin only supports and works with the HTTP-Redirect binding.
>>>
>>>
>>> If you can share the xml with me, I can verify the SSO URL. Likely,
>>> the
>>> URL https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword must
>>> be one of the allowed SSO http-redirect based endpoints.
>>>
>>>
>>> You may try this workaround -- assuming your IdP server has the SP
>>> metadata (i.e. the xml that you get
>>> from
>>> "http://cloud.etrs.terre.defense.gouv.fr:8080/client/api?command=getSPMetadata")
>>> added/enabled; you can download and save the IdP metadata (make any
>>> URL modification that you want) to a file such as
>>> 'idp-metadata.xml' in /etc/cloudstack/management on the management
>>> server(s) and then in the global setting set
>>> 'saml2.idp.metadata.url' to the value 'idp-metadata.xml' (without
>>> the quotes). Then, restart the mgmt server(s); it will read the
>>> metadata from this file location instead of the URL.
>>>
>>>
>>> The SAML2 plugin also allows for multiple idps defined (for example,
>>> in case of a federation it will retrieve and list all the available
>>> SSO site, for example search for CAFe saml federation).
>>>
>>>
>>> Regards.
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Fabrice Pollet <[email protected]>
>>> *Sent:* 26 April 2017 17:31:46
>>> *To:* [email protected]
>>> *Subject:* Shibboleth and CloudStack
>>>  
>>> Hello,
>>>
>>> I'm trying to configure SAML2 SSO support to connect CloudStack 4.9.2.0
>>> as a service provider (SP) to our own identity provider Shibboleth 2.4.4
>>> (IdP - Authentication Service and Authorization based on XML).
>>>
>>> I have completed the following CloudStack SAML2 settings:
>>>
>>> saml2.append.idpdomain = false
>>> saml2.default.idpid = (none)
>>> saml2.enabled = true
>>> saml2.idp.metadata.url = http://idp.etrs.terre.defense.gouv.fr:8080/idp/shibboleth
>>> saml2.redirect.url = https://cloud.etrs.terre.defense.gouv.fr/client
>>> saml2.sigalg = SHA256
>>> saml2.sp.id = cloud.etrs.terre.defense.gouv.fr
>>> saml2.sp.slo.url = https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSlo
>>> saml2.sp.sso.url = https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso
>>> saml2.user.attribute = uid
>>>
>>>
>>> But the URL SSO-SAML2
>>> https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso
>>> returns me to the native authentication URL of our IdP
>>> https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword
>>> instead of the SSO-CAS delegation URL
>>> https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser.
>>>
>>>
>>> The meta data of my SP are listed in my IdP (from the configuration file
>>> relying-party.xml):
>>>
>>> <!-- ETRS CloudStack metadata -->
>>> <metadata:MetadataProvider id="cloud.etrs.terre.defense.gouv.fr"
>>>     xsi:type="metadata:FileBackedHTTPMetadataProvider"
>>>     metadataURL="http://cloud.etrs.terre.defense.gouv.fr:8080/client/api?command=getSPMetadata"
>>>     backingFile="/opt/shibboleth-idp/metadata/main-sps-etrs-cloudstack-metadata.xml">
>>> </metadata:MetadataProvider>
>>>
>>> Thank you for your help.
>>>
>>>
>>> -- 
>>> IEF MINDEF POLLET Fabrice
>>>
>>> TERRE/COMSIC/ETRS/DGF/BAF/ING-NEF/PFI-PEDA
>>> COMSIC BP18 35998 RENNES 9 France
>>>
>>> 821 354 34 82 / 02 99 84 34 82
>>> [email protected] (Internet)
>>> [email protected] (Intradef)
>>>
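An added example, not code from CloudStack, Shibboleth or anyone in this thread, of the two SP-side steps the thread turns on: picking the SingleSignOnService endpoint with the HTTP-Redirect binding out of IdP metadata (the entry that the idp-metadata.xml edit above changes), and correlating a returned Response's InResponseTo with an AuthnRequest ID the SP itself issued and that has not yet expired, which is the condition behind the error 531 text. Everything below is constructed: the example.org hostnames, the metadata fragment, the AuthnRequestStore helper and its 300-second TTL, and the unsigned Response envelope without an assertion. The InResponseTo value from the IdP log above is reused only as a sample of an ID this SP never issued.

```python
import time
import uuid
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed IdP metadata (placeholder hostnames, not the thread's IdP).
# A Shibboleth IdP advertises one SingleSignOnService element per binding.
IDP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def sso_endpoint(metadata_xml, binding=HTTP_REDIRECT):
    """Location of the IdP's SingleSignOnService for the given binding.
    An SP that only speaks HTTP-Redirect must select that entry, not the first one."""
    root = ET.fromstring(metadata_xml)
    for svc in root.iterfind("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        if svc.get("Binding") == binding:
            return svc.get("Location")
    raise ValueError(f"no SingleSignOnService with binding {binding}")


class AuthnRequestStore:
    """Hypothetical helper: remembers the IDs of AuthnRequests this SP issued.
    A Response is accepted only if it answers one of them, once, within the TTL."""

    def __init__(self, ttl_seconds=300, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._pending = {}  # request ID -> time it was issued

    def new_request_id(self):
        rid = "_" + uuid.uuid4().hex  # SAML IDs are NCNames, so no leading digit
        self._pending[rid] = self.clock()
        return rid

    def consume(self, request_id):
        """True iff request_id is outstanding and fresh. The ID is removed either
        way, so a replayed Response cannot match a second time."""
        issued = self._pending.pop(request_id, None)
        return issued is not None and self.clock() - issued <= self.ttl


def validate_response(response_xml, store, expected_destination, expected_issuer):
    """Envelope checks an SP makes before verifying the signature and decrypting
    the assertion. Returns "ok" or the reason for the first failing check."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['saml2p']}}}Response":
        return "not a saml2p:Response"
    if root.get("Destination") != expected_destination:
        return "Destination does not match our ACS URL"
    if root.findtext("saml2:Issuer", namespaces=NS) != expected_issuer:
        return "Issuer is not the configured IdP entityID"
    status = root.find("saml2p:Status/saml2p:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return "StatusCode is not Success"
    if not store.consume(root.get("InResponseTo")):
        # The condition CloudStack reports as error 531 in the thread above.
        return "response to a request we did not make, or that has expired"
    return "ok"


def make_response(in_response_to, destination, issuer, status=SUCCESS):
    """Constructed Response envelope: no signature, no assertion. Real responses
    carry both, and the signature must be verified before anything is trusted."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (
        f'<saml2p:Response xmlns:saml2p="{NS["saml2p"]}" xmlns:saml2="{NS["saml2"]}"'
        f' ID="_{uuid.uuid4().hex}" Version="2.0"{irt} Destination="{destination}">'
        f"<saml2:Issuer>{issuer}</saml2:Issuer>"
        f'<saml2p:Status><saml2p:StatusCode Value="{status}"/></saml2p:Status>'
        "</saml2p:Response>"
    )


def demo():
    dest = "https://cloud.example.org/client/api?command=samlSso"
    idp = "https://idp.example.org/idp/shibboleth"
    store = AuthnRequestStore(ttl_seconds=300)
    rid = store.new_request_id()  # what the SP would put in the AuthnRequest ID
    first = validate_response(make_response(rid, dest, idp), store, dest, idp)
    replay = validate_response(make_response(rid, dest, idp), store, dest, idp)
    # An InResponseTo we never issued (the value from the IdP log above, as sample data)
    stray = validate_response(make_response("ni2j9u3i4d749ask9434jsgon0i9g7u2", dest, idp), store, dest, idp)
    unsolicited = validate_response(make_response(None, dest, idp), store, dest, idp)
    return sso_endpoint(IDP_METADATA), first, replay, stray, unsolicited


if __name__ == "__main__":
    for label, result in zip(("sso", "first", "replay", "stray", "unsolicited"), demo()):
        print(f"{label}: {result}")
```

The order of the checks matters: Destination and Issuer are matched before the pending-ID lookup, so a Response addressed to another SP cannot consume one of our outstanding IDs, and consume() removes the ID whether or not it is still fresh, so a second delivery of the same Response is rejected as a replay. Signature verification and decryption of the EncryptedAssertion, which the posted Response carries, come after these checks and are out of scope here.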