Posted to users@cloudstack.apache.org by Antoine Boucher <an...@haltondc.com> on 2022/10/17 13:57:58 UTC

Attribute name mapping issue - Keycloak as idP

Hello,

We need to integrate MFA for the CloudStack admin accounts, after trying Google and ADFS we have landed on using Keycloak.

However, after a week, we cannot seem to resolve the error below, which we assume to be a mapping issue from Keycloak to CloudStack.

<loginresponse cloud-stack-version="4.16.1.0">
<errorcode>531</errorcode>
<errortext>Failed to find admin configured username attribute in the SAML Response. Please ask your administrator to check SAML user attribute name.</errortext>
</loginresponse>

We will reward any help that helps us complete the integration.

Regards,
Antoine


Antoine Boucher
AntoineB@haltondc.com



Re: Attribute name mapping issue - Keycloak as idP

Posted by Vladimir Dombrovski <vl...@bso.co>.
Hello Antoine (and others),

We finally managed to get it to work; here is a short write-up of
how we got it to work:

First and foremost, get yourself a SAML tracing tool (I'm using
SAML-Tracer browser extension). It's really hard to debug SAML without
proper tools, so I highly encourage you to use one.

Then, on Cloudstack side, you need to:
1. set the user to use SAML (warning: this is irreversible, don't lock
yourself out; test it with a dummy user first). See:
apache/cloudstack/issues/6672
2. set the proper saml2.user.attribute (in your case username), but
you could use any of them (we're using email)
3. for testing purposes, lower your saml2.timeout to something
manageable, like 60s
4. keep SIGALG as default (SHA1), it is auto-negotiated during SAML
handshake anyway, so the keycloak value will be used (provided the
algo is implemented on Cloudstack side)
5. saml2.append.idpdomain = false

On Keycloak side, you need to:
1. Register a client: id org.apache.cloudstack (actually this maps to
saml2.sp.id, so replace accordingly), assertion encryption off, name
id persistent (not used as we're using attributes), redirect url
https://[cloudstack_domain]/client/api?command=samlSso
2. Create a mapper on the client. type=User property, property=email,
friendly name=whatever, SAML Attribute Name = (SAML urn:oid value).
Some SAML libs will hardcode the attributes maps, example here
github[dot]com/simplesamlphp/simplesamlphp/blob/master/attributemap/urn2oid.php.
We're using email here, which corresponds to:
urn:oid:1.2.840.113549.1.9.1
3. Create a user inside keycloak with the right email field.

Now select Single sign on, click login, enter your credentials on
Keycloak, then get redirected to Cloudstack. If unsuccessful, check
the SAML trace for the POST to
https://[cloudstack_domain]/client/api?command=samlSso; the SAML
response should contain your mapped user property like this:

    <saml:Attribute FriendlyName="email"
                    Name="urn:oid:1.2.840.113549.1.9.1"
                    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                             xsi:type="xs:string">myuser@whatever.com</saml:AttributeValue>

If you don't see it, it means that the attribute wasn't passed
correctly, so check step 2 on the Keycloak side.

Regards,

Vladimir

Vladimir DOMBROVSKI
Cloud Services engineer
+33 6 07 84 13 95
www.bso.co
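The check behind error 531 is simple to reproduce offline: decode the SAMLResponse form field that Keycloak POSTs to command=samlSso, look for an saml:Attribute whose Name matches the configured saml2.user.attribute, and read its value. The script below is an added example, not CloudStack or Keycloak code; the two SAML responses in it are constructed samples shaped like the trace above, the small OID table is an assumption about how Keycloak "User property" mappers are usually named, and the lenient matching (Name, FriendlyName, or the urn:oid form of the configured name) is this example's own choice rather than a description of what CloudStack itself accepts. It reports the "found" and "missing" cases side by side so a trace can be checked before touching the live login.

```python
"""Check whether a SAML Response carries the attribute CloudStack expects.

Added example (not CloudStack or Keycloak code). It mirrors the lookup that
fails with error 531 ("Failed to find admin configured username attribute in
the SAML Response"): an <saml:Attribute> matching saml2.user.attribute must be
present in the assertion, with a non-empty <saml:AttributeValue>.
"""
import base64
import xml.etree.ElementTree as ET
from typing import Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Standard urn:oid names for common attributes. The email OID is the one from
# the thread; whether your Keycloak mapper emits OIDs or plain names is an
# assumption you must confirm in the SAML trace.
KNOWN_OIDS = {
    "email": "urn:oid:1.2.840.113549.1.9.1",
    "uid": "urn:oid:0.9.2342.19200300.100.1.1",
}


def find_user_attribute(saml_response_xml: str, configured_name: str) -> Optional[str]:
    """Return the value CloudStack would read for configured_name, or None.

    Example-specific leniency: matches on Name, on FriendlyName, and on the
    urn:oid form of configured_name, so "email" also finds the OID attribute.
    For untrusted input, parse with defusedxml and verify the signature first;
    this example only inspects a trace you already captured.
    """
    root = ET.fromstring(saml_response_xml)
    wanted = {configured_name, KNOWN_OIDS.get(configured_name, configured_name)}
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") in wanted or attr.get("FriendlyName") in wanted:
            value = attr.find("saml:AttributeValue", NS)
            if value is not None and value.text and value.text.strip():
                return value.text.strip()
    return None


def decode_saml_response(form_value: str) -> str:
    """The SAMLResponse form field posted to command=samlSso is base64 XML."""
    return base64.b64decode(form_value).decode("utf-8")


def encode(xml: str) -> str:
    """Inverse of decode_saml_response, used to build the sample POST values."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def diagnose(form_value: str, configured_name: str) -> str:
    """One-line verdict: the mapped value, or the attribute names that did arrive."""
    xml = decode_saml_response(form_value)
    value = find_user_attribute(xml, configured_name)
    if value is None:
        present = [a.get("Name") for a in ET.fromstring(xml).iterfind(".//saml:Attribute", NS)]
        return f"MISSING: no attribute matching {configured_name!r}; response carries {present}"
    return f"OK: {configured_name} -> {value}"


# Constructed sample: the working case, shaped like the trace in the thread.
SAMPLE_OK = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute FriendlyName="email" Name="urn:oid:1.2.840.113549.1.9.1"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string">myuser@whatever.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: the failing case. No mapper was created on the client,
# so the assertion carries only a NameID and no attribute at all; this example
# reports it as missing, which is the situation error 531 describes.
SAMPLE_MISSING = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>myuser</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    print(diagnose(encode(SAMPLE_OK), "email"))
    print(diagnose(encode(SAMPLE_MISSING), "email"))
```

To use it on a real trace, paste the SAMLResponse value from the POST captured by SAML-Tracer into `diagnose()` together with your saml2.user.attribute setting; the "MISSING" branch lists the attribute names that did arrive, which tells you whether the mapper is absent or merely named differently from what CloudStack is configured to read.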




Re: Attribute name mapping issue - Keycloak as idP

Posted by Antoine Boucher <an...@haltondc.com>.
Hi Vladimir,

Have you seen this: https://www.mail-archive.com/users@cloudstack.apache.org/msg29759.html ?


Antoine Boucher
AntoineB@haltondc.com
[o] +1-226-505-9734
www.haltondc.com

“Data security made simple”

Re: Attribute name mapping issue - Keycloak as idP

Posted by Vladimir Dombrovski <vl...@bso.co>.
Hello Antoine (and others),

We've tried the same integration, and we are stuck on exactly the same
error message. Not sure how to proceed from there, we are able to
provide some elements from our setup.

Regards,

Vladimir
