Hi Fabrice,
Ensure that both SP and IdP server hosts have the same timezone/time settings. Consider setting up NTP on them etc. Next, another reason it failed to log into CloudStack (even though I can see successful authentication at the IdP side) is that SP (cloudstack mgmt server) has incorrect IdP metadata or certificates to verify and decrypt the encrypted tokens in the saml2 response. Please verify this as well. Regards. ________________________________ From: Fabrice Pollet <[email protected]> Sent: 02 May 2017 17:44:58 To: Rohit Yadav; [email protected]; [email protected] Subject: Re: Shibboleth and CloudStack Hello, Thank you very much for your answer. Maybe I misunderstood because in my current configuration, CloudStack refers to https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword without any modification and that corresponds to the native authentication of my IdP. I wanted CloudStack to return to https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser which corresponds to my SSO-CAS. So I followed your hack but by modifying in /etc/cloudstack/management/idp-metadata.xml https://idp.etrs.terre.defense.gouv.fr/idp/profile/SAML2/Redirect/SSO by https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser. This time CloudStack redirects well towards my SSO-CAS it is a progress. Unfortunately, authentication does not succeed. Here are the logs of the IdP at the time of the connection: 11:09:55.290 - INFO [Shibboleth-Access:73] - 20170502T090955Z|172.16.96.7|idp.etrs.terre.defense.gouv.fr:443|/profile/SAML2/Redirect/SSO| 11:09:55.378 - DEBUG [PROTOCOL_MESSAGE:74] - <?xml version="1.0" encoding="UTF-8"?> <saml2p:Response Destination="https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso";<https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso> ID="_3b1e03d6935882d3eb5d3f9242fb1426" InResponseTo="ni2j9u3i4d749ask9434jsgon0i9g7u2" IssueInstant="2017-05-02T09:09:55.320Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"> <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth</saml2:Issuer> <saml2p:Status> <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> </saml2p:Status> <saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"> <xenc:EncryptedData Id="_61daeafb4f216c1e291b2130c8b56a35" Type="http://www.w3.org/2001/04/xmlenc#Element";<http://www.w3.org/2001/04/xmlenc#Element> xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";<http://www.w3.org/2001/04/xmlenc#>> <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc";<http://www.w3.org/2001/04/xmlenc#aes128-cbc> xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";<http://www.w3.org/2001/04/xmlenc#>/> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#";<http://www.w3.org/2000/09/xmldsig#>> <xenc:EncryptedKey Id="_bae1f2d4c0b08c4fa70aa7169117c880" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";<http://www.w3.org/2001/04/xmlenc#>> <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p";<http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p> xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";<http://www.w3.org/2001/04/xmlenc#>> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1";<http://www.w3.org/2000/09/xmldsig#sha1> xmlns:ds="http://www.w3.org/2000/09/xmldsig#";<http://www.w3.org/2000/09/xmldsig#>/> </xenc:EncryptionMethod> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate>MIIErzCCApcCBgFbR6o7sTANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBBcGFjaGVDbG91ZFN0 YWNrMB4XDTE3MDQwNjA5MDYzMFoXDTIwMDQwNzA5MDYzMFowGzEZMBcGA1UEAxMQQXBhY2hlQ2xv dWRTdGFjazCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALMN5Irps++bJ4S7SCATm3Ni W+SYl75N/TbQXPHPrSWuZDRZOVVsgf6vCN/IAYsBUUD5Lej+aAhZra8SzI0RBtloIdx6xQHZTp3q DbnvSW3pBIKb1m/KHpcvr6AFelUw82h13jYzp4QnPxragalY5g0do5UHeki+olHTgYu/TFiLAmrE LxKFMOBKaZ+W4aYeootdCL1pXsFgRx/WXY2XS2e3wXxFXxRp9T35Mtuslz8eq8X5ipRyWiA+/1Q8 g3YjFengkP5w3xgSsTjF0HiBnP7g9OCu01M1M35vNxyoEvKgIT61Fm8VDuuxT9BWhKBKN5lZ1rSM NCvsykdiSwXGo1NpKfG4iHeDUSZHsFIdwsthfK9Rs0VPCG+IcR93IYDGJOqX05tiI2WvN/T23W/T kNPTDt8mZJh8HuiWAHij6OIb3DJxK2l2czxNq2OLJX27dHKQDf0LcNg9Cm8fzBLKkpyZlypuC1o2 60SY9XdkwLSbOhRkSWazFkW641EGv9QFUBs8AkPbos9DUVKA7ciHXPSIeiLEVdjbNMiuWJUmqF22 nefs99H7CvtMaSwSPGpMkYVljPGn+6M06EbNfxdd4quVVgnXOxXDJKV8E+1qCAT1nxQNkIZdoZZw 14RmoyCngV83eUf4mPjpux1IJhKJSOBnHFKCboMNcUgONSVRrRuLAgMBAAEwDQYJKoZIhvcNAQEL BQADggIBABnJ2QT4s23RN0+v3F7H6ODuNcYMMl4JZN4VvDsAr2xBvRltMkmlcZgK5XRO47Gt1rdN 7fbm7xDsl0KblZ3PWHkBCuM0Zpw2nDx53AIkCk/lEw7sdAqAr1blgL56xTQLis43PLl7j4o+ZXFI 1Ny2eiyVRasffBQSlR4SoCN+mmXN4AygVxgR0zSlBKCV65CVX+5E8nKo1CrVzk4Pl3m6chKB+5J7 NvfvOvJAli1dsspjJd7SnyxJem4G0vC6t65Jzj+vFpBPsrj7VPa9YcrnDLOHy3Ljooad9agPkliY JOvBRKkD8eoOMvoRSUg5f6VUAzO228UBcfS4OTZvkuKNyl2uYJ9pZFTEJ8zA+ikWZBUl4Ot6LYG3 smHsAxIpm7rubLVOF0GV8dhcMcDjDK5+7lLkaFRHTjZZeanISVBWbe3zc8P8gRdFZvi3CJalubPd UQer2pUySILFJkfZx+5STf6cargpAEfnvWTvx1bRFqsh1NTOiWXJuL3QL3K9vPxhaIXgjmRFJVMb y3Tt3ifMbqssaC7odRmKZx/bLyrgC6Uni+oJDkiDtyVD1oFtmnbQd8wZ6x25W+z6i0wtcDWLYoW0 HVpfDgXKwxuSNTdO1XYA48p98z6la+HXkhEML3EFU60+cxmvtfuu7JIOjSxWQw6dktxLKGZ+KPhB 2HWwtuca</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";<http://www.w3.org/2001/04/xmlenc#>> <xenc:CipherValue>BwCwEsRgA3OFiHNpd3bfHAo5Q3zt6YlqbKlg9HRpL6U2ID2Hm7KI9FojAPS5JpSh14mreSNylN2myr9jUOJ+OpeCfRdjtSNuck3O/k42g/Eu5nNmzn9cFOSbFqSQXvsdYVzsbMeGID1J9cq5FfVeu6RcebZr7Ebo5tOTdJqmKi2BScB/fz8Yy/2p6xh/JWYhsVCeSwvHuHKrDYCFf5eg0XcoP/tgrA65U7P7utrKrjMgSq5Dn5XkaXc9L9+wov9VnpdKrRU2TENFdZIW5RO1PKc5nwP3/ivEkuYs2ax+lvvkYpNqEiAQyQmt1T1VvctyLC0MplMDX8YEMRIfhNAyJskYbp5rP1ZHGhfu76cVTzdt4AouCNvxRYPZ5uhy47jeEy0ZewEz65ImqGgKNoZ4FwH5UwTTHGZak5MJ3LmTd9bfwfz7sUK3TGsISdbFCVxkthQvGBmOHNHb8BbKaNUV8Px8DH0IV1jvCiXUBlzwFpnRjG06hSpmmllyu3WaQixPqZ1BjgjAOXrUdhxLrBRyXEbKeFdGxidJYcqQaBpn4H83ZNPBriQ3Ya39NJGkfkVlU8tvpif3tH1fNWJ0SBNDZWIUjyu4OKFxjiebsP2QF6miep9YscNffQdPt9k0h2siTQJCpH/DM2RMQOna/AKARUeyD39jsutvhpj3TQzplzw=</xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedKey> </ds:KeyInfo> <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";<http://www.w3.org/2001/04/xmlenc#>> <xenc:CipherValue>KXBwY7UOS1KcHaNefUMtdK/6Jlmm78KYhs62nxNAectfTT5Sw3l289hLgeaIZ0RRsO1XqQk+ew43mMm6QaWjvcEDGij2C+TEGl2maIkhxpW71ZeeMyP6dAW78/TDJBJfLUEbTR1jb+q7hfJDKgMdyGfQ9ErEdvQjbz8vRMYiq7fdkNzqVTpXzcc7KXbpGtSQqyJYetAGFPx2wsJreeHsQPvIJrI42ER8LOLyv/FnXi+w4YXrzL14e0Qhmyry07Z8B6gC3DA+C8pmDs9xn99nEfAC6xZctDeIzC0+KpGav9NfACfvqs+X2DleZGckzsSomDxssiv4ArAbTSV/dRlbBUWfIGBgwALVhrBDyuCkBXrYNYqm7QF6bKSmAOlKVYC+lqFdI8CLHH7QiEO2S1UHYNRSIjUPXtef1CXGWM2jhmPYc51VBxsrcoY0ei0/nx9WVLcN5OHxnb8dz5Lm5yJJRa16k+7/rYDi8KvGTQj6jTEkQFjoxr7VeDHHAEdt5D8/Xm0PuvAXGTEvOntlaLbXkMqFxBe9usAkFqf6CRm3Qin2O7dUuipWJVZE1f7gnZyGCV0woVgnSQ2vo5quz5ABveXzlsuypMkD/bwavgLYNQR9c4eIJDqcUlPC2zm5XM18mgdxxQpp90E3Kb29j1OGfDh6F35x2rYg3k1/jJeMlDlbANprwyw1eM+qGijDcdYNoJEMRF9Utpt1ePDSOhBBPyPiTg7lgBo0m/gBnHR26TTTDGMruCm7SSNrYJIf1KR6HFalEaUZn7kpSBINkyoCOOyW78L8pqy0+m1ZcCfsYBzHsSd8kXyavYESCGIB58oIzPFB7VK1SiKrWvZCRkXw0AZllfy3cntpGopCBopjivUxycsNHPTIp0sZDpkpRC9it3vGcJDIueuPoco1cdoM05gTLg2rNU7StPukDAwKZSRJ2RY0kNcnoeNIoQLc5IAM4PuCFk FhOQYVAI+ dmIxc5F74uDctiONoNX6zVyp3OSZHiNoN/WrSkA7OsefciO+DaU1XLc87CSqvR8eOG41VjSlxpzkHBjUOiOtz52BKlFtuDLlKFX/5W6XQYNHp69PhYjuXd6vryvNWSPVgoVDJ5R10s+W2JvnQXlgD0MVlgJQs905+yi1fugYYYuA2P0NIEu3/Ky4U4CLxmGM3NIAkTWpjpFhHxv8il3x4TLPs2BB49gV1FOF3E5oXYg37bY1k0aeJA/DDxm2QXLP31Q4jdOAwdL5o6gIbeHV2g4WEUeMHg3zMfuL3jcJi/JA7A6MJEDyYCC32Z42DfUYgocmIwlOTs6y2ujxKqAWfKYC9n6bu5Wxj2zU8dZlmA7Os1UYZZbz9ZaRFMp3aN31/x1dasSP2yCoLpcjgiWsQDTBOn596V9OXmK14Z6K/+Ba51dfT3UWc4vTSb603AB0yNV4Y4vclSFxM47qPb2kU2qtgZyEOVKDy6OekNVW+az8+IitTH/f2Fk+HgM4Ro6MrCLkjbwvriL3NZmIcTm3eV3cGDf752fmDI/wYXc8tMXMcNQQo+S8Gf76rLy9TffWX4DvIPQkG4o278c1RRwl58+O1arAcsAvhMNGiwzHDVhTCrzVWebifphXBzOjDN3cNm4I0HC/nmiuWprQy7IAkNatmQIRa5AevmmFYNd5rSvptyxVPBLcCCWxXcgB8nAosQp2nsTsE01UTfptvEPDPwc3BPbc8S4I2o5hhE5LCDquDmi3o5VbBmEGoOlt8pcpvtF99ogvSYo9nXPjt8XMwxWyfR52ch4XbGqLXrSiQejGBwhMeIj02wdiEZU3jI7VyCvidZIbAfSwIFb7M0zke/zNK0rYLMqiRM/T6IeBCBd+a+F6afyokHEDO7jQsCAsQ+AtQwfAgCeoZO9X7Tn1gDKBBLMoIhAcXJaVvwIdd52DliYffnK906NaT64M+KBKGLESDyJJJ2mJQd/E0mosvNUHOJ13bV cR5qPFT2v p0hnodqi4q8wEdv7jGlYt8qOpVgmNgMT9hBtuS3dDoQ0wRKao2XpXIAUjW/SbCEG4FwzlTZR6a9oMd3WoU3YQr5+nsGM6ryzW3vZzt3zkQqCiuwgd86MhVJ+N1HGOQr7ZUWUsd42BXXpWEfpDFWMtke4apztJwrYS9YnOpH6dOkCgu5uKelChsSMaov+Undj9ioejbd7pta9J2TYsO14cq6Hv+G++TjNfP5O4XcOU804xIRCRZwC/jIrbkJMQ9XKYPwjsrhwBo1eC3eXeUCFvmr4yOfVoEAKWp9Go59wIEC8fPFdU6UUNSUYDchZa9l7tS+N7iZu4fcVmye6m8uKqsBQww8Fbk1kS06K5/QXD1T14H5bzs6eR+QHEsRoqDxR1+WNYjZm+c1qTd5eu5f1N+tWkmXmn0ko34QUUOjwR7JRPum6WTizh57S/aCYxNjx2qPk2QYXIP1tNXGkOTc7qq/u3fc+KGN8wEsLwfbd2j0n1fAsWbxv6q/RBdgIzl142W+m4EEoHKrOhctI3VOi+xoEcoCF/AQuTsBm3617qfZcWRqFR0t0RVivCo9jutqXmkTdkIWbLW+elocN/lYNXRgOO+VtK8E39NQ2wbwYh2vCoqrNB61+MAketA/2UBblTBKnPe0ipYRV0isSQXoxVlRLfAAfqXES9DyRsCmu9vlnYxT0cyeHlgT8czCWypSRwxSX9V3tWxQVuXaktxIE5wU9VGOQzieP0z1EA5Plr5e2FbdtsS87eEC5yvYVLccEU4ni44HCGFqPUNHnMJtjGtqoSq56SBeBEy8WQVUB3PSckRnZE9F5/BYyACiSdw3E1EIB0algS/LuotpijriG2JODouCnFleVcraMdp2VweqDH3pxjRQbOdboyj7n2YuYR+RrDspwnjczmiiiL9+708PwZnGie+etvYTDFoKIHURQVLxid9mS87JBcpfzIXKPxSS89HdTk2jvFXR4VmUVYA0nJ4VJzy CWnArSZJp fvhyhuydFXAOhhE3tDqIJ120kXarGnaF1Yp2ZBZuX4UsV/jR1R6faqYTc7ynAzEnQ4zGj9d20O/4exiK9DRMGBaRYP4R6DRRDyKqC2Cqt2N2O4fcxYOfKeMNTmwHDBAU0tBlsZDCSHl/3Hr5eHdUXEH8D1AaF9rWvq3SI/aV0cSoyk7eIZ2AGzRs9lljHLoa6U65ichrz//1CueBDKc1pcomDTfAt1uSmeBe/cCNjhdpaB2dokgRUxNXGPENAtSYpoZrfBp/jjxUy83rdDVc5aW2qTnM9UQi3XJFv02jDIlTmIVI3+cDZQTHieExXCBgsAXMCcncEXY8Q2bDd1IUkDlTzUWf8lbr6YbDzmxYP2SFIXSjzAWRKIHKRGnLuETUw6FS9fpc4101VdkGVicv09RQsg3n1SHHmvmEH0HxxwZD4OgmSNKDmsfBLGaANEA0Ke+tDzIjQO2QjpLS9p7PsarE126WPvNHa1mNss0G22SI1s60xXYbcjFBXktT99m6ofIS36e4mLwH7F9NFWuKNqxofjoVtvcKcru3OeaChm+jl3ZcMEJPbQf8xBAvYWwGc3QJSpGw1NSbIO5sOeT/CjMjKux02nvFg0nBceRbTZ05cPjSErS2HwleXXEsicXgp9bcFf4oRGWNCVIvkItkUNijg/Rl9Y7xNv+ZVUCkN3DyOmg4GhzNnIFGDAPpqDXzx7uyLApSiWJe39VDq76muNOw0UQ7r6p7YUv7pGxJ7fjan8h97uBtdkZLHv4nOcZUFesMykAmy6cd1vIe41rujylDs+dTkYWsoIuLV71zqMGhufLyew7nSxX5kK+9wkPzxvF6o7HHXKOGr5oGVxV5/S6wmbZ4lGoUeRrYaYPIEnkhKDlikug6gXngK1Xrr7qd4pRLW2p2LRaYYk5wdlI3DucQuDbu1u6393Rv7AL0ZGVcQm2qWOMUiLT2V8VK4iy6lenFCX4zck623fOxs7y1EsyVyV0DIV RWXQODN9J HzVXQfBOrO7zY/91W8PwAYOy0hbw7uT/ZzKTMzGsEZN6ftGct5K/GiwoRyA/RV9edo1ghsNjjyuMp3IvGitp+IKPIZ1D+I9uZVygclePhSlxPZ4ceasZEExxyPNCVyvH1GJ3gMKW8WX2nuIU1ODESUcnRz40IMIFrnzgFpk//xzhoX7jk/90lBCntvb2xVaEk7+YKS2791ePmt+aydoaeYBiuR8lj8kpm9gTBQPtIFG6igBIHfP6Qh/hrg23ZIQ15CMBxD7ZlJCpxPzD+g9/ZJYj2iaiONOecN2F+pI07cxmWYbl3z6FhBysQAcF5KU10GjCjdoVyGBnvLAWlA8/PIbcTFvFAMNq/r8I2RXRRvZK1f+WYAzuvYkQ6FvNxTvyBZ5W3ywg0UTOIXhJYSxj3fhmT7S57PWgsLQQc2GCgspwsacQFtcD9FJNydvCyPi5eBt+OHZ8gjw+MJs8pHyK6Rs/Hwr62TPnwwNizTTe+dWrWwSdlYNFRnG5MhCVw4dfKo5rzCtABN3H7qpUGt94/DeiGKPm5dVmZUYZk3wv4wQfxsn5VlKeZxeowwql3KgYdyyHxYVWZSmFi87roxYAdFz+UAZtxnWN8YejkwQKYAcbdCZhLllzRJX/bqtCgtfCgl+coeP7OSR6eqP+YPlE5RoXrKEAz544jyLRUcbw6iiIeLTozHiTwIubRji0bxJybFr48ePKsDyIW2xpY7YjpRXVc2xOOzJE+ZXbymD/8LSdR42c0nNBW+sIgGP0raVpLATxr35bj9B+vh37oTnVEN4JyYgrVvhjlhlErnaLFIZ0G2U73tjiJD/361q62PPBC4jWeDHNK5VnNe4pPIczsYEwwQTh2EtAtpn0CCKn179HRGl5mlj9LhX3JzaZPGEmDPzS0JfiU15YxlAlgrG35x5mahZcc/oHjZyZc7XVqwlPk0GCdAGhfrnRwcedDwVsGGvNg49ciqdCjPREKknXMqFO+KAq+w 2kePK+OMi 3+rKzgWhurgI/hvpb+ucwhF5KpraIfJdzoTiwWYnxSGww2EJRXq/0ozIyQB9DZmOCD5tcHnKFjCjudgtiIbdBLmzxeNwG3SgDqPkkn31KK9jobWO5PGjCPUc6AvUD4GSYhw9En4xkRbsbbRztGCrXfpa0NpMysbo71YruK1gc9dccnwdSxTDZZEoxH8FqR6hUt5PAAxLi30UX5vqq9gXObzmlExIgeopyU2XkMIaa/HtAKPpCrZpeFQcbDC+bfos1vYUnGfVennTaFch47rWARdgLI1dGqq88lrJhfzKhS+ZWKHMDbdKs5OgNmvIt5kTWpbeie4qPW2volholu5wrmBz9Tpuhx7gwg/Zp3PeLCoPkvXCRAqQQKtZsnP+xKVW9+cugIN4GKLf60DbK897RRJcTP14nRo+tgYfdR2gKgZaiPNGXjz7wFUK7ApxSPEF//LBoLOOwSURVk4ckpPbam5M5KZydcAMRTxHbNUXlTPpcTCd/XkU0A/hsqVMvYBru2dcS0I9CQ4tfb8I2OTIZ2webSvgw0UjZmf+LHVRWiIhY+hMJ5aVpoLa3sVm22j9Yq+ZYIm+QbrRjJFBejzjeMgC8vJiL6hBgeEQDmInnpnYmR2AW6ZTjfNyyGTwwSCN9IqvJ5frJ9GAFv9PDnY78/tZuymXzzVaMxQPSqYsw+EXPTbn3onlJCoOUClG41s/kdwqebFguxUSm6MKZiEqirmY8VCalLF/W++jtQZbIeL8atplGe8A4R8dxIE25ArF3XXNykuGZQoJdlSZC/ZgNv6usBFUzZEuyB/luTkMW0V9dGO2otxR3xSYAR5d+mAzZsllaH/fOPD/904LijaO1+K8REwr3uUNe8hDZaErCTbnL09feZISe6+NykTw5runFqbiOlgGP6qvjc/qFLJy65LiQMj1+fWaz87UkshQH4nqOOROLFRP7HbeJI9UcXXoRQ2e/l2iDC5gDaM7xmmA7HE91vLD4X CT6W5obbS C5t9COUSU88UubAzXX+DjFtRL/e0E94/nfpKiFDsRlWJJwKIFybBqezGksdmU21VEh/Z7vzNRvlmAAsz6vepof4cNL4PkHOhn8BSnFI6wDZahPj9WzIZ7ePeUkz5NpTdYfqX6VcHzANAgiygeLx8EaT9dCaOPj3PEGU/QkCcFKFcY1l8LGGUUW8Rudje0MRarcRh+ms51nwuoCAB5Gr+73GYb+2Ir3DYQme3ym0zGfsqTl8gR707/lvdxgVP3ShqSwvD6tr0rgd1r5pG8BESQbak9bFdq6cNZpTLVQ3/AsOd7FBdlWlPCE6I9eU70NNQy3iKxJljVb//5xrcjEDa9ulQc=</xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </saml2:EncryptedAssertion> </saml2p:Response> 11:09:55.379 - INFO [Shibboleth-Audit:1028] - 20170502T090955Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|ni2j9u3i4d749ask9434jsgon0i9g7u2|cloud.etrs.terre.defense.gouv.fr|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_3b1e03d6935882d3eb5d3f9242fb1426|fabrice.pollet|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid,email,transientId,|_9d5c99cfc524cd833e5e19406c95538e|| Here are the CloudStack logs: 2017-05-02 10:10:10,732 DEBUG [c.c.a.ApiServlet] (catalina-exec-20:ctx-52243a80) (logid:f3e20c3e) ===START=== 172.16.96.7 -- GET command=samlSso&idpid=https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth&response=json 2017-05-02 10:10:10,732 DEBUG [c.c.a.ApiServlet] (catalina-exec-20:ctx-52243a80) (logid:f3e20c3e) Session cookie is marked secure! 2017-05-02 10:10:10,735 DEBUG [o.a.c.a.c.SAML2LoginAPIAuthenticatorCmd] (catalina-exec-20:ctx-52243a80) (logid:f3e20c3e) Sending SAMLRequest id=mdp1ikdn2elvck5uilfbs266ahop200v 2017-05-02 10:10:10,903 DEBUG [c.c.a.ApiServlet] (catalina-exec-20:ctx-52243a80) (logid:f3e20c3e) ===END=== 172.16.96.7 -- GET command=samlSso&idpid=https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth&response=json Here is the error in the browser: https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso : <loginresponse cloud-stack-version="4.9.2.0"><errorcode>531</errorcode><errortext>Received SAML response for a SSO request that we may not have made or has expired, please try logging in again</errortext></loginresponse> Thank you again for your time. Le 28/04/2017 11:23, Rohit Yadav a écrit : Hi Fabrice, I looked at the IdP XML, with the SAML2 plugin enabled/configured in CloudStack when users click on login they will be redirected to https://idp.etrs.terre.defense.gouv.fr/idp/profile/SAML2/Redirect/SSO (with a saml token). After this, I'm not sure how your setup/IdP should behave on handling the redirection or use of the REMOTE_USER environment variable. A sort of a hack you can try is to replace the SSO URL in your xml file (saved in /etc/cloudstack/management/) to https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword and see if that works for you. Regards. [email protected]<mailto:[email protected]> www.shapeblue.com<http://www.shapeblue.com> @shapeblue ________________________________ From: Fabrice Pollet <[email protected]><mailto:[email protected]> Sent: 27 April 2017 14:30:53 To: Rohit Yadav; [email protected]<mailto:[email protected]>; [email protected]<mailto:[email protected]> Subject: Re: Shibboleth and CloudStack I tried your solution to save the IdP metadata in file /etc/cloudstack/management/idp-metadata.xml and I found my IdP in the selection proposed by CloudStack. In any case it shows me the possibility of adding other IdP and that is very good. However, I come back to the same situation. My Cloud refers to the native authentication of my IdP instead of the SSO-CAS. I specify that my IdP has been working since 2015 with the Federation RENATER and that its external services are well redirected to our SSO-CAS. Maybe a REMOTE_USER environment variable problem between the SP and the IdP? Le 27/04/2017 09:10, Fabrice Pollet a écrit : Hello, The IdP metadata can also be read at this public URL https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth. The SP metadata is not public at the moment (see attached). For me the redirection should be done towards https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser (SSO-CAS) instead of https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword. My IdP server has the SP metadata (the "backingFile" is filled automatically). I will try your workaround. I would like to inform you and thank you in advance. Regards, Le 26/04/2017 17:29, Rohit Yadav a écrit : Hi Fabrice, I could not open the URLs (they are not public) so cannot verify the XML metadata. The IdP metadata http://idp.etrs.terre.defense.gouv.fr:8080/idp/shibboleth will include list of supported IDP server endpoints that support http-redirect (binding is set to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect) based single-sign on. The current SAML2 plugin only supports and works with the Http-Redirect binding only. If you can share the xml with me, I can verify the SSO URL. Likely, the URL https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword must be one of the allowed SSO http-redirect based endpoints. You may try this workaround -- assuming your IdP server has the SP metadata (i.e. the xml that you get from "http://cloud.etrs.terre.defense.gouv.fr:8080/client/api?command=getSPMetadata";) added/enabled; you can download and save the IdP metadata (make any URL modification that you want) to be file such as 'idp-metadata.xml' in /etc/cloudstack/management on the management server(s) and then in the global setting set the 'saml2.idp.metadata.url' to the value 'idp-metadata.xml' (without the quotes). Then, restart the mgmt server(s), it will read the metadata from this file location instead of the URL. The SAML2 plugin also allows for multiple idps defined (for example, in case of a federation it will retrieve and list all the available SSO site, for example search for CAFe saml federation). Regards. ________________________________ From: Fabrice Pollet <[email protected]><mailto:[email protected]> Sent: 26 April 2017 17:31:46 To: [email protected]<mailto:[email protected]> Subject: Shibboleth and CloudStack Hello, I'm trying to configure SAML2 SSO support to connect CloudStack 4.9.2.0 as a service provider (SP) to our own identity provider Shibboleth 2.4.4 (IdP - Authentication Service and Authorization based on XML). I have completed the following CloudStack SAML2 settings: saml2.append.idpdomain = false saml2.default.idpid = néant saml2.enabled = true saml2.idp.metadata.url = http://idp.etrs.terre.defense.gouv.fr:8080/idp/shibboleth <http://idp.etrs.terre.defense.gouv.fr:8080/idp/shibboleth> saml2.redirect.url = https://cloud.etrs.terre.defense.gouv.fr/client saml2.sigalg = SHA256 saml2.sp.id = cloud.etrs.terre.defense.gouv.fr saml2.sp.slo.url = https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSlo <https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSlo> saml2.sp.sso.url = https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso saml2.user.attribute = uid But the URL SSO-SAML2 https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso returns me to the native authentication URL of our IdP https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword instead of the SSO-CAS delegation URL https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser. The meta data of my SP are listed in my IdP (from the configuration file relying-party.xml): <!-- Metadonnées de ETRS CloudStack --> <metadata:MetadataProvider id="cloud.etrs.terre.defense.gouv.fr" xsi:type="metadata:FileBackedHTTPMetadataProvider" metadataURL="http://cloud.etrs.terre.defense.gouv.fr:8080/client/api?command=getSPMetadata"; backingFile="/opt/shibboleth-idp/metadata/main-sps-etrs-cloudstack-metadata.xml"> </metadata:MetadataProvider> Thank you for your help. -- IEF MINDEF POLLET Fabrice TERRE/COMSIC/ETRS/DGF/BAF/ING-NEF/PFI-PEDA COMSIC BP18 35998 RENNES 9 France 821 354 34 82 / 02 99 84 34 82 [email protected]<mailto:[email protected]> (Internet) [email protected]<mailto:[email protected]> (Intradef) [email protected]<mailto:[email protected]> www.shapeblue.com<http://www.shapeblue.com> @shapeblue [email protected] www.shapeblue.com 53 Chandos Place, Covent Garden, London WC2N 4HSUK @shapeblue
