You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@cloudstack.apache.org by Rohit Yadav <ro...@shapeblue.com> on 2014/07/16 12:33:41 UTC
[DISCUSS] [PROPOSAL] SAML2 plugin for SSO/SLO in CloudStack
Hi guys,
There has been a lot of interest [4] around auth related problems in
CloudStach such as -- SSO/SLO (single sign on / log out), 2-factor
authentication, role based network/IP/CIDR checking etc.
A lot of challenge in implementing them in CloudStack is because of two
divergent authentication mechanisms (one that is
username/password/cookie based, other which is api/secret keys or
hmac/signature based).
This thread tries to kickstart a project in that direction which will in
short term try to implement a SAML2 plugin and in long term have a much
better authentication framework.
Let me start by briefly explaining what SAML2 [1] is -- it's an XML
based authentication and authorization protocol widely used to implement
single sign on service. Having a SAML plugin in ACS will give users and
organization a new mode of authentication who already have such an
infrastructure in place.
A SAML based SSO infrastructure consists of three entities - user-agent
(UA), service provider (SP) and identity provider (IdP). The UA is the
user/browser, the SP is the application that the UA is accessing (i.e.
Apache CloudStack UI) and the IdP is the identity service and does
authentication and authorization, management of users among other
things. IdP could be backed by LDAP, AD etc. For the scope of this
feature, we only need to implement SAML SP plugin in CloudStack and use
any free SAML 2.0 compliant IdP server [5] for testing.
For this I researched and explored ways of implementing that and have a
first draft which needs to be discussed and iterated in the ACS dev
community.
After comparing many opensource SAML 2.0 implementations, their
security and stability, we'll use OpenSAML [2] which is the most stable
and widely used Java implementation. Since within CloudStack, we've been
using Spring (for DI etc.) I explored and found Spring security SAML
extension [3] which fits perfectly and it too uses OpenSAML.
I also have a working proof-of-concept general implementation using the
above based on which I've put together a design document draft on this
feature for your review:
https://cwiki.apache.org/confluence/display/CLOUDSTACK/SAML+2.0+Plugin
There are some complex stories/cases around security and user management
in CloudStack, some of which are listed under 'open ended questions' in
the draft above most of which I'm not sure how to address.
After first round of discussion, I'll go ahead with a basic
implementation of this feature. The second phase will address broader
use cases.
Comments, questions, suggestions?
References:
[1] http://en.wikipedia.org/wiki/SAML_2.0
[2] https://wiki.shibboleth.net/confluence/display/OpenSAML/Home
[3] http://projects.spring.io/spring-security-saml
[4] John Burwell's talk on SSO in CloudStack:
https://www.youtube.com/watch?v=kCR0TzrfCOM
[5] https://idp.ssocircle.com/sso/UI/Login
Regards,
Rohit Yadav
Software Architect, ShapeBlue
M. +91 88 262 30892 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab
Find out more about ShapeBlue and our range of CloudStack related services
IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>
This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.
Re: [DISCUSS] [PROPOSAL] SAML2 plugin for SSO/SLO in CloudStack
Posted by Min Chen <mi...@citrix.com>.
+1. Very well-written FS and email, Rohit. Those open questions are very
valid, I added a little comment in your FS regarding the flow.
Thanks
-min
On 7/20/14 8:35 AM, "Rohit Yadav" <ro...@shapeblue.com> wrote:
>Hi,
>
>I'm assuming no one objects the proposal and the spec, I'll move forward
>with the first implementation starting next week but will be mostly
>offline till 28th July.
>
>Regards.
>
>Rohit Yadav wrote:
>> Hi guys,
>>
>> There has been a lot of interest [4] around auth related problems in
>> CloudStach such as -- SSO/SLO (single sign on / log out), 2-factor
>> authentication, role based network/IP/CIDR checking etc.
>>
>> A lot of challenge in implementing them in CloudStack is because of two
>> divergent authentication mechanisms (one that is
>> username/password/cookie based, other which is api/secret keys or
>> hmac/signature based).
>>
>> This thread tries to kickstart a project in that direction which will in
>> short term try to implement a SAML2 plugin and in long term have a much
>> better authentication framework.
>>
>> Let me start by briefly explaining what SAML2 [1] is -- it's an XML
>> based authentication and authorization protocol widely used to implement
>> single sign on service. Having a SAML plugin in ACS will give users and
>> organization a new mode of authentication who already have such an
>> infrastructure in place.
>>
>> A SAML based SSO infrastructure consists of three entities - user-agent
>> (UA), service provider (SP) and identity provider (IdP). The UA is the
>> user/browser, the SP is the application that the UA is accessing (i.e.
>> Apache CloudStack UI) and the IdP is the identity service and does
>> authentication and authorization, management of users among other
>> things. IdP could be backed by LDAP, AD etc. For the scope of this
>> feature, we only need to implement SAML SP plugin in CloudStack and use
>> any free SAML 2.0 compliant IdP server [5] for testing.
>>
>> For this I researched and explored ways of implementing that and have a
>> first draft which needs to be discussed and iterated in the ACS dev
>> community.
>>
>> After comparing many opensource SAML 2.0 implementations, their
>> security and stability, we'll use OpenSAML [2] which is the most stable
>> and widely used Java implementation. Since within CloudStack, we've been
>> using Spring (for DI etc.) I explored and found Spring security SAML
>> extension [3] which fits perfectly and it too uses OpenSAML.
>>
>> I also have a working proof-of-concept general implementation using the
>> above based on which I've put together a design document draft on this
>> feature for your review:
>>
>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/SAML+2.0+Plugin
>>
>> There are some complex stories/cases around security and user management
>> in CloudStack, some of which are listed under 'open ended questions' in
>> the draft above most of which I'm not sure how to address.
>>
>> After first round of discussion, I'll go ahead with a basic
>> implementation of this feature. The second phase will address broader
>> use cases.
>>
>> Comments, questions, suggestions?
>>
>> References:
>>
>> [1] http://en.wikipedia.org/wiki/SAML_2.0
>> [2] https://wiki.shibboleth.net/confluence/display/OpenSAML/Home
>> [3] http://projects.spring.io/spring-security-saml
>> [4] John Burwell's talk on SSO in CloudStack:
>> https://www.youtube.com/watch?v=kCR0TzrfCOM
>> [5] https://idp.ssocircle.com/sso/UI/Login
>>
>> Regards,
>> Rohit Yadav
>> Software Architect, ShapeBlue
>> M. +91 88 262 30892 | rohit.yadav@shapeblue.com
>> Blog: bhaisaab.org | Twitter: @_bhaisaab
>>
>>
>> Find out more about ShapeBlue and our range of CloudStack related
>>services
>>
>> IaaS Cloud Design &
>> Build<http://shapeblue.com/iaas-cloud-design-and-build//>
>> CSForge rapid IaaS deployment framework<http://shapeblue.com/csforge/>
>> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
>> CloudStack Infrastructure
>> Support<http://shapeblue.com/cloudstack-infrastructure-support/>
>> CloudStack Bootcamp Training
>> Courses<http://shapeblue.com/cloudstack-training/>
>>
>> This email and any attachments to it may be confidential and are
>> intended solely for the use of the individual to whom it is addressed.
>> Any views or opinions expressed are solely those of the author and do
>> not necessarily represent those of Shape Blue Ltd or related companies.
>> If you are not the intended recipient of this email, you must neither
>> take any action based upon its contents, nor copy or show it to anyone.
>> Please contact the sender if you believe you have received this email in
>> error. Shape Blue Ltd is a company incorporated in England & Wales.
>> ShapeBlue Services India LLP is a company incorporated in India and is
>> operated under license from Shape Blue Ltd. Shape Blue Brasil
>> Consultoria Ltda is a company incorporated in Brasil and is operated
>> under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company
>> registered by The Republic of South Africa and is traded under license
>> from Shape Blue Ltd. ShapeBlue is a registered trademark.
>
>--
>Rohit Yadav
>Software Architect, ShapeBlue
>M. +41 779015219 | rohit.yadav@shapeblue.com
>Blog: bhaisaab.org | Twitter: @_bhaisaab
>
>
>Find out more about ShapeBlue and our range of CloudStack related services
>
>IaaS Cloud Design &
>Build<http://shapeblue.com/iaas-cloud-design-and-build//>
>CSForge rapid IaaS deployment framework<http://shapeblue.com/csforge/>
>CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
>CloudStack Infrastructure
>Support<http://shapeblue.com/cloudstack-infrastructure-support/>
>CloudStack Bootcamp Training
>Courses<http://shapeblue.com/cloudstack-training/>
>
>This email and any attachments to it may be confidential and are intended
>solely for the use of the individual to whom it is addressed. Any views
>or opinions expressed are solely those of the author and do not
>necessarily represent those of Shape Blue Ltd or related companies. If
>you are not the intended recipient of this email, you must neither take
>any action based upon its contents, nor copy or show it to anyone. Please
>contact the sender if you believe you have received this email in error.
>Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue
>Services India LLP is a company incorporated in India and is operated
>under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is
>a company incorporated in Brasil and is operated under license from Shape
>Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of
>South Africa and is traded under license from Shape Blue Ltd. ShapeBlue
>is a registered trademark.
Re: [DISCUSS] [PROPOSAL] SAML2 plugin for SSO/SLO in CloudStack
Posted by ilya musayev <il...@gmail.com>.
Rohit,
definite +1
Thanks,
ilya
On 7/20/14, 8:35 AM, Rohit Yadav wrote:
> Hi,
>
> I'm assuming no one objects the proposal and the spec, I'll move forward
> with the first implementation starting next week but will be mostly
> offline till 28th July.
>
> Regards.
>
> Rohit Yadav wrote:
>> Hi guys,
>>
>> There has been a lot of interest [4] around auth related problems in
>> CloudStach such as -- SSO/SLO (single sign on / log out), 2-factor
>> authentication, role based network/IP/CIDR checking etc.
>>
>> A lot of challenge in implementing them in CloudStack is because of two
>> divergent authentication mechanisms (one that is
>> username/password/cookie based, other which is api/secret keys or
>> hmac/signature based).
>>
>> This thread tries to kickstart a project in that direction which will in
>> short term try to implement a SAML2 plugin and in long term have a much
>> better authentication framework.
>>
>> Let me start by briefly explaining what SAML2 [1] is -- it's an XML
>> based authentication and authorization protocol widely used to implement
>> single sign on service. Having a SAML plugin in ACS will give users and
>> organization a new mode of authentication who already have such an
>> infrastructure in place.
>>
>> A SAML based SSO infrastructure consists of three entities - user-agent
>> (UA), service provider (SP) and identity provider (IdP). The UA is the
>> user/browser, the SP is the application that the UA is accessing (i.e.
>> Apache CloudStack UI) and the IdP is the identity service and does
>> authentication and authorization, management of users among other
>> things. IdP could be backed by LDAP, AD etc. For the scope of this
>> feature, we only need to implement SAML SP plugin in CloudStack and use
>> any free SAML 2.0 compliant IdP server [5] for testing.
>>
>> For this I researched and explored ways of implementing that and have a
>> first draft which needs to be discussed and iterated in the ACS dev
>> community.
>>
>> After comparing many opensource SAML 2.0 implementations, their
>> security and stability, we'll use OpenSAML [2] which is the most stable
>> and widely used Java implementation. Since within CloudStack, we've been
>> using Spring (for DI etc.) I explored and found Spring security SAML
>> extension [3] which fits perfectly and it too uses OpenSAML.
>>
>> I also have a working proof-of-concept general implementation using the
>> above based on which I've put together a design document draft on this
>> feature for your review:
>>
>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/SAML+2.0+Plugin
>>
>> There are some complex stories/cases around security and user management
>> in CloudStack, some of which are listed under 'open ended questions' in
>> the draft above most of which I'm not sure how to address.
>>
>> After first round of discussion, I'll go ahead with a basic
>> implementation of this feature. The second phase will address broader
>> use cases.
>>
>> Comments, questions, suggestions?
>>
>> References:
>>
>> [1] http://en.wikipedia.org/wiki/SAML_2.0
>> [2] https://wiki.shibboleth.net/confluence/display/OpenSAML/Home
>> [3] http://projects.spring.io/spring-security-saml
>> [4] John Burwell's talk on SSO in CloudStack:
>> https://www.youtube.com/watch?v=kCR0TzrfCOM
>> [5] https://idp.ssocircle.com/sso/UI/Login
>>
>> Regards,
>> Rohit Yadav
>> Software Architect, ShapeBlue
>> M. +91 88 262 30892 | rohit.yadav@shapeblue.com
>> Blog: bhaisaab.org | Twitter: @_bhaisaab
>>
>>
>> Find out more about ShapeBlue and our range of CloudStack related
>> services
>>
>> IaaS Cloud Design &
>> Build<http://shapeblue.com/iaas-cloud-design-and-build//>
>> CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
>> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
>> CloudStack Infrastructure
>> Support<http://shapeblue.com/cloudstack-infrastructure-support/>
>> CloudStack Bootcamp Training
>> Courses<http://shapeblue.com/cloudstack-training/>
>>
>> This email and any attachments to it may be confidential and are
>> intended solely for the use of the individual to whom it is addressed.
>> Any views or opinions expressed are solely those of the author and do
>> not necessarily represent those of Shape Blue Ltd or related companies.
>> If you are not the intended recipient of this email, you must neither
>> take any action based upon its contents, nor copy or show it to anyone.
>> Please contact the sender if you believe you have received this email in
>> error. Shape Blue Ltd is a company incorporated in England & Wales.
>> ShapeBlue Services India LLP is a company incorporated in India and is
>> operated under license from Shape Blue Ltd. Shape Blue Brasil
>> Consultoria Ltda is a company incorporated in Brasil and is operated
>> under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company
>> registered by The Republic of South Africa and is traded under license
>> from Shape Blue Ltd. ShapeBlue is a registered trademark.
>
> --
> Rohit Yadav
> Software Architect, ShapeBlue
> M. +41 779015219 | rohit.yadav@shapeblue.com
> Blog: bhaisaab.org | Twitter: @_bhaisaab
>
>
> Find out more about ShapeBlue and our range of CloudStack related
> services
>
> IaaS Cloud Design &
> Build<http://shapeblue.com/iaas-cloud-design-and-build//>
> CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
> CloudStack Infrastructure
> Support<http://shapeblue.com/cloudstack-infrastructure-support/>
> CloudStack Bootcamp Training
> Courses<http://shapeblue.com/cloudstack-training/>
>
> This email and any attachments to it may be confidential and are
> intended solely for the use of the individual to whom it is addressed.
> Any views or opinions expressed are solely those of the author and do
> not necessarily represent those of Shape Blue Ltd or related
> companies. If you are not the intended recipient of this email, you
> must neither take any action based upon its contents, nor copy or show
> it to anyone. Please contact the sender if you believe you have
> received this email in error. Shape Blue Ltd is a company incorporated
> in England & Wales. ShapeBlue Services India LLP is a company
> incorporated in India and is operated under license from Shape Blue
> Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in
> Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA
> Pty Ltd is a company registered by The Republic of South Africa and is
> traded under license from Shape Blue Ltd. ShapeBlue is a registered
> trademark.
Re: [DISCUSS] [PROPOSAL] SAML2 plugin for SSO/SLO in CloudStack
Posted by Sebastien Goasguen <ru...@gmail.com>.
> On 20 Jul 2014, at 17:35, Rohit Yadav <ro...@shapeblue.com> wrote:
>
> Hi,
>
> I'm assuming no one objects the proposal and the spec, I'll move forward
> with the first implementation starting next week but will be mostly
> offline till 28th July.
>
+1 from me , most definitely.
Your email was clear, thanks for putting up the design doc on the wiki. I agree with a first step to implement an SP.
-sebastien
> Regards.
>
> Rohit Yadav wrote:
>> Hi guys,
>>
>> There has been a lot of interest [4] around auth related problems in
>> CloudStach such as -- SSO/SLO (single sign on / log out), 2-factor
>> authentication, role based network/IP/CIDR checking etc.
>>
>> A lot of challenge in implementing them in CloudStack is because of two
>> divergent authentication mechanisms (one that is
>> username/password/cookie based, other which is api/secret keys or
>> hmac/signature based).
>>
>> This thread tries to kickstart a project in that direction which will in
>> short term try to implement a SAML2 plugin and in long term have a much
>> better authentication framework.
>>
>> Let me start by briefly explaining what SAML2 [1] is -- it's an XML
>> based authentication and authorization protocol widely used to implement
>> single sign on service. Having a SAML plugin in ACS will give users and
>> organization a new mode of authentication who already have such an
>> infrastructure in place.
>>
>> A SAML based SSO infrastructure consists of three entities - user-agent
>> (UA), service provider (SP) and identity provider (IdP). The UA is the
>> user/browser, the SP is the application that the UA is accessing (i.e.
>> Apache CloudStack UI) and the IdP is the identity service and does
>> authentication and authorization, management of users among other
>> things. IdP could be backed by LDAP, AD etc. For the scope of this
>> feature, we only need to implement SAML SP plugin in CloudStack and use
>> any free SAML 2.0 compliant IdP server [5] for testing.
>>
>> For this I researched and explored ways of implementing that and have a
>> first draft which needs to be discussed and iterated in the ACS dev
>> community.
>>
>> After comparing many opensource SAML 2.0 implementations, their
>> security and stability, we'll use OpenSAML [2] which is the most stable
>> and widely used Java implementation. Since within CloudStack, we've been
>> using Spring (for DI etc.) I explored and found Spring security SAML
>> extension [3] which fits perfectly and it too uses OpenSAML.
>>
>> I also have a working proof-of-concept general implementation using the
>> above based on which I've put together a design document draft on this
>> feature for your review:
>>
>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/SAML+2.0+Plugin
>>
>> There are some complex stories/cases around security and user management
>> in CloudStack, some of which are listed under 'open ended questions' in
>> the draft above most of which I'm not sure how to address.
>>
>> After first round of discussion, I'll go ahead with a basic
>> implementation of this feature. The second phase will address broader
>> use cases.
>>
>> Comments, questions, suggestions?
>>
>> References:
>>
>> [1] http://en.wikipedia.org/wiki/SAML_2.0
>> [2] https://wiki.shibboleth.net/confluence/display/OpenSAML/Home
>> [3] http://projects.spring.io/spring-security-saml
>> [4] John Burwell's talk on SSO in CloudStack:
>> https://www.youtube.com/watch?v=kCR0TzrfCOM
>> [5] https://idp.ssocircle.com/sso/UI/Login
>>
>> Regards,
>> Rohit Yadav
>> Software Architect, ShapeBlue
>> M. +91 88 262 30892 | rohit.yadav@shapeblue.com
>> Blog: bhaisaab.org | Twitter: @_bhaisaab
>>
>>
>> Find out more about ShapeBlue and our range of CloudStack related services
>>
>> IaaS Cloud Design &
>> Build<http://shapeblue.com/iaas-cloud-design-and-build//>
>> CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
>> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
>> CloudStack Infrastructure
>> Support<http://shapeblue.com/cloudstack-infrastructure-support/>
>> CloudStack Bootcamp Training
>> Courses<http://shapeblue.com/cloudstack-training/>
>>
>> This email and any attachments to it may be confidential and are
>> intended solely for the use of the individual to whom it is addressed.
>> Any views or opinions expressed are solely those of the author and do
>> not necessarily represent those of Shape Blue Ltd or related companies.
>> If you are not the intended recipient of this email, you must neither
>> take any action based upon its contents, nor copy or show it to anyone.
>> Please contact the sender if you believe you have received this email in
>> error. Shape Blue Ltd is a company incorporated in England & Wales.
>> ShapeBlue Services India LLP is a company incorporated in India and is
>> operated under license from Shape Blue Ltd. Shape Blue Brasil
>> Consultoria Ltda is a company incorporated in Brasil and is operated
>> under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company
>> registered by The Republic of South Africa and is traded under license
>> from Shape Blue Ltd. ShapeBlue is a registered trademark.
>
> --
> Rohit Yadav
> Software Architect, ShapeBlue
> M. +41 779015219 | rohit.yadav@shapeblue.com
> Blog: bhaisaab.org | Twitter: @_bhaisaab
>
>
> Find out more about ShapeBlue and our range of CloudStack related services
>
> IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
> CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
> CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
> CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>
>
> This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.
Re: [DISCUSS] [PROPOSAL] SAML2 plugin for SSO/SLO in CloudStack
Posted by Rohit Yadav <ro...@shapeblue.com>.
Hi,
I'm assuming no one objects the proposal and the spec, I'll move forward
with the first implementation starting next week but will be mostly
offline till 28th July.
Regards.
Rohit Yadav wrote:
> Hi guys,
>
> There has been a lot of interest [4] around auth related problems in
> CloudStach such as -- SSO/SLO (single sign on / log out), 2-factor
> authentication, role based network/IP/CIDR checking etc.
>
> A lot of challenge in implementing them in CloudStack is because of two
> divergent authentication mechanisms (one that is
> username/password/cookie based, other which is api/secret keys or
> hmac/signature based).
>
> This thread tries to kickstart a project in that direction which will in
> short term try to implement a SAML2 plugin and in long term have a much
> better authentication framework.
>
> Let me start by briefly explaining what SAML2 [1] is -- it's an XML
> based authentication and authorization protocol widely used to implement
> single sign on service. Having a SAML plugin in ACS will give users and
> organization a new mode of authentication who already have such an
> infrastructure in place.
>
> A SAML based SSO infrastructure consists of three entities - user-agent
> (UA), service provider (SP) and identity provider (IdP). The UA is the
> user/browser, the SP is the application that the UA is accessing (i.e.
> Apache CloudStack UI) and the IdP is the identity service and does
> authentication and authorization, management of users among other
> things. IdP could be backed by LDAP, AD etc. For the scope of this
> feature, we only need to implement SAML SP plugin in CloudStack and use
> any free SAML 2.0 compliant IdP server [5] for testing.
>
> For this I researched and explored ways of implementing that and have a
> first draft which needs to be discussed and iterated in the ACS dev
> community.
>
> After comparing many opensource SAML 2.0 implementations, their
> security and stability, we'll use OpenSAML [2] which is the most stable
> and widely used Java implementation. Since within CloudStack, we've been
> using Spring (for DI etc.) I explored and found Spring security SAML
> extension [3] which fits perfectly and it too uses OpenSAML.
>
> I also have a working proof-of-concept general implementation using the
> above based on which I've put together a design document draft on this
> feature for your review:
>
> https://cwiki.apache.org/confluence/display/CLOUDSTACK/SAML+2.0+Plugin
>
> There are some complex stories/cases around security and user management
> in CloudStack, some of which are listed under 'open ended questions' in
> the draft above most of which I'm not sure how to address.
>
> After first round of discussion, I'll go ahead with a basic
> implementation of this feature. The second phase will address broader
> use cases.
>
> Comments, questions, suggestions?
>
> References:
>
> [1] http://en.wikipedia.org/wiki/SAML_2.0
> [2] https://wiki.shibboleth.net/confluence/display/OpenSAML/Home
> [3] http://projects.spring.io/spring-security-saml
> [4] John Burwell's talk on SSO in CloudStack:
> https://www.youtube.com/watch?v=kCR0TzrfCOM
> [5] https://idp.ssocircle.com/sso/UI/Login
>
> Regards,
> Rohit Yadav
> Software Architect, ShapeBlue
> M. +91 88 262 30892 | rohit.yadav@shapeblue.com
> Blog: bhaisaab.org | Twitter: @_bhaisaab
>
>
> Find out more about ShapeBlue and our range of CloudStack related services
>
> IaaS Cloud Design &
> Build<http://shapeblue.com/iaas-cloud-design-and-build//>
> CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
> CloudStack Infrastructure
> Support<http://shapeblue.com/cloudstack-infrastructure-support/>
> CloudStack Bootcamp Training
> Courses<http://shapeblue.com/cloudstack-training/>
>
> This email and any attachments to it may be confidential and are
> intended solely for the use of the individual to whom it is addressed.
> Any views or opinions expressed are solely those of the author and do
> not necessarily represent those of Shape Blue Ltd or related companies.
> If you are not the intended recipient of this email, you must neither
> take any action based upon its contents, nor copy or show it to anyone.
> Please contact the sender if you believe you have received this email in
> error. Shape Blue Ltd is a company incorporated in England & Wales.
> ShapeBlue Services India LLP is a company incorporated in India and is
> operated under license from Shape Blue Ltd. Shape Blue Brasil
> Consultoria Ltda is a company incorporated in Brasil and is operated
> under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company
> registered by The Republic of South Africa and is traded under license
> from Shape Blue Ltd. ShapeBlue is a registered trademark.
--
Rohit Yadav
Software Architect, ShapeBlue
M. +41 779015219 | rohit.yadav@shapeblue.com
Blog: bhaisaab.org | Twitter: @_bhaisaab
Find out more about ShapeBlue and our range of CloudStack related services
IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
CSForge – rapid IaaS deployment framework<http://shapeblue.com/csforge/>
CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>
This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic of South Africa and is traded under license from Shape Blue Ltd. ShapeBlue is a registered trademark.