Posted to dev@cloudstack.apache.org by Artjoms Petrovs <ar...@telia.lv> on 2015/08/14 11:21:22 UTC

enabling SAML2 plugin Cloudstack 4.5.1

Hello!

How can the SAML plugin be configured for SSO to the Cloudstack instance?

I've set up my Demo stand, according to this article: http://cloudstack-administration.readthedocs.org/en/latest/accounts.html#using-a-saml-2-0-identity-provider-for-user-authentication

The issue is that the Identity Provider itself initializes the auth process. For example, there is a button "Login in Cloudstack", and after pressing it the user gets redirected to http://***/client (Assertion Consume) with a UserID given by the system.

Is such a scenario even possible?

Best Regards,
Artjoms Petrovs


Re: enabling SAML2 plugin Cloudstack 4.5.1

Posted by Rohit Yadav <ro...@shapeblue.com>.
On 14-Aug-2015, at 2:51 pm, Artjoms Petrovs <ar...@telia.lv> wrote:

> I've set up my Demo stand, according to this article: http://cloudstack-administration.readthedocs.org/en/latest/accounts.html#using-a-saml-2-0-identity-provider-for-user-authentication
>
> The issue is that the Identity Provider itself initializes the auth process. For example, there is a button "Login in Cloudstack", and after pressing it the user gets redirected to http://***/client (Assertion Consume) with a UserID given by the system.
>
> Is such a scenario even possible?

The current SAML plugin only supports SP-initiated SSO due to strict security checking and token verification. The way it works is that the SAML SP implementation would redirect to the IDP with a SAML Authn request using HTTP-POST.

What IDP server are you using? I think if you need IDP-initiated sign-on, the plugin can be modified to support that.

Regards,
Rohit Yadav
Software Architect, ShapeBlue

