Posted to issues@cloudstack.apache.org by "Rohit Yadav (JIRA)" <ji...@apache.org> on 2015/05/18 09:59:00 UTC

[jira] [Updated] (CLOUDSTACK-8462) SAML: Auth plugin should handle authentication, admins to authorize users before they can be authenticated

     [ https://issues.apache.org/jira/browse/CLOUDSTACK-8462?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rohit Yadav updated CLOUDSTACK-8462:
------------------------------------
    Summary: SAML: Auth plugin should handle authentication, admins to authorize users before they can be authenticated  (was: SAML: Auth plugin should handle authorization and disallow users who are not allowed)

> SAML: Auth plugin should handle authentication, admins to authorize users before they can be authenticated
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-8462
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8462
>             Project: CloudStack
>          Issue Type: Sub-task
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: SAML
>            Reporter: Rohit Yadav
>            Assignee: Rohit Yadav
>            Priority: Critical
>             Fix For: Future, 4.6.0, 4.5.2
>
>
> At the time of writing the auth plugin, I did not consider many security issues. The current SAML2 auth plugin would automatically create users and allow them inside CloudStack, which in production could cause a severe security issue, especially in environments with public IdP server infra such as large institutions. Therefore, the idea is to let the admin add/import users manually or from LDAP and then allow them to be SAML authenticated. This delegates the security issue and account creation/handling to the admin or some other business layer/system.
> The following scenario would be supported:
> - Admin adds a user either manually or by importing from LDAP etc.
> - Admin can then specify (multi-select or through the API) a list of one or more users by their username (or any unique ID) to be allowed to be SAML authenticated.
> The assumption here is that every SAML authenticated user would have a unique username mapped into CloudStack. Edge case handling: in case multiple users exist in CloudStack with the same username (could be across domains) and the admin enables SAML authentication for all those user accounts, then the plugin would assume all the users to be the same and allowed for the SAML authenticated user. Then, upon log in, the user should be able to select/switch between all such accounts under any of the domains.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
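The authorize-before-authenticate flow proposed in the ticket, as an added illustrative example. This is not CloudStack's code and not the reporter's; it models the two behaviours side by side: the auto-create login the ticket calls unsafe, and the proposed flow in which an admin must first enable SAML on an existing account, plus the same-username-across-domains edge case where the user picks one of the authorized accounts. It assumes the SAML response has already been signature-checked by the service provider so that only the validated NameID reaches this code; the names UserStore, login_autocreate, login_authorized and switch_account are hypothetical, as is the in-memory account table.

```python
"""Authorize-then-authenticate SAML login flow (illustrative, not CloudStack code).

Assumption: the SAML assertion has already been cryptographically validated
by the SP and `name_id` is the trusted subject identifier it carried.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Account:
    username: str
    domain: str
    saml_enabled: bool = False


@dataclass
class UserStore:
    """Hypothetical in-memory stand-in for the accounts table."""
    accounts: Dict[Tuple[str, str], Account] = field(default_factory=dict)

    def add(self, username: str, domain: str) -> Account:
        """Admin (or LDAP import) creates the account; SAML is off by default."""
        key = (username, domain)
        if key in self.accounts:
            raise ValueError(f"account {username}@{domain} already exists")
        self.accounts[key] = Account(username, domain)
        return self.accounts[key]

    def authorize_saml(self, username: str, domain: str) -> Account:
        """Admin step: enable SAML login on an account that already exists.

        It never creates accounts, so an arbitrary IdP subject cannot
        bootstrap itself into CloudStack just by authenticating at the IdP.
        """
        key = (username, domain)
        if key not in self.accounts:
            raise LookupError(f"no such account {username}@{domain}; create it first")
        self.accounts[key] = Account(username, domain, saml_enabled=True)
        return self.accounts[key]

    def saml_candidates(self, username: str) -> Tuple[Account, ...]:
        """All accounts sharing this username (possibly across domains) that an admin has SAML-enabled."""
        matches = [a for a in self.accounts.values()
                   if a.username == username and a.saml_enabled]
        return tuple(sorted(matches, key=lambda a: a.domain))


# --- the behaviour the ticket describes as the problem: create on first login ---
def login_autocreate(store: UserStore, name_id: str, default_domain: str = "ROOT") -> Account:
    key = (name_id, default_domain)
    if key not in store.accounts:
        # Anyone the IdP will vouch for gets an account and a session.
        store.accounts[key] = Account(name_id, default_domain, saml_enabled=True)
    return store.accounts[key]


# --- the proposed behaviour: only pre-authorized accounts may log in ---
@dataclass
class Session:
    name_id: str
    candidates: Tuple[Account, ...]      # accounts this subject may use
    current: Optional[Account] = None   # None until the user picks one (multi-domain case)


def login_authorized(store: UserStore, name_id: str) -> Session:
    cands = store.saml_candidates(name_id)
    if not cands:
        # Unknown subject, or known but not SAML-enabled by an admin: refuse.
        raise PermissionError(f"{name_id} is not authorized for SAML login")
    # Single match: log straight in. Several matches: defer the choice to the user.
    return Session(name_id, cands, cands[0] if len(cands) == 1 else None)


def switch_account(session: Session, domain: str) -> Account:
    """Let the user select/switch among their authorized accounts, and nothing else."""
    for acc in session.candidates:
        if acc.domain == domain:
            session.current = acc
            return acc
    raise PermissionError(f"{session.name_id} has no SAML-enabled account in domain {domain}")


def demo() -> dict:
    """Constructed sample data: alice exists in two domains, bob in one, mallory only at the IdP."""
    store = UserStore()
    store.add("alice", "ROOT")
    store.add("alice", "eng")
    store.add("bob", "ROOT")
    store.authorize_saml("alice", "ROOT")
    store.authorize_saml("alice", "eng")

    outcome = {}
    outcome["mallory_autocreate"] = login_autocreate(UserStore(), "mallory").username
    alice = login_authorized(store, "alice")
    outcome["alice_needs_choice"] = alice.current is None
    outcome["alice_domains"] = [a.domain for a in alice.candidates]
    outcome["alice_switched"] = switch_account(alice, "eng").domain
    for who in ("bob", "mallory"):
        try:
            login_authorized(store, who)
            outcome[who] = "allowed"
        except PermissionError:
            outcome[who] = "denied"
    return outcome


if __name__ == "__main__":
    print(demo())
```

The difference between the two login functions is the whole point of the ticket: `login_autocreate` lets the IdP decide who exists in CloudStack, whereas `login_authorized` reads an allow-list that only an admin can grow, and `switch_account` constrains the multi-domain selector to accounts already on that list rather than to any account with the same username.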