Posted to users@cloudstack.apache.org by Fabrice Pollet <fa...@etrs.terre.defense.gouv.fr> on 2017/04/26 12:01:46 UTC

Shibboleth and CloudStack

Hello,

I'm trying to configure SAML2 SSO support to connect CloudStack 4.9.2.0
as a service provider (SP) to our own identity provider Shibboleth 2.4.4
(IdP - Authentication Service and Authorization based on XML).

I have completed the following CloudStack SAML2 settings:

saml2.append.idpdomain = false

saml2.default.idpid = néant

saml2.enabled = true

saml2.idp.metadata.url = http://idp.etrs.terre.defense.gouv.fr:8080/idp/shibboleth

saml2.redirect.url = https://cloud.etrs.terre.defense.gouv.fr/client

saml2.sigalg = SHA256

saml2.sp.id = cloud.etrs.terre.defense.gouv.fr

saml2.sp.slo.url = https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSlo

saml2.sp.sso.url = https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso

saml2.user.attribute = uid


But the SAML2 SSO URL
https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso
sends me to the native authentication URL of our IdP,
https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword,
instead of the SSO-CAS delegation URL
https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser.


The metadata of my SP is registered in my IdP (from the configuration file
relying-party.xml):

<!-- Metadata of ETRS CloudStack -->
<metadata:MetadataProvider id="cloud.etrs.terre.defense.gouv.fr"
    xsi:type="metadata:FileBackedHTTPMetadataProvider"
    metadataURL="http://cloud.etrs.terre.defense.gouv.fr:8080/client/api?command=getSPMetadata"
    backingFile="/opt/shibboleth-idp/metadata/main-sps-etrs-cloudstack-metadata.xml">
</metadata:MetadataProvider>

Thank you for your help.


-- 
IEF MINDEF POLLET Fabrice

TERRE/COMSIC/ETRS/DGF/BAF/ING-NEF/PFI-PEDA
COMSIC BP18 35998 RENNES 9 France

821 354 34 82 / 02 99 84 34 82
fabrice.pollet@etrs.fr (Internet)
fabrice-c.pollet@intradef.gouv.fr (Intradef)
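A first thing worth checking mechanically in a setup like the one above is that the SP metadata the IdP fetches from getSPMetadata agrees with the saml2.* settings: the IdP resolves the SP's signing key and the AssertionConsumerService it will POST the response to from the SPSSODescriptor in that metadata, and the SP in turn needs an HTTP-Redirect SingleSignOnService from the IdP metadata to send its AuthnRequest. The Python below is an added example and not CloudStack or Shibboleth code; SP_METADATA and IDP_METADATA are constructed samples in ordinary SAML 2.0 metadata shape (not the real output of getSPMetadata or of the IdP's /idp/shibboleth endpoint, and with a placeholder certificate), and SETTINGS copies the values listed in the post.

```python
"""Check CloudStack's saml2.* settings against SP and IdP metadata.

Added example, not CloudStack or Shibboleth code. SP_METADATA and IDP_METADATA
are constructed samples in standard SAML 2.0 metadata shape, not the real
output of getSPMetadata or of the IdP's /idp/shibboleth endpoint.
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Global settings as listed in the post.
SETTINGS = {
    "saml2.sp.id": "cloud.etrs.terre.defense.gouv.fr",
    "saml2.sp.sso.url": "https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso",
    "saml2.sp.slo.url": "https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSlo",
}

# Constructed SP metadata: what the IdP's FileBackedHTTPMetadataProvider would cache.
SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="cloud.etrs.terre.defense.gouv.fr">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSlo"/>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed IdP metadata: what saml2.idp.metadata.url would return.
IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.etrs.terre.defense.gouv.fr/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def check_sp_metadata(xml_text, settings):
    """Return a list of mismatches between SP metadata and the saml2.* settings.

    An empty list means the IdP can find the entity, its SPSSODescriptor role,
    a signing key, and an HTTP-POST AssertionConsumerService at saml2.sp.sso.url.
    """
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("entityID") != settings["saml2.sp.id"]:
        problems.append("entityID differs from saml2.sp.id")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        # The entity may be listed but without an SP role; the IdP then has
        # nothing to resolve keys or endpoints from for this entity.
        problems.append("no SPSSODescriptor role in SP metadata")
        return problems
    # A KeyDescriptor without a use attribute is valid for both signing and encryption.
    if not any(k.get("use") in (None, "signing") for k in sp.findall("md:KeyDescriptor", NS)):
        problems.append("no signing KeyDescriptor: IdP cannot verify the AuthnRequest signature")
    acs = {(e.get("Binding"), e.get("Location")) for e in sp.findall("md:AssertionConsumerService", NS)}
    if (HTTP_POST, settings["saml2.sp.sso.url"]) not in acs:
        problems.append("no HTTP-POST AssertionConsumerService at saml2.sp.sso.url")
    slo = {e.get("Location") for e in sp.findall("md:SingleLogoutService", NS)}
    if settings["saml2.sp.slo.url"] not in slo:
        problems.append("no SingleLogoutService at saml2.sp.slo.url")
    return problems


def idp_redirect_sso(xml_text):
    """Return (entityID, HTTP-Redirect SSO URL) the SP will send AuthnRequests to."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in IdP metadata")
    for sso in idp.findall("md:SingleSignOnService", NS):
        if sso.get("Binding") == HTTP_REDIRECT:
            return root.get("entityID"), sso.get("Location")
    raise ValueError("IdP metadata has no HTTP-Redirect SingleSignOnService")


if __name__ == "__main__":
    print("SP problems:", check_sp_metadata(SP_METADATA, SETTINGS) or "none")
    print("IdP:", idp_redirect_sso(IDP_METADATA))
```

To run this against a live deployment, replace the two constructed strings with the bodies fetched from the getSPMetadata URL and from saml2.idp.metadata.url; the checks themselves only use the standard library.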


Re: Shibboleth and CloudStack

Posted by Rohit Yadav <ro...@shapeblue.com>.
Hi Fabrice,


In the SAML response sent after authentication, the encrypted data should have a unique attribute that corresponds to the username of an account in CloudStack. The global setting 'saml2.user.attribute' is set to uid by default (I think, to make it work out of the box with an LDAP-backed IdP server). Change this attribute value to something else that is specific to the user attribute in your environment, restart the management server and retry.


Regards.
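The reply's point, made concrete: CloudStack takes one attribute out of the assertion and uses its value as the account username, so the IdP must release that attribute and its value must match an existing account. The Python below is an added example and not CloudStack code. SAMPLE_RESPONSE is a constructed, unsigned and unencrypted Response (a real one is signed and normally carries an EncryptedAssertion that the SP decrypts before reading attributes, a step skipped here), `known_users` stands in for CloudStack's account lookup, and the mapping of uid to the OID urn:oid:0.9.2342.19200300.100.1.1 is the usual LDAP attribute OID that Shibboleth releases with FriendlyName "uid".

```python
"""Resolve the CloudStack username from a SAML Response's AttributeStatement.

Added example, not CloudStack code. SAMPLE_RESPONSE is a constructed sample,
unsigned and unencrypted; signature verification and assertion decryption,
which happen before this step in a real SP, are not shown.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# The LDAP uid attribute OID under which Shibboleth conventionally releases uid.
UID_OID = "urn:oid:0.9.2342.19200300.100.1.1"

SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
    ID="_constructed-response" IssueInstant="2017-05-04T10:50:52Z"
    Destination="https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso">
  <saml2:Issuer>https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth</saml2:Issuer>
  <saml2:Assertion ID="_constructed-assertion" Version="2.0" IssueInstant="2017-05-04T10:50:52Z">
    <saml2:Issuer>https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_constructed-transient-id</saml2:NameID>
    </saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1" FriendlyName="uid">
        <saml2:AttributeValue>fabrice.pollet</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
        <saml2:AttributeValue>fabrice.pollet@etrs.fr</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
"""


def released_attributes(response_xml):
    """Map each released attribute, by Name and by FriendlyName, to its values."""
    root = ET.fromstring(response_xml)
    out = {}
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]
        for key in (attr.get("Name"), attr.get("FriendlyName")):
            if key:
                out.setdefault(key, []).extend(values)
    return out


def resolve_username(response_xml, user_attribute, known_users):
    """Return (True, username) or (False, reason).

    user_attribute plays the role of saml2.user.attribute; known_users stands in
    for the CloudStack account lookup. Fails closed when the attribute is absent
    or multi-valued, so a response can never map to an ambiguous account.
    """
    attrs = released_attributes(response_xml)
    values = attrs.get(user_attribute, [])
    if len(values) != 1:
        return False, (f"attribute {user_attribute!r} released {len(values)} times; "
                       f"IdP released: {sorted(attrs)}")
    username = values[0]
    if username not in known_users:
        return False, f"no CloudStack account with username {username!r}"
    return True, username


if __name__ == "__main__":
    print(resolve_username(SAMPLE_RESPONSE, "uid", {"fabrice.pollet", "admin"}))
    print(resolve_username(SAMPLE_RESPONSE, "sAMAccountName", {"fabrice.pollet"}))
```

The failure message lists which attribute names the IdP actually released, which is the information needed to pick the right saml2.user.attribute value when the default uid is not the one the IdP sends.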

________________________________
From: Fabrice Pollet <fa...@etrs.terre.defense.gouv.fr>
Sent: 05 May 2017 12:13:55
To: Rohit Yadav; users@cloudstack.apache.org; fabrice.pollet@etrs.fr
Subject: Re: Shibboleth and CloudStack


Hello,

I made some changes in my configuration. Instead of editing the /etc/cloudstack/management/idp-metadata.xml file of my SP to force SSO-CAS authentication (https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser), I modified the /opt/shibboleth-idp/conf/handler.xml file of my IdP:


<!-- Login Handlers -->
<ph:LoginHandler xsi:type="ph:RemoteUser">
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
</ph:LoginHandler>

This tells the IdP it can use that login mechanism (in this case CAS) when an SP asks for PasswordProtectedTransport.

Both SP and IdP server hosts have the same timezone/time settings. It seems that the IdP and SP servers know each other's metadata, but I don't know how to verify whether the SP decrypts those of the IdP.

Logs of the IdP in debug mode show that the authentication succeeded but I noticed some errors in debug mode (in red in the text):


12:50:43.820 - INFO [Shibboleth-Access:73] - 20170504T105043Z|172.16.96.7|idp.etrs.terre.defense.gouv.fr:443|/profile/SAML2/Redirect/SSO|
12:50:43.820 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:86] - shibboleth.HandlerManager: Looking up profile handler for request path: /SAML2/Redirect/SSO
12:50:43.820 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:97] - shibboleth.HandlerManager: Located profile handler of the following type for the request path: edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler
12:50:43.821 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:339] - LoginContext key cookie was not present in request
12:50:43.821 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:188] - Incoming request does not contain a login context, processing as first leg of request
12:50:43.821 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:366] - Decoding message with decoder binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
12:50:43.821 - DEBUG [org.opensaml.ws.message.decoder.BaseMessageDecoder:76] - Beginning to decode message from inbound transport of type: org.opensaml.ws.transport.http.HttpServletRequestAdapter
12:50:43.822 - DEBUG [org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder:90] - Decoded RelayState: null
12:50:43.822 - DEBUG [org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder:127] - Base64 decoding and inflating SAML message
12:50:43.822 - DEBUG [org.opensaml.ws.message.decoder.BaseMessageDecoder:183] - Parsing message stream into DOM document
12:50:43.823 - DEBUG [org.opensaml.ws.message.decoder.BaseMessageDecoder:193] - Unmarshalling message DOM
12:50:43.823 - DEBUG [org.opensaml.ws.message.decoder.BaseMessageDecoder:205] - Message succesfully unmarshalled
12:50:43.823 - DEBUG [org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder:105] - Decoded SAML message
12:50:43.824 - DEBUG [org.opensaml.saml2.binding.decoding.BaseSAML2MessageDecoder:112] - Extracting ID, issuer and issue instant from request
12:50:43.824 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking child metadata provider for entity descriptor with entity ID: cloud.etrs.terre.defense.gouv.fr
12:50:43.824 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching for entity descriptor with an entity ID of cloud.etrs.terre.defense.gouv.fr
12:50:43.824 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:167] - Metadata document does not contain an EntityDescriptor with the ID cloud.etrs.terre.defense.gouv.fr

...

12:50:43.827 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching for entity descriptor with an entity ID of cloud.etrs.terre.defense.gouv.fr
12:50:43.828 - DEBUG [PROTOCOL_MESSAGE:113] -
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest
    AssertionConsumerServiceURL="https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso"
    Destination="https://idp.etrs.terre.defense.gouv.fr/idp/profile/SAML2/Redirect/SSO"
    ForceAuthn="false" ID="85qrvu7c1kmg1tsc0gqmk4a1u2k60qed"
    IsPassive="false" IssueInstant="2017-05-04T10:50:43.719Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    ProviderName="cloud.etrs.terre.defense.gouv.fr" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">cloud.etrs.terre.defense.gouv.fr</saml2:Issuer>
    <saml2p:RequestedAuthnContext Comparison="exact">
        <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>

12:50:43.828 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:128] - Looking up relying party configuration for cloud.etrs.terre.defense.gouv.fr
12:50:43.828 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:134] - No custom relying party configuration found for cloud.etrs.terre.defense.gouv.fr, looking up configuration based on metadata groups.
12:50:43.829 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking child metadata provider for entity descriptor with entity ID: cloud.etrs.terre.defense.gouv.fr
12:50:43.829 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching for entity descriptor with an entity ID of cloud.etrs.terre.defense.gouv.fr
12:50:43.829 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:167] - Metadata document does not contain an EntityDescriptor with the ID cloud.etrs.terre.defense.gouv.fr


12:50:43.831 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking child metadata provider for entity descriptor with entity ID: cloud.etrs.terre.defense.gouv.fr
12:50:43.831 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching for entity descriptor with an entity ID of cloud.etrs.terre.defense.gouv.fr
12:50:43.831 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:157] - No custom or group-based relying party configuration found for cloud.etrs.terre.defense.gouv.fr. Using default relying party configuration.
12:50:43.831 - DEBUG [org.opensaml.ws.message.decoder.BaseMessageDecoder:130] - Evaluating security policy of type 'edu.internet2.middleware.shibboleth.common.security.ShibbolethSecurityPolicy' for decoded message
12:50:43.832 - DEBUG [org.opensaml.util.storage.ReplayCache:92] - Attempting to acquire lock for replay cache check
12:50:43.832 - DEBUG [org.opensaml.util.storage.ReplayCache:94] - Lock acquired
12:50:43.832 - DEBUG [org.opensaml.util.storage.ReplayCache:105] - Message ID 85qrvu7c1kmg1tsc0gqmk4a1u2k60qed was not a replay
12:50:43.832 - DEBUG [org.opensaml.util.storage.ReplayCache:132] - Writing message ID cloud.etrs.terre.defense.gouv.fr85qrvu7c1kmg1tsc0gqmk4a1u2k60qed to replay cache with expiration time 2017-05-04T12:55:43.832+02:00
12:50:43.832 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:308] - Checking child metadata provider for entity descriptor with entity ID: cloud.etrs.terre.defense.gouv.fr
12:50:43.833 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching for entity descriptor with an entity ID of cloud.etrs.terre.defense.gouv.fr
12:50:43.833 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:250] - Metadata document did not contain a descriptor for entity cloud.etrs.terre.defense.gouv.fr
12:50:43.833 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:317] - Metadata document did not contain any role descriptors of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor for entity cloud.etrs.terre.defense.gouv.fr
12:50:43.833 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:286] - Metadata document does not contain a role of type {urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor supporting protocol urn:oasis:names:tc:SAML:2.0:protocol for entity cloud.etrs.terre.defense.gouv.fr


12:50:43.836 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:308] - Checking child metadata provider for entity descriptor with entity ID: cloud.etrs.terre.defense.gouv.fr
12:50:43.836 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching for entity descriptor with an entity ID of cloud.etrs.terre.defense.gouv.fr
12:50:43.836 - INFO [org.opensaml.common.binding.security.SAMLProtocolMessageXMLSignatureSecurityPolicyRule:100] - SAML protocol message was not signed, skipping XML signature processing
12:50:43.837 - DEBUG [org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule:64] - Evaluating simple signature rule of type: org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule
12:50:43.837 - DEBUG [org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule:64] - Constructing signed content string from URL query string SAMLRequest=jVPLjtowFN33KyLvyatQphYJooxGHWnaQSTTRXeufWEsEjvc66R8fp0ENCxaptv4%2BDx8ThbLU10FHSBpazKWhDELwEirtNln7KV8mNyxZf5hQaKu0oavWvdqtnBsgVywIgJ0%2Ft7aGmprwAKw0xJetk8Ze3WuIR5FsrKtCsEhhQ4QIVSwA0MQ7m3bhTv0AA3GRaLRS2nrWhiV9WIFWRbcexlthBu8XRi1am7x%2BeOoQbvTFUTF6ttTGm1BaQTpoqJ4ZsGDRQlDjoztREXAgsf7jN3Njti1c5kc6n3iSMb7Y32YiqRND5%2FiIyiPoo0g0h283SNq4dGQE8ZlLI2T%2BSSeTeJpmcR8FvPpx3CefP7Jgg1aZ6WtvmgzvmuLhltBmrgRNRB3kvdWeRrG%2FNcIIv61LDeTzXNRDgSdVoDfPTpj7z0pC35c%2Bkz7Pn3DhvjY4G3t5myU5WPhfEiI1wy3CcRlEix%2Fz%2BUiupbILws7jwvUUJFfloOTC9a2bgRq6jPBSUh3dsivUevKy29hd2X3v93ehEkue2r%2FuV%2FAb4uqb9QvClSJwlBj0Y1x%2FuonP0f9R7i34%2Bu%2FK%2F8D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=svf6JoGtWy5nIQaE%2Fm6qjHAvV%2FJHU7l1KrXF8RftV3cxLhlh3tr8vyk0Dmb2ShPUu81KBx8mKpv6bmcIhOdi%2FkZ7gZIcTwYnFDnn2vT%2B9keBgA6LTWejAPHFG6Q4AtltYlpeDElaX9JgA1FNqhNLIA1zhM9m5Ycblb4Ld5VlYYdGZeCfMd3Jsjcri14ASenAz8vF5%2BmZC6f1QCiAqwvf1Vo5qPUormcKG174S8LVYa5U%2FyfwC60d5y6Ajba5OvuaB7M%2F vI0FVpfsX sXuR5NYw7Bcj8v49kSJw1CIU%2Fyzyd2UWJ6miXkQHnPtxrJjP8RCpGnERyrNZKzhukpr%2BOQ91%2B641Ujwv1%2FTT8SG1E91GZeJQBFMhc5wGglhuw4%2BRcY69rN1utX1cOH7YNFBjMiA27O5tq2FHp%2FOEg0ERdQniy%2FSUN6WLMGMXCZOCVesv3UAFfjhKbPaSDoOLNjNHuh6a%2FWpGF%2BXmYdLFY5m0Ic%2Bm3qSgnXe21u1frMAChloSwALR9xjoUzbAhCncDG8%2BQVuy%2Fpz4cwIXmCEHWeQ9dOUhv0eH4L73Iew3pqHfpsAJwqZW44QK9J1M5FFV3L4jqure1FnkiPuFemD5iaRmcYupjytnDurvq1M3ANkOT9sZw0g1WTrKlVJ8W%2F9LWlpOiB8mNRQOgKQV4ioe3gIdiUjfQQ%3D
12:50:43.837 - DEBUG [org.opensaml.saml2.binding.security.SAML2HTTPRedirectDeflateSignatureRule:71] - Constructed signed content string for HTTP-Redirect DEFLATE SAMLRequest=jVPLjtowFN33KyLvyatQphYJooxGHWnaQSTTRXeufWEsEjvc66R8fp0ENCxaptv4%2BDx8ThbLU10FHSBpazKWhDELwEirtNln7KV8mNyxZf5hQaKu0oavWvdqtnBsgVywIgJ0%2Ft7aGmprwAKw0xJetk8Ze3WuIR5FsrKtCsEhhQ4QIVSwA0MQ7m3bhTv0AA3GRaLRS2nrWhiV9WIFWRbcexlthBu8XRi1am7x%2BeOoQbvTFUTF6ttTGm1BaQTpoqJ4ZsGDRQlDjoztREXAgsf7jN3Njti1c5kc6n3iSMb7Y32YiqRND5%2FiIyiPoo0g0h283SNq4dGQE8ZlLI2T%2BSSeTeJpmcR8FvPpx3CefP7Jgg1aZ6WtvmgzvmuLhltBmrgRNRB3kvdWeRrG%2FNcIIv61LDeTzXNRDgSdVoDfPTpj7z0pC35c%2Bkz7Pn3DhvjY4G3t5myU5WPhfEiI1wy3CcRlEix%2Fz%2BUiupbILws7jwvUUJFfloOTC9a2bgRq6jPBSUh3dsivUevKy29hd2X3v93ehEkue2r%2FuV%2FAb4uqb9QvClSJwlBj0Y1x%2FuonP0f9R7i34%2Bu%2FK%2F8D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256
12:50:43.837 - DEBUG [org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule:126] - Attempting to validate SAML protocol message simple signature using context issuer: cloud.etrs.terre.defense.gouv.fr
12:50:43.837 - DEBUG [org.opensaml.security.MetadataCredentialResolver:167] - Forcing on-demand metadata provider refresh if necessary
12:50:43.838 - DEBUG [org.opensaml.security.MetadataCredentialResolver:215] - Attempting to retrieve credentials from cache using index: [cloud.etrs.terre.defense.gouv.fr,{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,SIGNING]
12:50:43.838 - DEBUG [org.opensaml.security.MetadataCredentialResolver:223] - Retrieved credentials from cache using index: [cloud.etrs.terre.defense.gouv.fr,{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,SIGNING]
12:50:43.838 - DEBUG [org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry:74] - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
12:50:43.839 - DEBUG [org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry:74] - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableUsageCredentialCriteria for criteria class org.opensaml.xml.security.criteria.UsageCriteria
12:50:43.839 - DEBUG [org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry:74] - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableKeyAlgorithmCredentialCriteria for criteria class org.opensaml.xml.security.criteria.KeyAlgorithmCriteria
12:50:43.839 - DEBUG [org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry:105] - Registry could not locate evaluable criteria for criteria class org.opensaml.security.MetadataCriteria
12:50:43.839 - DEBUG [org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine:159] - Attempting to verify signature using trusted credentials
12:50:43.839 - DEBUG [org.opensaml.xml.security.SigningUtil:241] - Verifying signature over input using public key of type RSA and JCA algorithm ID SHA256withRSA
12:50:43.842 - DEBUG [org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine:164] - Successfully verified signature using resolved trusted credential
12:50:43.842 - DEBUG [org.opensaml.xml.signature.impl.ChainingSignatureTrustEngine:81] - Signature was trusted by chain member: org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine
12:50:43.842 - DEBUG [org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule:192] - Simple signature validation (with no request-derived credentials) was successful
12:50:43.842 - INFO [org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule:130] - Validation of request simple signature succeeded
12:50:43.842 - INFO [org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule:132] - Authentication via request simple signature succeeded for context issuer entity ID cloud.etrs.terre.defense.gouv.fr
12:50:43.842 - DEBUG [org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule:64] - Evaluating simple signature rule of type: org.opensaml.saml2.binding.security.SAML2HTTPPostSimpleSignRule
12:50:43.843 - DEBUG [org.opensaml.common.binding.security.BaseSAMLSimpleSignatureSecurityPolicyRule:81] - Rule can not handle this request, skipping processing
12:50:43.843 - DEBUG [org.opensaml.ws.message.decoder.BaseMessageDecoder:85] - Successfully decoded message.
12:50:43.843 - DEBUG [org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder:191] - Checking SAML message intended destination endpoint against receiver endpoint
12:50:43.843 - DEBUG [org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder:210] - Intended message destination endpoint: https://idp.etrs.terre.defense.gouv.fr/idp/profile/SAML2/Redirect/SSO
12:50:43.843 - DEBUG [org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder:211] - Actual message receiver endpoint: https://idp.etrs.terre.defense.gouv.fr/idp/profile/SAML2/Redirect/SSO
12:50:43.844 - DEBUG [org.opensaml.common.binding.decoding.BaseSAMLMessageDecoder:219] - SAML message intended destination endpoint matched recipient endpoint
12:50:43.844 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:387] - Decoded request from relying party 'cloud.etrs.terre.defense.gouv.fr'
12:50:43.844 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking child metadata provider for entity descriptor with entity ID: cloud.etrs.terre.defense.gouv.fr
12:50:43.844 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching for entity descriptor with an entity ID of cloud.etrs.terre.defense.gouv.fr
12:50:43.844 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:167] - Metadata document does not contain an EntityDescriptor with the ID cloud.etrs.terre.defense.gouv.fr


12:50:43.849 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching for entity descriptor with an entity ID of cloud.etrs.terre.defense.gouv.fr
12:50:43.850 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:157] - No custom or group-based relying party configuration found for cloud.etrs.terre.defense.gouv.fr. Using default relying party configuration.
12:50:43.850 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:226] - Creating login context and transferring control to authentication engine
12:50:43.850 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:181] - Storing LoginContext to StorageService partition loginContexts, key 21082a8599b5ba28281416cfd7468ad128b893acaf51f88303c5fadd9ee0f77b
12:50:43.851 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:240] - Redirecting user to authentication engine at https://idp.etrs.terre.defense.gouv.fr:443/idp/AuthnEngine
12:50:43.855 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:209] - Processing incoming request
12:50:43.856 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:240] - Beginning user authentication process.
12:50:43.856 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:283] - Filtering configured LoginHandlers: {urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession=edu.internet2.middleware.shibboleth.idp.authn.provider.PreviousSessionLoginHandler@4fd79d84, urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified=edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler@54a66e0f, urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport=edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler@54a66e0f}
12:50:43.857 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:288] - Filtering possible login handlers by requested authentication methods: [urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport]
12:50:43.857 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:296] - Filtering out login handler for authentication urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified, it does not provide a requested authentication method
12:50:43.857 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:332] - Filtering out previous session login handler because there is no existing IdP session
12:50:43.857 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:464] - Selecting appropriate login handler from filtered set {urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport=edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler@54a66e0f}
12:50:43.857 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:497] - Authenticating user with login handler of type edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler
12:50:43.857 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler:66] - Redirecting to https://idp.etrs.terre.defense.gouv.fr:443/idp/Authn/RemoteUser
12:50:52.152 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserAuthServlet:73] - Remote user identified as fabrice.pollet returning control back to authentication engine
12:50:52.153 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:144] - Returning control to authentication engine
12:50:52.153 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:209] - Processing incoming request
12:50:52.153 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:514] - Completing user authentication process
12:50:52.153 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:585] - Validating authentication was performed successfully
12:50:52.154 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:696] - Updating session information for principal fabrice.pollet
12:50:52.154 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:700] - Creating shibboleth session for principal fabrice.pollet
12:50:52.154 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:815] - Adding IdP session cookie to HTTP response
12:50:52.155 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:715] - Recording authentication and service information in Shibboleth session for principal: fabrice.pollet
12:50:52.155 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:560] - User fabrice.pollet authenticated with method urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
12:50:52.155 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:161] - Returning control to profile handler
12:50:52.155 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:177] - Redirecting user to profile handler at https://idp.etrs.terre.defense.gouv.fr:443/idp/profile/SAML2/Redirect/SSO
12:50:52.160 - INFO [Shibboleth-Access:73] - 20170504T105052Z|172.16.96.7|idp.etrs.terre.defense.gouv.fr:443|/profile/SAML2/Redirect/SSO|
12:50:52.160 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:86] - shibboleth.HandlerManager: Looking up profile handler for request path: /SAML2/Redirect/SSO
12:50:52.160 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:97] - shibboleth.HandlerManager: Located profile handler of the following type for the request path: edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler
12:50:52.160 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:588] - Unbinding LoginContext
12:50:52.160 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:614] - Expiring LoginContext cookie
12:50:52.160 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:625] - Removed LoginContext, with key 21082a8599b5ba28281416cfd7468ad128b893acaf51f88303c5fadd9ee0f77b, from StorageService partition loginContexts
12:50:52.161 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:172] - Incoming request contains a login context and indicates principal was authenticated, processing second leg of request
12:50:52.161 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking child metadata provider for entity descriptor with entity ID: cloud.etrs.terre.defense.gouv.fr
12:50:52.161 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching for entity descriptor with an entity ID of cloud.etrs.terre.defense.gouv.fr
12:50:52.161 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:167] - Metadata document does not contain an EntityDescriptor with the ID cloud.etrs.terre.defense.gouv.fr
12:50:52.161 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking child metadata provider for entity descriptor with entity ID: cloud.etrs.terre.defense.gouv.fr


12:50:52.169 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:157] - No custom or group-based relying party configuration found for cloud.etrs.terre.defense.gouv.fr. Using default relying party configuration.
12:50:52.169 - DEBUG [org.opensaml.saml2.metadata.provider.ChainingMetadataProvider:253] - Checking child metadata provider for entity descriptor with entity ID: https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth
12:50:52.170 - DEBUG [org.opensaml.saml2.metadata.provider.AbstractMetadataProvider:520] - Searching for entity descriptor with an entity ID of https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth
12:50:52.170 - DEBUG [org.opensaml.saml2.binding.AuthnResponseEndpointSelector:99] - Filtering peer endpoints.  Supported peer endpoint bindings: [urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact]
12:50:52.171 - DEBUG [org.opensaml.saml2.binding.AuthnResponseEndpointSelector:114] - Removing endpoint https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso because its binding urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect is not supported
12:50:52.171 - DEBUG [org.opensaml.saml2.binding.AuthnResponseEndpointSelector:69] - Selecting endpoint by ACS URL 'https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso' and protocol binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' for request '85qrvu7c1kmg1tsc0gqmk4a1u2k60qed' from entity 'cloud.etrs.terre.defense.gouv.fr'
12:50:52.171 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:478] - Resolving attributes for principal 'fabrice.pollet' for SAML request from relying party 'cloud.etrs.terre.defense.gouv.fr'
12:50:52.171 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:119] - shibboleth.AttributeResolver resolving attributes for principal fabrice.pollet
12:50:52.171 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:275] - Specific attributes for principal fabrice.pollet were not requested, resolving all attributes.
12:50:52.172 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute uid for principal fabrice.pollet
12:50:52.172 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:354] - Resolving data connector myLDAP for principal fabrice.pollet
12:50:52.173 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:308] - Search filter: (uid=fabrice.pollet)


12:50:52.190 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute uid containing 1 values
12:50:52.190 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute email for principal fabrice.pollet
12:50:52.190 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute email containing 1 values
12:50:52.190 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute transientId for principal fabrice.pollet
12:50:52.191 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.TransientIdAttributeDefinition:97] - Building transient ID for request 85qrvu7c1kmg1tsc0gqmk4a1u2k60qed; outbound message issuer: https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth, inbound message issuer: cloud.etrs.terre.defense.gouv.fr, principal identifer: fabrice.pollet
12:50:52.191 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.TransientIdAttributeDefinition:115] - Created transient ID _fa7d6de2b4e946248d8f52c948470df6 for request 85qrvu7c1kmg1tsc0gqmk4a1u2k60qed
12:50:52.191 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute transientId containing 1 values
12:50:52.191 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute eduPersonScopedAffiliation for principal fabrice.pollet
12:50:52.191 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute eduPersonScopedAffiliation containing 1 values
12:50:52.191 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:473] - Attribute uid has 1 values after post-processing
12:50:52.192 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:473] - Attribute email has 1 values after post-processing
12:50:52.192 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:473] - Attribute transientId has 1 values after post-processing
12:50:52.192 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:473] - Attribute eduPersonScopedAffiliation has 1 values after post-processing
12:50:52.192 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:137] - shibboleth.AttributeResolver resolved, for principal fabrice.pollet, the attributes: [uid, email, transientId, eduPersonScopedAffiliation]
12:50:52.192 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:71] - shibboleth.AttributeFilterEngine filtering 4 attributes for principal fabrice.pollet
12:50:52.193 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:130] - Evaluating if filter policy releaseToAllRenaterSps is active for principal fabrice.pollet
12:50:52.193 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.match.saml.AbstractEntityGroupMatchFunctor:77] - Entity descriptor does not have a parent object, unable to check if entity is in group https://federation.renater.fr/
12:50:52.193 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:134] - Filter policy releaseToAllRenaterSps is not active for principal fabrice.pollet
12:50:52.193 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:130] - Evaluating if filter policy releaseToCocoEduGainSp is active for principal fabrice.pollet
12:50:52.193 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.match.saml.AbstractEntityGroupMatchFunctor:77] - Entity descriptor does not have a parent object, unable to check if entity is in group https://federation.renater.fr/edugain/
12:50:52.193 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.match.saml.AbstractEntityAttributeMatchFunctor:175] - Descriptor for cloud.etrs.terre.defense.gouv.fr does not contain any EntityAttributes
12:50:52.194 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:134] - Filter policy releaseToCocoEduGainSp is not active for principal fabrice.pollet
12:50:52.194 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:130] - Evaluating if filter policy releaseTransientIdToAnyone is active for principal fabrice.pollet
12:50:52.194 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:139] - Filter policy releaseTransientIdToAnyone is active for principal fabrice.pollet
12:50:52.194 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163] - Processing permit value rule for attribute transientId for principal fabrice.pollet
12:50:52.194 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:130] - Evaluating if filter policy releaseUidAndEmailToAnyone is active for principal fabrice.pollet
12:50:52.194 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:139] - Filter policy releaseUidAndEmailToAnyone is active for principal fabrice.pollet
12:50:52.195 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163] - Processing permit value rule for attribute uid for principal fabrice.pollet
12:50:52.195 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163] - Processing permit value rule for attribute email for principal fabrice.pollet
12:50:52.195 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:130] - Evaluating if filter policy cloud.etrs.terre.defense.gouv.fr is active for principal fabrice.pollet
12:50:52.195 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:139] - Filter policy cloud.etrs.terre.defense.gouv.fr is active for principal fabrice.pollet
12:50:52.195 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163] - Processing permit value rule for attribute uid for principal fabrice.pollet
12:50:52.196 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:130] - Evaluating if filter policy e5.onthehub.com is active for principal fabrice.pollet
12:50:52.196 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:134] - Filter policy e5.onthehub.com is not active for principal fabrice.pollet
12:50:52.196 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:109] - Attribute uid has 1 values after filtering
12:50:52.196 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:109] - Attribute email has 1 values after filtering
12:50:52.196 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:109] - Attribute transientId has 1 values after filtering
12:50:52.196 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:106] - Removing attribute from return set, no more values: eduPersonScopedAffiliation
12:50:52.197 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:114] - Filtered attributes for principal fabrice.pollet.  The following attributes remain: [uid, email, transientId]
12:50:52.197 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:505] - Creating attribute statement in response to SAML request '85qrvu7c1kmg1tsc0gqmk4a1u2k60qed' from relying party 'cloud.etrs.terre.defense.gouv.fr'
12:50:52.197 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:247] - Encoded attribute uid with encoder of type edu.internet2.middleware.shibboleth.common.attribute.encoding.provider.SAML2StringAttributeEncoder
12:50:52.197 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:247] - Encoded attribute email with encoder of type edu.internet2.middleware.shibboleth.common.attribute.encoding.provider.SAML2StringAttributeEncoder
12:50:52.198 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:263] - Attribute transientId was not encoded (filtered by query, or no SAML2AttributeEncoder attached).
12:50:52.198 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:527] - Filtering out potential name identifier attributes which can not be encoded by edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder
12:50:52.198 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:546] - Removing attribute uid, it can not be encoded via edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder
12:50:52.198 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:546] - Removing attribute email, it can not be encoded via edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder
12:50:52.198 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:541] - Retaining attribute transientId which may be encoded to via edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder
12:50:52.199 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:566] - Filtering out potential name identifier attributes which do not support one of the following formats: [urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, urn:oasis:names:tc:SAML:2.0:nameid-format:transient]
12:50:52.199 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:585] - Retaining attribute transientId which may be encoded as a name identifier of format urn:oasis:names:tc:SAML:2.0:nameid-format:transient
12:50:52.199 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:690] - Selecting attribute to be encoded as a name identifier by encoder of type edu.internet2.middleware.shibboleth.common.attribute.encoding.SAML2NameIDEncoder
12:50:52.199 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:717] - Selecting the first attribute that can be encoded in to a name identifier
12:50:52.199 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:501] - Name identifier for relying party 'cloud.etrs.terre.defense.gouv.fr' will be built from attribute 'transientId'
12:50:52.199 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:868] - Using attribute 'transientId' supporting NameID format 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' to create the NameID for relying party 'cloud.etrs.terre.defense.gouv.fr'
12:50:52.200 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:572] - Determining if SAML assertion to relying party 'cloud.etrs.terre.defense.gouv.fr' should be signed
12:50:52.200 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:653] - IdP relying party configuration 'default' indicates to sign assertions: true
12:50:52.200 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:583] - Determining signing credntial for assertion to relying party 'cloud.etrs.terre.defense.gouv.fr'
12:50:52.200 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:599] - Signing assertion to relying party cloud.etrs.terre.defense.gouv.fr
12:50:52.200 - DEBUG [org.opensaml.common.SAMLObjectHelper:56] - Examing signed object for content references with exclusive canonicalization transform
12:50:52.201 - DEBUG [org.opensaml.common.SAMLObjectHelper:70] - Saw exclusive transform, declaring non-visible namespaces on signed object
12:50:52.201 - DEBUG [org.opensaml.xml.signature.impl.SignatureMarshaller:100] - Starting to marshall {http://www.w3.org/2000/09/xmldsig#}Signature
12:50:52.201 - DEBUG [org.opensaml.xml.signature.impl.SignatureMarshaller:103] - Creating XMLSignature object
12:50:52.202 - DEBUG [org.opensaml.xml.signature.impl.SignatureMarshaller:113] - Adding content to XMLSignature.
12:50:52.202 - DEBUG [org.opensaml.common.impl.SAMLObjectContentReference:173] - Adding list of inclusive namespaces for signature exclusive canonicalization transform
12:50:52.202 - DEBUG [org.opensaml.xml.signature.impl.SignatureMarshaller:118] - Creating Signature DOM element
12:50:52.203 - DEBUG [org.opensaml.xml.signature.Signer:76] - Computing signature over XMLSignature object
12:50:52.214 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:274] - Attempting to encrypt assertion to relying party 'cloud.etrs.terre.defense.gouv.fr'
12:50:52.218 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:279] - Assertion to be encrypted is:
<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion ID="_3dcfe0e7bc0bd318d70314e0c6b38e0f"
    IssueInstant="2017-05-04T10:50:52.198Z" Version="2.0"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference URI="#_3dcfe0e7bc0bd318d70314e0c6b38e0f">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>YgpD3KMsgxt8+cXzdw1OP36tOws=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>Xs6CVhcA+bKej3xKo145EucCv6yRVbWsFvueVVSxIuYR/vKmdbx92c1f7HOiFrFwQ9wVRodd4OmgrHFoIXZITBPAVPs7k9XInnbBicUPmJoJBnxoY5hraCQdNlVSGr1upplJ3XCDvWWxvamNoDdr4t/Zpw6jkwPriV7fbHvyOt3+2idKhQQGXKvyMmQ921RnLtVaBoP/rlQFZOkZ1LBgHtTWPhdf4Z4CIEBoOuRF/+lPTkSvkl5MnGcHCtV32QCiuu6fy0lfmG3nk0crDjNUjVUP1xTFc7UJtje4wB06DHSj+xgfov5Et6JPx2GhSgxlHMfaLTyn/boCDb9I4HZB2A==</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>MIIDZTCCAk2gAwIBAgIUJ8+wj9VvvaWkYWc7Lv9ZrozEz5wwDQYJKoZIhvcNAQEFBQAwKTEnMCUG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</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject>
        <saml2:NameID
            Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth">_fa7d6de2b4e946248d8f52c948470df6</saml2:NameID>
        <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml2:SubjectConfirmationData Address="172.16.96.7"
                InResponseTo="85qrvu7c1kmg1tsc0gqmk4a1u2k60qed"
                NotOnOrAfter="2017-05-04T10:55:52.198Z" Recipient="https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso"/>
        </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2017-05-04T10:50:52.198Z" NotOnOrAfter="2017-05-04T10:55:52.198Z">
        <saml2:AudienceRestriction>
            <saml2:Audience>cloud.etrs.terre.defense.gouv.fr</saml2:Audience>
        </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2017-05-04T10:50:52.155Z" SessionIndex="_a61ad6be527397b4b7bdc9064a0b4957">
        <saml2:SubjectLocality Address="172.16.96.7"/>
        <saml2:AuthnContext>
            <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
        </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
        <saml2:Attribute FriendlyName="uid"
            Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">fabrice.pollet</saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute FriendlyName="mail"
            Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">fabrice.pollet@etrs.terre.defense.gouv.fr</saml2:AttributeValue>
        </saml2:Attribute>
    </saml2:AttributeStatement>
</saml2:Assertion>

12:50:52.221 - DEBUG [org.opensaml.security.MetadataCredentialResolver:167] - Forcing on-demand metadata provider refresh if necessary
12:50:52.221 - DEBUG [org.opensaml.security.MetadataCredentialResolver:215] - Attempting to retrieve credentials from cache using index: [cloud.etrs.terre.defense.gouv.fr,{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,ENCRYPTION]
12:50:52.222 - DEBUG [org.opensaml.security.MetadataCredentialResolver:223] - Retrieved credentials from cache using index: [cloud.etrs.terre.defense.gouv.fr,{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor,urn:oasis:names:tc:SAML:2.0:protocol,ENCRYPTION]
12:50:52.222 - DEBUG [org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry:74] - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableEntityIDCredentialCriteria for criteria class org.opensaml.xml.security.criteria.EntityIDCriteria
12:50:52.222 - DEBUG [org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry:74] - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableKeyAlgorithmCredentialCriteria for criteria class org.opensaml.xml.security.criteria.KeyAlgorithmCriteria
12:50:52.222 - DEBUG [org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry:74] - Registry located evaluable criteria class org.opensaml.xml.security.credential.criteria.EvaluableUsageCredentialCriteria for criteria class org.opensaml.xml.security.criteria.UsageCriteria
12:50:52.222 - DEBUG [org.opensaml.xml.security.credential.criteria.EvaluableCredentialCriteriaRegistry:105] - Registry could not locate evaluable criteria for criteria class org.opensaml.security.MetadataCriteria
12:50:52.223 - DEBUG [org.opensaml.xml.security.SecurityHelper:292] - Unable to determine length in bits of specified Key instance
12:50:52.223 - DEBUG [org.opensaml.xml.encryption.Encrypter:645] - Generating random symmetric data encryption key from algorithm URI: http://www.w3.org/2001/04/xmlenc#aes128-cbc
12:50:52.223 - DEBUG [org.opensaml.xml.encryption.Encrypter:429] - Encrypting XMLObject using algorithm URI http://www.w3.org/2001/04/xmlenc#aes128-cbc with content mode false
12:50:52.225 - DEBUG [org.opensaml.xml.encryption.Encrypter:330] - Encrypting encryption key with algorithm: http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p
12:50:52.234 - DEBUG [org.opensaml.xml.encryption.Encrypter:291] - Dynamically generating KeyInfo from Credential for EncryptedKey using generator: org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory$X509KeyInfoGenerator
12:50:52.235 - DEBUG [org.opensaml.saml2.encryption.Encrypter:423] - Placing EncryptedKey elements inline inside EncryptedData
12:50:52.235 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:331] - secondarily indexing user session by name identifier
12:50:52.237 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:796] - Encoding response to SAML request 85qrvu7c1kmg1tsc0gqmk4a1u2k60qed from relying party cloud.etrs.terre.defense.gouv.fr
12:50:52.237 - DEBUG [org.opensaml.ws.message.encoder.BaseMessageEncoder:49] - Beginning encode message to outbound transport of type: org.opensaml.ws.transport.http.HttpServletResponseAdapter
12:50:52.237 - DEBUG [org.opensaml.saml2.binding.encoding.HTTPPostEncoder:124] - Invoking Velocity template to create POST body
12:50:52.238 - DEBUG [org.opensaml.saml2.binding.encoding.HTTPPostEncoder:158] - Encoding action url of 'https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso' with encoded value 'https&#x3a;&#x2f;&#x2f;cloud.etrs.terre.defense.gouv.fr&#x2f;client&#x2f;api&#x3f;command&#x3d;samlSso'
12:50:52.238 - DEBUG [org.opensaml.saml2.binding.encoding.HTTPPostEncoder:162] - Marshalling and Base64 encoding SAML message
12:50:52.240 - DEBUG [org.opensaml.ws.message.encoder.BaseMessageEncoder:97] - Marshalling message
12:50:52.260 - DEBUG [PROTOCOL_MESSAGE:74] -
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response
    Destination="https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso"
    ID="_f554e0c08f61f5c6d18529e5b2f16884"
    InResponseTo="85qrvu7c1kmg1tsc0gqmk4a1u2k60qed"
    IssueInstant="2017-05-04T10:50:52.198Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth</saml2:Issuer>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </saml2p:Status>
    <saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <xenc:EncryptedData Id="_3ad94c1af74ab0a0a43cda26ce51a8ff"
            Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:EncryptionMethod
                Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <xenc:EncryptedKey
                    Id="_549b0b744e7bdde94d3f44a410a115c2" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                    <xenc:EncryptionMethod
                        Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                        <ds:DigestMethod
                            Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
                    </xenc:EncryptionMethod>
                    <ds:KeyInfo>
                        <ds:X509Data>
                            <ds:X509Certificate>MIIErzCCApcCBgFbR6o7sTANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBBcGFjaGVDbG91ZFN0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</ds:X509Certificate>
                        </ds:X509Data>
                    </ds:KeyInfo>
                    <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                        <xenc:CipherValue>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</xenc:CipherValue>
                    </xenc:CipherData>
                </xenc:EncryptedKey>
            </ds:KeyInfo>
            <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                <xenc:CipherValue>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 sPcR95XZ4 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 sxJ2I7Nji W7+plH3x+Jyig7q0CQ+nDDxsSqm440g3dD+qhgQG1jx7aFugsjiVa/ebTbPmpQLphWicbgv75RvELF4V1hRoiJ0wiopZkco56tXd3gwVI8zc/dJloPTRVX/ofSUmRz1Tqo0ctDAQ/3jWee0HRCkIYd7KhmOorVhfOsLxssyEa/F4QjZ5T4lhCTScGYCvTvDGzIBzjVmcf7lL7ouhw5bWx3SZcSGhCbLqMpbZx6/bviWyH92o4gf/lLYx5rqWKet1p74lGq9klYxxgDJLRNUGtm6FGOjFcJz389CA3u5I81GbpiQMRx8GGAT+2xO94P6p1UzTHRrHJm/4ytQXdhXgxnwFgddVNmK5pR3VxQJcYRvp7p/afrowbFeOl+6+N9LWEdN/at0zCUo5eUEFCa4AJpWqWxxY9SloV2oG5B+zDu4ev8qKJlNRfoS/w1eksPfOJjA2tNoCvYpHkyaBv8hXHUM5nr8n57oNoRBnpQEbUWx95bdcr2W/41GejApQ0/eWAN6B0/T4zdi7b7iJP9hIAzbQG5xqaupNUOzEGy8hD+wOvmjxMF9ZxKi1QY2BA5c1GzP44gAB08hhrLdFEJHsQvClpU2XtudZjuEHfHblFOmwj+UmRUHAAQ8q4IDmnwUozEevvLPFC9YF5GVl24+7l49rIjYD7bTc33xi2hf4ls2WNJx0lRoQ27LLVkKu8Np98GQ4VWXYPWC7cS5LdW/XQnbuMTB9mhIHoWTMB1HYGrUR529GefuMT90qD5QKKqdI3zMb9xTF3/claM+Xi+kYhp6PBp5D0YlXcmRmtpJoieZi0VuaedMW8P4MJn+GM4O1VBaBvOfP/SYPJ3Jxz7pQR/Qa4RT1I70UbhE79jQ0+l18eh8mArCargPwmyquv1WWe55WEoYIwcTVP6uTq/2yZGtLs1jtKhOM+6UMqJFDZid73uVWwBC5I1C/OJv3AZvn582kUh1DevutngVng9gzw9UXxN6OUu ypPNCrZMU 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 9UBytP6ak 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 /EpdQ6ZR9 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 CVLzAiHds CJNoY5QvH1RjJY/x0bV8p6OskEPhkkUH8mM59jXHPUafEm/PqMApDrt0tCGN33p6oS95dqfHgx780VS0+QLq/kwLcxwJhLZn1+ptA/NZgl2gUhXHt5IoFwfoSnOa5B5V5jQ/9mXsGXbFty6MNBoQiJcSTYzAB2KFjhgiUY4SHwf4k+FGBZxPWLQSJRlBcPvw1VWOj1UZYDbtTR3bqUj1AJzoRsFAqvnQxqGHpCI/BHzcQySXWpEbR+/cgh9BSj5Ld8ruX51n2+1FKvtDJq/Vy6XJ0Jw3u138gdmfX45KqumPd+Kw4ubp7jv+o3BHtxLsouLCjBL0JKk4Ms+8AFqAW/46I=</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </saml2:EncryptedAssertion>
</saml2p:Response>

12:50:52.262 - DEBUG [org.opensaml.ws.message.encoder.BaseMessageEncoder:56] - Successfully encoded message.
12:50:52.262 - INFO [Shibboleth-Audit:1028] - 20170504T105052Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|85qrvu7c1kmg1tsc0gqmk4a1u2k60qed|cloud.etrs.terre.defense.gouv.fr|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_f554e0c08f61f5c6d18529e5b2f16884|fabrice.pollet|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid,email,transientId,|_fa7d6de2b4e946248d8f52c948470df6||



At the CloudStack SP the authentication failed:


2017-05-04 15:01:27,164 DEBUG [c.c.a.ApiServlet] (catalina-exec-8:ctx-70e81e62) (logid:2f838354) ===START===  172.16.96.7 -- POST  command=samlSso
2017-05-04 15:01:27,164 DEBUG [c.c.a.ApiServlet] (catalina-exec-8:ctx-70e81e62) (logid:2f838354) Session cookie is marked secure!
2017-05-04 15:01:27,219 DEBUG [o.a.c.a.c.SAML2LoginAPIAuthenticatorCmd] (catalina-exec-8:ctx-70e81e62) (logid:2f838354) Received SAMLResponse in response to id=vf4gl2406lrritgfmqqif535ssf7f2ns
2017-05-04 15:01:27,222 DEBUG [c.c.a.ApiServlet] (catalina-exec-8:ctx-70e81e62) (logid:2f838354) Authentication failure: <?xml version="1.0" encoding="UTF-8"?><loginresponse cloud-stack-version="4.9.2.0"><errorcode>531</errorcode><errortext>Failed to find admin configured username attribute in the SAML Response. Please ask your administrator to check SAML user attribute name.</errortext></loginresponse>
2017-05-04 15:01:27,222 DEBUG [c.c.a.ApiServlet] (catalina-exec-8:ctx-70e81e62) (logid:2f838354) ===END===  172.16.96.7 -- POST  command=samlSso


Thank you again for your help.
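
The SP error 531 above ("Failed to find admin configured username attribute") is raised although the IdP released uid, email and transientId. In the assertion the IdP logged, "uid" appears only as the FriendlyName; the attribute's Name is the OID urn:oid:0.9.2342.19200300.100.1.1. The following Python script is an added example, not code from this thread, from CloudStack or from Shibboleth. It parses a constructed copy of that assertion (Signature element and encryption wrapper removed) and shows both the username lookup and the bearer-assertion checks an SP performs before accepting a login. It assumes that the CloudStack plugin compares saml2.user.attribute with Attribute/@Name only and ignores FriendlyName; that is my reading of the plugin source, so verify it against the 4.9.2.0 code you run. ACS_URL and SP_ENTITY_ID are the values from the configuration posted at the start of the thread. Also note that the IdP excerpt (request 85qrvu7c...) and the SP excerpt (id=vf4gl2406...) belong to different exchanges, so the two logs cannot be lined up one-to-one.

```python
# Added example (not code from the thread, CloudStack or Shibboleth): the checks
# an SP runs on a decrypted assertion, plus the username lookup.
# Assumption: CloudStack matches saml2.user.attribute against Attribute/@Name
# only, never @FriendlyName (my reading of the plugin; verify on 4.9.2.0).
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the assertion logged by the IdP above, minus Signature
# and with the EncryptedAssertion wrapper already removed.
SAMPLE_ASSERTION = """\
<saml2:Assertion ID="_3dcfe0e7bc0bd318d70314e0c6b38e0f" Version="2.0"
    IssueInstant="2017-05-04T10:50:52.198Z" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Issuer>https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_fa7d6de2b4e946248d8f52c948470df6</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData InResponseTo="85qrvu7c1kmg1tsc0gqmk4a1u2k60qed"
          NotOnOrAfter="2017-05-04T10:55:52.198Z"
          Recipient="https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2017-05-04T10:50:52.198Z" NotOnOrAfter="2017-05-04T10:55:52.198Z">
    <saml2:AudienceRestriction><saml2:Audience>cloud.etrs.terre.defense.gouv.fr</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement>
    <saml2:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1">
      <saml2:AttributeValue>fabrice.pollet</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3">
      <saml2:AttributeValue>fabrice.pollet@etrs.terre.defense.gouv.fr</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""

# From the saml2.sp.sso.url and saml2.sp.id settings posted in the thread.
ACS_URL = "https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso"
SP_ENTITY_ID = "cloud.etrs.terre.defense.gouv.fr"


def parse_time(stamp):
    """SAML timestamps are UTC ('Z'); return an aware datetime for comparison."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def attributes(assertion_xml):
    """(Name, FriendlyName, first value) for each attribute in the assertion."""
    root = ET.fromstring(assertion_xml)
    result = []
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        value = attr.find("saml2:AttributeValue", NS)
        result.append((attr.get("Name"), attr.get("FriendlyName"), None if value is None else value.text))
    return result


def username_for(assertion_xml, configured, match_friendly=False):
    """Resolve saml2.user.attribute. With match_friendly=False (the assumed
    CloudStack behaviour) 'uid' finds nothing, because the IdP encodes the
    attribute under its OID and puts 'uid' only in FriendlyName."""
    for name, friendly, value in attributes(assertion_xml):
        keys = [name.lower()] + ([(friendly or "").lower()] if match_friendly else [])
        if configured.lower() in keys:
            return value
    return None


def validate(assertion_xml, request_id, now, skew=timedelta(seconds=60)):
    """Bearer-assertion checks (run after signature verification and decryption).
    Returns the reasons to reject; an empty list means accept."""
    root = ET.fromstring(assertion_xml)
    problems = []
    cond = root.find("saml2:Conditions", NS)
    if cond is None:
        return ["no Conditions element"]
    if now + skew < parse_time(cond.get("NotBefore")):
        problems.append("not yet valid: NotBefore is in the future (SP clock behind the IdP?)")
    if now - skew >= parse_time(cond.get("NotOnOrAfter")):
        problems.append("expired: NotOnOrAfter has passed (SP clock ahead, or a replayed response?)")
    audiences = [a.text for a in cond.iterfind("saml2:AudienceRestriction/saml2:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        problems.append(f"Audience {audiences} does not name this SP ({SP_ENTITY_ID})")
    scd = root.find("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no bearer SubjectConfirmationData")
    else:
        if scd.get("Recipient") != ACS_URL:
            problems.append(f"Recipient {scd.get('Recipient')} is not this SP's ACS URL")
        if scd.get("InResponseTo") != request_id:
            problems.append(f"InResponseTo {scd.get('InResponseTo')} is not an AuthnRequest ID this SP issued")
    return problems
```

With this sample, username_for(SAMPLE_ASSERTION, "uid") returns None and username_for(SAMPLE_ASSERTION, "urn:oid:0.9.2342.19200300.100.1.1") returns "fabrice.pollet". If the Name-only assumption holds for your CloudStack build, the two ways out are to set saml2.user.attribute to urn:oid:0.9.2342.19200300.100.1.1 on the management server, or to change the SAML2String encoder for uid in the IdP's attribute-resolver.xml so that its name attribute is "uid" rather than the OID. The validity window in this assertion is five minutes (NotBefore to NotOnOrAfter), which is why the NTP advice in the reply below matters: an SP clock that is off by more than the tolerated skew rejects every otherwise valid assertion as expired or not yet valid, and a stale or mismatched InResponseTo is rejected the same way.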


On 03/05/2017 11:17, Rohit Yadav wrote:

Hi Fabrice,


Ensure that both SP and IdP server hosts have the same timezone/time settings. Consider setting up NTP on them etc.


Next, another reason it failed to log into CloudStack (even though I can see successful authentication at the IdP side) is that SP (cloudstack mgmt server) has incorrect IdP metadata or certificates to verify and decrypt the encrypted tokens in the saml2 response. Please verify this as well.


Regards.

rohit.yadav@shapeblue.com
www.shapeblue.com
@shapeblue




________________________________
From: Fabrice Pollet <fa...@etrs.terre.defense.gouv.fr>
Sent: 02 May 2017 17:44:58
To: Rohit Yadav; users@cloudstack.apache.org; fabrice.pollet@etrs.fr
Subject: Re: Shibboleth and CloudStack

Hello,

Thank you very much for your answer.

Maybe I misunderstood, because in my current configuration CloudStack refers to https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword without any modification, and that corresponds to the native authentication of my IdP.

I wanted CloudStack to return to https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser instead, which corresponds to my SSO-CAS.

So I followed your hack, but by replacing https://idp.etrs.terre.defense.gouv.fr/idp/profile/SAML2/Redirect/SSO with https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser in /etc/cloudstack/management/idp-metadata.xml.

This time CloudStack redirects correctly to my SSO-CAS, which is progress. Unfortunately, authentication does not succeed.

Here are the logs of the IdP at the time of the connection:


11:09:55.290 - INFO [Shibboleth-Access:73] - 20170502T090955Z|172.16.96.7|idp.etrs.terre.defense.gouv.fr:443|/profile/SAML2/Redirect/SSO|
11:09:55.378 - DEBUG [PROTOCOL_MESSAGE:74] -
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response
    Destination="https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso"
    ID="_3b1e03d6935882d3eb5d3f9242fb1426"
    InResponseTo="ni2j9u3i4d749ask9434jsgon0i9g7u2"
    IssueInstant="2017-05-02T09:09:55.320Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth</saml2:Issuer>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </saml2p:Status>
    <saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <xenc:EncryptedData Id="_61daeafb4f216c1e291b2130c8b56a35"
            Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:EncryptionMethod
                Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <xenc:EncryptedKey
                    Id="_bae1f2d4c0b08c4fa70aa7169117c880" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                    <xenc:EncryptionMethod
                        Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                        <ds:DigestMethod
                            Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
                    </xenc:EncryptionMethod>
                    <ds:KeyInfo>
                        <ds:X509Data>
                            <ds:X509Certificate>MIIErzCCApcCBgFbR6o7sTANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBBcGFjaGVDbG91ZFN0
YWNrMB4XDTE3MDQwNjA5MDYzMFoXDTIwMDQwNzA5MDYzMFowGzEZMBcGA1UEAxMQQXBhY2hlQ2xv
dWRTdGFjazCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALMN5Irps++bJ4S7SCATm3Ni
W+SYl75N/TbQXPHPrSWuZDRZOVVsgf6vCN/IAYsBUUD5Lej+aAhZra8SzI0RBtloIdx6xQHZTp3q
DbnvSW3pBIKb1m/KHpcvr6AFelUw82h13jYzp4QnPxragalY5g0do5UHeki+olHTgYu/TFiLAmrE
LxKFMOBKaZ+W4aYeootdCL1pXsFgRx/WXY2XS2e3wXxFXxRp9T35Mtuslz8eq8X5ipRyWiA+/1Q8
g3YjFengkP5w3xgSsTjF0HiBnP7g9OCu01M1M35vNxyoEvKgIT61Fm8VDuuxT9BWhKBKN5lZ1rSM
NCvsykdiSwXGo1NpKfG4iHeDUSZHsFIdwsthfK9Rs0VPCG+IcR93IYDGJOqX05tiI2WvN/T23W/T
kNPTDt8mZJh8HuiWAHij6OIb3DJxK2l2czxNq2OLJX27dHKQDf0LcNg9Cm8fzBLKkpyZlypuC1o2
60SY9XdkwLSbOhRkSWazFkW641EGv9QFUBs8AkPbos9DUVKA7ciHXPSIeiLEVdjbNMiuWJUmqF22
nefs99H7CvtMaSwSPGpMkYVljPGn+6M06EbNfxdd4quVVgnXOxXDJKV8E+1qCAT1nxQNkIZdoZZw
14RmoyCngV83eUf4mPjpux1IJhKJSOBnHFKCboMNcUgONSVRrRuLAgMBAAEwDQYJKoZIhvcNAQEL
BQADggIBABnJ2QT4s23RN0+v3F7H6ODuNcYMMl4JZN4VvDsAr2xBvRltMkmlcZgK5XRO47Gt1rdN
7fbm7xDsl0KblZ3PWHkBCuM0Zpw2nDx53AIkCk/lEw7sdAqAr1blgL56xTQLis43PLl7j4o+ZXFI
1Ny2eiyVRasffBQSlR4SoCN+mmXN4AygVxgR0zSlBKCV65CVX+5E8nKo1CrVzk4Pl3m6chKB+5J7
NvfvOvJAli1dsspjJd7SnyxJem4G0vC6t65Jzj+vFpBPsrj7VPa9YcrnDLOHy3Ljooad9agPkliY
JOvBRKkD8eoOMvoRSUg5f6VUAzO228UBcfS4OTZvkuKNyl2uYJ9pZFTEJ8zA+ikWZBUl4Ot6LYG3
smHsAxIpm7rubLVOF0GV8dhcMcDjDK5+7lLkaFRHTjZZeanISVBWbe3zc8P8gRdFZvi3CJalubPd
UQer2pUySILFJkfZx+5STf6cargpAEfnvWTvx1bRFqsh1NTOiWXJuL3QL3K9vPxhaIXgjmRFJVMb
y3Tt3ifMbqssaC7odRmKZx/bLyrgC6Uni+oJDkiDtyVD1oFtmnbQd8wZ6x25W+z6i0wtcDWLYoW0
HVpfDgXKwxuSNTdO1XYA48p98z6la+HXkhEML3EFU60+cxmvtfuu7JIOjSxWQw6dktxLKGZ+KPhB
2HWwtuca</ds:X509Certificate>
                        </ds:X509Data>
                    </ds:KeyInfo>
                    <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                        <xenc:CipherValue>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</xenc:CipherValue>
                    </xenc:CipherData>
                </xenc:EncryptedKey>
            </ds:KeyInfo>
            <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                <xenc:CipherValue>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 cnoeNIoQL c5IAM4PuCFk FhOQYVAI+ 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 mJQd/E0mo svNUHOJ13bV cR5qPFT2v 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 jvFXR4VmU VYA0nJ4VJzy CWnArSZJp 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 623fOxs7y 1EsyVyV0DIV RWXQODN9J 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 dCjPREKkn XMqFO+KAq+w 2kePK+OMi 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 5gDaM7xmm A7HE91vLD4X CT6W5obbS C5t9COUSU88UubAzXX+DjFtRL/e0E94/nfpKiFDsRlWJJwKIFybBqezGksdmU21VEh/Z7vzNRvlmAAsz6vepof4cNL4PkHOhn8BSnFI6wDZahPj9WzIZ7ePeUkz5NpTdYfqX6VcHzANAgiygeLx8EaT9dCaOPj3PEGU/QkCcFKFcY1l8LGGUUW8Rudje0MRarcRh+ms51nwuoCAB5Gr+73GYb+2Ir3DYQme3ym0zGfsqTl8gR707/lvdxgVP3ShqSwvD6tr0rgd1r5pG8BESQbak9bFdq6cNZpTLVQ3/AsOd7FBdlWlPCE6I9eU70NNQy3iKxJljVb//5xrcjEDa9ulQc=</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </saml2:EncryptedAssertion>
</saml2p:Response>

11:09:55.379 - INFO [Shibboleth-Audit:1028] - 20170502T090955Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|ni2j9u3i4d749ask9434jsgon0i9g7u2|cloud.etrs.terre.defense.gouv.fr|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_3b1e03d6935882d3eb5d3f9242fb1426|fabrice.pollet|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid,email,transientId,|_9d5c99cfc524cd833e5e19406c95538e||


Here are the CloudStack logs:


2017-05-02 10:10:10,732 DEBUG [c.c.a.ApiServlet] (catalina-exec-20:ctx-52243a80) (logid:f3e20c3e) ===START===  172.16.96.7 -- GET  command=samlSso&idpid=https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth&response=json
2017-05-02 10:10:10,732 DEBUG [c.c.a.ApiServlet] (catalina-exec-20:ctx-52243a80) (logid:f3e20c3e) Session cookie is marked secure!
2017-05-02 10:10:10,735 DEBUG [o.a.c.a.c.SAML2LoginAPIAuthenticatorCmd] (catalina-exec-20:ctx-52243a80) (logid:f3e20c3e) Sending SAMLRequest id=mdp1ikdn2elvck5uilfbs266ahop200v
2017-05-02 10:10:10,903 DEBUG [c.c.a.ApiServlet] (catalina-exec-20:ctx-52243a80) (logid:f3e20c3e) ===END===  172.16.96.7  -- GET  command=samlSso&idpid=https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth&response=json

Here is the error in the browser: https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso :


<loginresponse cloud-stack-version="4.9.2.0"><errorcode>531</errorcode><errortext>Received SAML response for a SSO request that we may not have made or has expired, please try logging in again</errortext></loginresponse>

Thank you again for your time.


On 28/04/2017 11:23, Rohit Yadav wrote:

Hi Fabrice,


I looked at the IdP XML; with the SAML2 plugin enabled/configured in CloudStack, when users click on login they will be redirected to https://idp.etrs.terre.defense.gouv.fr/idp/profile/SAML2/Redirect/SSO (with a SAML token). After this, I'm not sure how your setup/IdP should behave on handling the redirection or use of the REMOTE_USER environment variable.


A sort of hack you can try is to replace the SSO URL in your xml file (saved in /etc/cloudstack/management/) with https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword and see if that works for you.


Regards.

rohit.yadav@shapeblue.com
www.shapeblue.com
@shapeblue




________________________________
From: Fabrice Pollet <fa...@etrs.terre.defense.gouv.fr>
Sent: 27 April 2017 14:30:53
To: Rohit Yadav; users@cloudstack.apache.org; fabrice.pollet@etrs.fr
Subject: Re: Shibboleth and CloudStack

I tried your solution to save the IdP metadata in the file /etc/cloudstack/management/idp-metadata.xml and I found my IdP in the selection proposed by CloudStack. In any case it shows me the possibility of adding other IdPs and that is very good.

However, I come back to the same situation. My Cloud refers to the native authentication of my IdP instead of the SSO-CAS.

I specify that my IdP has been working since 2015 with the Federation RENATER and that its external services are well redirected to our SSO-CAS.

Maybe a REMOTE_USER environment variable problem between the SP and the IdP?


On 27/04/2017 09:10, Fabrice Pollet wrote:
Hello,

The IdP metadata can also be read at this public URL https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth.

The SP metadata is not public at the moment (see attached).

For me the redirection should be done towards https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser (SSO-CAS) instead of https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword.

My IdP server has the SP metadata (the "backingFile" is filled automatically).

I will try your workaround.

I would like to inform you and thank you in advance.

Regards,

On 26/04/2017 17:29, Rohit Yadav wrote:

Hi Fabrice,


I could not open the URLs (they are not public) so cannot verify the XML metadata.


The IdP metadata http://idp.etrs.terre.defense.gouv.fr:8080/idp/shibboleth will include a list of supported IdP server endpoints that support HTTP-Redirect (binding is set to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect) based single sign-on. The current SAML2 plugin only supports and works with the HTTP-Redirect binding.


If you can share the xml with me, I can verify the SSO URL. Likely, the URL https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword must be one of the allowed SSO http-redirect based endpoints.


You may try this workaround -- assuming your IdP server has the SP metadata (i.e. the xml that you get from "http://cloud.etrs.terre.defense.gouv.fr:8080/client/api?command=getSPMetadata") added/enabled; you can download and save the IdP metadata (make any URL modification that you want) to a file such as 'idp-metadata.xml' in /etc/cloudstack/management on the management server(s) and then in the global settings set 'saml2.idp.metadata.url' to the value 'idp-metadata.xml' (without the quotes). Then restart the mgmt server(s); they will read the metadata from this file location instead of the URL.


The SAML2 plugin also allows for multiple IdPs to be defined (for example, in the case of a federation it will retrieve and list all the available SSO sites; for example, search for the CAFe SAML federation).


Regards.

________________________________
From: Fabrice Pollet <fa...@etrs.terre.defense.gouv.fr>
Sent: 26 April 2017 17:31:46
To: users@cloudstack.apache.org
Subject: Shibboleth and CloudStack

Hello,

I'm trying to configure SAML2 SSO support to connect CloudStack 4.9.2.0
as a service provider (SP) to our own identity provider Shibboleth 2.4.4
(IdP - Authentication Service and Authorization based on XML).

I have completed the following CloudStack SAML2 settings:

saml2.append.idpdomain = false

saml2.default.idpid = néant

saml2.enabled = true

saml2.idp.metadata.url =
http://idp.etrs.terre.defense.gouv.fr:8080/idp/shibboleth

saml2.redirect.url = https://cloud.etrs.terre.defense.gouv.fr/client

saml2.sigalg = SHA256

saml2.sp.id = cloud.etrs.terre.defense.gouv.fr

saml2.sp.slo.url =
https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSlo

saml2.sp.sso.url =
https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso

saml2.user.attribute = uid


But the URL SSO-SAML2
https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso
returns me to the native authentication URL of our IdP
https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword
instead of the SSO-CAS delegation URL
https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser.


The meta data of my SP are listed in my IdP (from the configuration file
relying-party.xml):

<!-- ETRS CloudStack metadata -->

<metadata:MetadataProvider id="cloud.etrs.terre.defense.gouv.fr"
xsi:type="metadata:FileBackedHTTPMetadataProvider"

metadataURL="http://cloud.etrs.terre.defense.gouv.fr:8080/client/api?command=getSPMetadata"

backingFile="/opt/shibboleth-idp/metadata/main-sps-etrs-cloudstack-metadata.xml">

</metadata:MetadataProvider>

Thank you for your help.


--
IEF MINDEF POLLET Fabrice

TERRE/COMSIC/ETRS/DGF/BAF/ING-NEF/PFI-PEDA
COMSIC BP18 35998 RENNES 9 France

821 354 34 82 / 02 99 84 34 82
fabrice.pollet@etrs.fr (Internet)
fabrice-c.pollet@intradef.gouv.fr (Intradef)


rohit.yadav@shapeblue.com
www.shapeblue.com
@shapeblue




--
IEF MINDEF POLLET Fabrice

TERRE/COMSIC/ETRS/DGF/BAF/ING-NEF/PFI-PEDA
COMSIC BP18 35998 RENNES 9 France

821 354 34 82 / 02 99 84 34 82
fabrice.pollet@etrs.fr (Internet)
fabrice-c.pollet@intradef.gouv.fr (Intradef)

rohit.yadav@shapeblue.com 
www.shapeblue.com
53 Chandos Place, Covent Garden, London  WC2N 4HSUK
@shapeblue

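Rohit's advice in the quoted April 26 reply above, that the plugin works only with IdP endpoints bound to HTTP-Redirect and that a federation file may list many IdPs, is worth checking against the metadata before pointing saml2.idp.metadata.url at it. The Python below is an added example, not CloudStack or Shibboleth code: it parses a SAML2 metadata document, accepts either a single EntityDescriptor or a federation EntitiesDescriptor, and reports which IdPs expose an HTTP-Redirect SingleSignOnService. Both metadata documents in it are constructed; the first reuses the IdP entityID from the thread, the second uses fictitious example.org entities.

```python
"""List the SingleSignOnService endpoints advertised in SAML2 IdP metadata and
pick the HTTP-Redirect one, the binding the thread says the CloudStack 4.9 SAML2
plugin uses.  Added example, not CloudStack or Shibboleth code.  Both metadata
documents below are constructed: the first mirrors the IdP entityID from the
thread, the second is a small fictitious federation (EntitiesDescriptor)."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

SAMPLE_SINGLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.etrs.terre.defense.gouv.fr/idp/profile/SAML2/POST/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.etrs.terre.defense.gouv.fr/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# A constructed federation file: one IdP with a Redirect endpoint, one POST-only IdP, one plain SP.
SAMPLE_FEDERATION_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" Name="example-federation">
  <md:EntityDescriptor entityID="https://idp-a.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp-a.example.org/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp-post-only.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp-post-only.example.org/idp/profile/SAML2/POST/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-only.example.org/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def idp_sso_endpoints(metadata_xml):
    """Map each IdP entityID to its [(Binding, Location), ...] SSO endpoints.
    Accepts a single EntityDescriptor or an EntitiesDescriptor (federation);
    entities without an IDPSSODescriptor, i.e. plain SPs, are skipped."""
    root = ET.fromstring(metadata_xml)
    entity_tag = "{%s}EntityDescriptor" % MD
    entities = [root] if root.tag == entity_tag else root.iter(entity_tag)
    result = {}
    for entity in entities:
        idp = entity.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue
        result[entity.get("entityID")] = [
            (sso.get("Binding"), sso.get("Location"))
            for sso in idp.findall("md:SingleSignOnService", NS)]
    return result


def redirect_sso_url(endpoints):
    """The HTTP-Redirect Location among (Binding, Location) pairs, or None."""
    for binding, location in endpoints:
        if binding == HTTP_REDIRECT:
            return location
    return None


def usable_idps(metadata_xml):
    """entityID -> Redirect SSO URL; None marks an IdP the Redirect binding cannot reach."""
    return {eid: redirect_sso_url(eps)
            for eid, eps in idp_sso_endpoints(metadata_xml).items()}


def idps_without_redirect(metadata_xml):
    """entityIDs that the SP would list but that have no HTTP-Redirect endpoint."""
    return sorted(eid for eid, url in usable_idps(metadata_xml).items() if url is None)


if __name__ == "__main__":
    for eid, url in usable_idps(SAMPLE_FEDERATION_METADATA).items():
        print("%-45s %s" % (eid, url or "NO HTTP-Redirect endpoint"))
```

Run stand-alone it prints one line per IdP in the federation sample. The check only reads what the metadata declares; it cannot tell whether a hand-edited Location, as in the workaround tried later in the thread, actually serves the SAML2 Redirect SSO profile.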

Re: Shibboleth and CloudStack

Posted by Rohit Yadav <ro...@shapeblue.com>.
Hi Fabrice,


Ensure that both SP and IdP server hosts have the same timezone/time settings. Consider setting up NTP on them etc.


Next, another reason it failed to log into CloudStack (even though I can see successful authentication at the IdP side) is that the SP (CloudStack mgmt server) has incorrect IdP metadata or certificates to verify and decrypt the encrypted tokens in the SAML2 response. Please verify this as well.


Regards.

________________________________
From: Fabrice Pollet <fa...@etrs.terre.defense.gouv.fr>
Sent: 02 May 2017 17:44:58
To: Rohit Yadav; users@cloudstack.apache.org; fabrice.pollet@etrs.fr
Subject: Re: Shibboleth and CloudStack

Hello,

Thank you very much for your answer.

Maybe I misunderstood because in my current configuration, CloudStack refers to https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword without any modification and that corresponds to the native authentication of my IdP.

I wanted CloudStack to return to https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser which corresponds to my SSO-CAS.

So I followed your hack, but by replacing, in /etc/cloudstack/management/idp-metadata.xml, https://idp.etrs.terre.defense.gouv.fr/idp/profile/SAML2/Redirect/SSO with https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser.

This time CloudStack redirects correctly to my SSO-CAS, which is progress. Unfortunately, authentication does not succeed.

Here are the logs of the IdP at the time of the connection:


11:09:55.290 - INFO [Shibboleth-Access:73] - 20170502T090955Z|172.16.96.7|idp.etrs.terre.defense.gouv.fr:443|/profile/SAML2/Redirect/SSO|
11:09:55.378 - DEBUG [PROTOCOL_MESSAGE:74] -
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response
    Destination="https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso"
    ID="_3b1e03d6935882d3eb5d3f9242fb1426"
    InResponseTo="ni2j9u3i4d749ask9434jsgon0i9g7u2"
    IssueInstant="2017-05-02T09:09:55.320Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth</saml2:Issuer>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </saml2p:Status>
    <saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <xenc:EncryptedData Id="_61daeafb4f216c1e291b2130c8b56a35"
            Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:EncryptionMethod
                Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <xenc:EncryptedKey
                    Id="_bae1f2d4c0b08c4fa70aa7169117c880" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                    <xenc:EncryptionMethod
                        Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                        <ds:DigestMethod
                            Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
                    </xenc:EncryptionMethod>
                    <ds:KeyInfo>
                        <ds:X509Data>
                            <ds:X509Certificate>MIIErzCCApcCBgFbR6o7sTANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBBcGFjaGVDbG91ZFN0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</ds:X509Certificate>
                        </ds:X509Data>
                    </ds:KeyInfo>
                    <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                        <xenc:CipherValue>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</xenc:CipherValue>
                    </xenc:CipherData>
                </xenc:EncryptedKey>
            </ds:KeyInfo>
            <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                <xenc:CipherValue>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 FhOQYVAI+ 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 cR5qPFT2v 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 CWnArSZJp 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 RWXQODN9J 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 2kePK+OMi 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 CT6W5obbS C5t9COUSU88UubAzXX+DjFtRL/e0E94/nfpKiFDsRlWJJwKIFybBqezGksdmU21VEh/Z7vzNRvlmAAsz6vepof4cNL4PkHOhn8BSnFI6wDZahPj9WzIZ7ePeUkz5NpTdYfqX6VcHzANAgiygeLx8EaT9dCaOPj3PEGU/QkCcFKFcY1l8LGGUUW8Rudje0MRarcRh+ms51nwuoCAB5Gr+73GYb+2Ir3DYQme3ym0zGfsqTl8gR707/lvdxgVP3ShqSwvD6tr0rgd1r5pG8BESQbak9bFdq6cNZpTLVQ3/AsOd7FBdlWlPCE6I9eU70NNQy3iKxJljVb//5xrcjEDa9ulQc=</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </saml2:EncryptedAssertion>
</saml2p:Response>

11:09:55.379 - INFO [Shibboleth-Audit:1028] - 20170502T090955Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|ni2j9u3i4d749ask9434jsgon0i9g7u2|cloud.etrs.terre.defense.gouv.fr|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_3b1e03d6935882d3eb5d3f9242fb1426|fabrice.pollet|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid,email,transientId,|_9d5c99cfc524cd833e5e19406c95538e||


Here are the CloudStack logs:


2017-05-02 10:10:10,732 DEBUG [c.c.a.ApiServlet] (catalina-exec-20:ctx-52243a80) (logid:f3e20c3e) ===START===  172.16.96.7 -- GET  command=samlSso&idpid=https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth&response=json
2017-05-02 10:10:10,732 DEBUG [c.c.a.ApiServlet] (catalina-exec-20:ctx-52243a80) (logid:f3e20c3e) Session cookie is marked secure!
2017-05-02 10:10:10,735 DEBUG [o.a.c.a.c.SAML2LoginAPIAuthenticatorCmd] (catalina-exec-20:ctx-52243a80) (logid:f3e20c3e) Sending SAMLRequest id=mdp1ikdn2elvck5uilfbs266ahop200v
2017-05-02 10:10:10,903 DEBUG [c.c.a.ApiServlet] (catalina-exec-20:ctx-52243a80) (logid:f3e20c3e) ===END===  172.16.96.7  -- GET  command=samlSso&idpid=https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth&response=json

Here is the error in the browser: https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso :


<loginresponse cloud-stack-version="4.9.2.0"><errorcode>531</errorcode><errortext>Received SAML response for a SSO request that we may not have made or has expired, please try logging in again</errortext></loginresponse>

Thank you again for your time.


On 28/04/2017 11:23, Rohit Yadav wrote:

Hi Fabrice,


I looked at the IdP XML; with the SAML2 plugin enabled/configured in CloudStack, when users click on login they will be redirected to https://idp.etrs.terre.defense.gouv.fr/idp/profile/SAML2/Redirect/SSO (with a SAML token). After this, I'm not sure how your setup/IdP should behave on handling the redirection or use of the REMOTE_USER environment variable.


A sort of hack you can try is to replace the SSO URL in your xml file (saved in /etc/cloudstack/management/) with https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword and see if that works for you.


Regards.

rohit.yadav@shapeblue.com
www.shapeblue.com
@shapeblue




________________________________
From: Fabrice Pollet <fa...@etrs.terre.defense.gouv.fr>
Sent: 27 April 2017 14:30:53
To: Rohit Yadav; users@cloudstack.apache.org; fabrice.pollet@etrs.fr
Subject: Re: Shibboleth and CloudStack

I tried your solution to save the IdP metadata in the file /etc/cloudstack/management/idp-metadata.xml and I found my IdP in the selection proposed by CloudStack. In any case it shows me the possibility of adding other IdPs and that is very good.

However, I come back to the same situation. My Cloud refers to the native authentication of my IdP instead of the SSO-CAS.

I specify that my IdP has been working since 2015 with the Federation RENATER and that its external services are well redirected to our SSO-CAS.

Maybe a REMOTE_USER environment variable problem between the SP and the IdP?


On 27/04/2017 09:10, Fabrice Pollet wrote:
Hello,

The IdP metadata can also be read at this public URL https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth.

The SP metadata is not public at the moment (see attached).

For me the redirection should be done towards https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser (SSO-CAS) instead of https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword.

My IdP server has the SP metadata (the "backingFile" is filled automatically).

I will try your workaround.

I would like to inform you and thank you in advance.

Regards,

On 26/04/2017 17:29, Rohit Yadav wrote:

Hi Fabrice,


I could not open the URLs (they are not public) so cannot verify the XML metadata.


The IdP metadata http://idp.etrs.terre.defense.gouv.fr:8080/idp/shibboleth will include a list of supported IdP server endpoints that support HTTP-Redirect (binding is set to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect) based single sign-on. The current SAML2 plugin only supports and works with the HTTP-Redirect binding.


If you can share the xml with me, I can verify the SSO URL. Likely, the URL https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword must be one of the allowed SSO http-redirect based endpoints.


You may try this workaround -- assuming your IdP server has the SP metadata (i.e. the xml that you get from "http://cloud.etrs.terre.defense.gouv.fr:8080/client/api?command=getSPMetadata") added/enabled; you can download and save the IdP metadata (make any URL modification that you want) to a file such as 'idp-metadata.xml' in /etc/cloudstack/management on the management server(s) and then in the global settings set 'saml2.idp.metadata.url' to the value 'idp-metadata.xml' (without the quotes). Then restart the mgmt server(s); they will read the metadata from this file location instead of the URL.


The SAML2 plugin also allows for multiple IdPs to be defined (for example, in the case of a federation it will retrieve and list all the available SSO sites; for example, search for the CAFe SAML federation).


Regards.

________________________________
From: Fabrice Pollet <fa...@etrs.terre.defense.gouv.fr>
Sent: 26 April 2017 17:31:46
To: users@cloudstack.apache.org
Subject: Shibboleth and CloudStack

Hello,

I'm trying to configure SAML2 SSO support to connect CloudStack 4.9.2.0
as a service provider (SP) to our own identity provider Shibboleth 2.4.4
(IdP - Authentication Service and Authorization based on XML).

I have completed the following CloudStack SAML2 settings:

saml2.append.idpdomain = false

saml2.default.idpid = néant

saml2.enabled = true

saml2.idp.metadata.url =
http://idp.etrs.terre.defense.gouv.fr:8080/idp/shibboleth

saml2.redirect.url = https://cloud.etrs.terre.defense.gouv.fr/client

saml2.sigalg = SHA256

saml2.sp.id = cloud.etrs.terre.defense.gouv.fr

saml2.sp.slo.url =
https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSlo

saml2.sp.sso.url =
https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso

saml2.user.attribute = uid


But the URL SSO-SAML2
https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso
returns me to the native authentication URL of our IdP
https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword
instead of the SSO-CAS delegation URL
https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser.


The meta data of my SP are listed in my IdP (from the configuration file
relying-party.xml):

<!-- ETRS CloudStack metadata -->

<metadata:MetadataProvider id="cloud.etrs.terre.defense.gouv.fr"
xsi:type="metadata:FileBackedHTTPMetadataProvider"

metadataURL="http://cloud.etrs.terre.defense.gouv.fr:8080/client/api?command=getSPMetadata"

backingFile="/opt/shibboleth-idp/metadata/main-sps-etrs-cloudstack-metadata.xml">

</metadata:MetadataProvider>

Thank you for your help.


--
IEF MINDEF POLLET Fabrice

TERRE/COMSIC/ETRS/DGF/BAF/ING-NEF/PFI-PEDA
COMSIC BP18 35998 RENNES 9 France

821 354 34 82 / 02 99 84 34 82
fabrice.pollet@etrs.fr (Internet)
fabrice-c.pollet@intradef.gouv.fr (Intradef)


rohit.yadav@shapeblue.com
www.shapeblue.com
@shapeblue


rohit.yadav@shapeblue.com 
www.shapeblue.com
53 Chandos Place, Covent Garden, London  WC2N 4HSUK
@shapeblue

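Rohit's two pointers in the post above (clock agreement between the SP and IdP hosts, and correct IdP metadata/certificates on the SP) and CloudStack's error text in the quoted logs ("a SSO request that we may not have made or has expired") map onto the envelope checks an SP applies to a Response before it verifies the signature and decrypts the EncryptedAssertion. The Python below is an added example, not the CloudStack plugin's code: it applies those checks to a constructed Response that mirrors the one in the IdP log (same IDs, Destination, Issuer and IssueInstant, with the certificate and ciphertext replaced by a placeholder) and shows how an unknown InResponseTo, an expired request, or an SP clock an hour off each produce a distinct rejection. The skew window and request lifetime are assumptions chosen for the example.

```python
"""Envelope checks an SP applies to an inbound SAML2 Response before it verifies
the signature and decrypts the assertion.  Added example, not CloudStack's SAML2
plugin code.  SAMPLE_RESPONSE is constructed to mirror the Response in the thread
(same IDs, Destination, Issuer and IssueInstant); certificate and CipherValue
contents are replaced by a placeholder.  Skew and TTL values are assumptions."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Values taken from the thread: the SP's ACS URL, the IdP entityID, the request id.
ACS_URL = "https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso"
IDP_ENTITY_ID = "https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth"
REQUEST_ID = "ni2j9u3i4d749ask9434jsgon0i9g7u2"

SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso"
    ID="_3b1e03d6935882d3eb5d3f9242fb1426" InResponseTo="ni2j9u3i4d749ask9434jsgon0i9g7u2"
    IssueInstant="2017-05-02T09:09:55.320Z" Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth</saml2:Issuer>
    <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
    <saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
            Id="_61daeafb4f216c1e291b2130c8b56a35" Type="http://www.w3.org/2001/04/xmlenc#Element">
            <xenc:CipherData><xenc:CipherValue>PLACEHOLDER-CIPHERTEXT</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedData>
    </saml2:EncryptedAssertion>
</saml2p:Response>
"""


def utc(*parts):
    """Aware UTC datetime from (year, month, day, hour, minute, second)."""
    return datetime(*parts, tzinfo=timezone.utc)


def parse_instant(value):
    """Parse a SAML xs:dateTime in UTC ('...Z', optional fraction); None if malformed."""
    if not value or not value.endswith("Z"):
        return None
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def validate_response(xml_text, acs_url, idp_entity_id, outstanding, now,
                      max_skew=timedelta(minutes=5), request_ttl=timedelta(minutes=10)):
    """Return the problems found in the Response envelope ([] means it passed).
    `outstanding` maps AuthnRequest IDs this SP issued to their issue time; `now`
    is the SP's own clock.  Signature and decryption checks come after this."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["saml2p"]:
        return ["root element %s is not saml2p:Response" % root.tag]
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination %r is not this SP's ACS URL" % root.get("Destination"))
    issuer = root.findtext("saml2:Issuer", default="", namespaces=NS).strip()
    if issuer != idp_entity_id:
        problems.append("Issuer %r is not the configured IdP" % issuer)
    code = root.find("saml2p:Status/saml2p:StatusCode", NS)
    if code is None or code.get("Value") != STATUS_SUCCESS:
        problems.append("Status is not Success")
    # The two conditions behind CloudStack's error text: a request "we may not
    # have made" (unknown InResponseTo) or one that "has expired".
    rid = root.get("InResponseTo")
    issued_at = outstanding.get(rid)
    if issued_at is None:
        problems.append("InResponseTo %r is not a request this SP made" % rid)
    elif now - issued_at > request_ttl:
        problems.append("request %r has expired (issued %s ago)" % (rid, now - issued_at))
    # A clock difference between the SP and IdP hosts shows up here.
    instant = parse_instant(root.get("IssueInstant"))
    if instant is None:
        problems.append("IssueInstant missing or malformed")
    elif abs(now - instant) > max_skew:
        problems.append("IssueInstant %s is %s away from the SP clock %s"
                        % (instant.isoformat(), abs(now - instant), now.isoformat()))
    return problems


def demo():
    """The sample Response under four SP-side conditions; scenario -> problems."""
    sp_now = utc(2017, 5, 2, 9, 10, 5)  # SP clock agrees with the IdP's IssueInstant
    check = lambda issued, now: validate_response(
        SAMPLE_RESPONSE, ACS_URL, IDP_ENTITY_ID, issued, now)
    return {
        "in sync": check({REQUEST_ID: utc(2017, 5, 2, 9, 9, 40)}, sp_now),
        "sp clock one hour behind": check({REQUEST_ID: utc(2017, 5, 2, 8, 9, 40)}, utc(2017, 5, 2, 8, 10, 5)),
        "unknown request id": check({}, sp_now),
        "request expired": check({REQUEST_ID: utc(2017, 5, 2, 8, 50, 0)}, sp_now),
    }
```

The last two scenarios in demo() are the two conditions named in CloudStack's error message; the one-hour case is what a timezone mismatch between the hosts looks like from the SP side. Signature verification against the IdP certificate and decryption with the SP key are the next step and are outside this example.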

Re: Shibboleth and CloudStack

Posted by Fabrice Pollet <fa...@etrs.terre.defense.gouv.fr>.
Hello,


Thank you very much for your answer.

Maybe I misunderstood because in my current configuration, CloudStack
refers to https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword
without any modification and that corresponds to the native
authentication of my IdP.

I wanted CloudStack to return to
https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser which
corresponds to my SSO-CAS.

So I followed your hack, but by replacing, in
/etc/cloudstack/management/idp-metadata.xml,
https://idp.etrs.terre.defense.gouv.fr/idp/profile/SAML2/Redirect/SSO with
https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser.

This time CloudStack redirects correctly to my SSO-CAS, which is progress.
Unfortunately, authentication does not succeed.

Here are the logs of the IdP at the time of the connection:

11:09:55.290 - INFO [Shibboleth-Access:73] - 20170502T090955Z|172.16.96.7|idp.etrs.terre.defense.gouv.fr:443|/profile/SAML2/Redirect/SSO|
11:09:55.378 - DEBUG [PROTOCOL_MESSAGE:74] -
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response
    Destination="https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso"
    ID="_3b1e03d6935882d3eb5d3f9242fb1426"
    InResponseTo="ni2j9u3i4d749ask9434jsgon0i9g7u2"
    IssueInstant="2017-05-02T09:09:55.320Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer
        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth</saml2:Issuer>
    <saml2p:Status>
        <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </saml2p:Status>
    <saml2:EncryptedAssertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <xenc:EncryptedData Id="_61daeafb4f216c1e291b2130c8b56a35"
            Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:EncryptionMethod
                Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <xenc:EncryptedKey
                    Id="_bae1f2d4c0b08c4fa70aa7169117c880" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                    <xenc:EncryptionMethod
                        Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                        <ds:DigestMethod
                            Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
                    </xenc:EncryptionMethod>
                    <ds:KeyInfo>
                        <ds:X509Data>
                            <ds:X509Certificate>MIIErzCCApcCBgFbR6o7sTANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDExBBcGFjaGVDbG91ZFN0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</ds:X509Certificate>
                        </ds:X509Data>
                    </ds:KeyInfo>
                    <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                        <xenc:CipherValue>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</xenc:CipherValue>
                    </xenc:CipherData>
                </xenc:EncryptedKey>
            </ds:KeyInfo>
            <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:CipherValue>KXBwY7UOS1KcHaNefUMtdK/6Jlmm78KYhs62nxNAectfTT5Sw3l289hLgeaIZ0RRsO1XqQk+ew43mMm6QaWjvcEDGij2C+TEGl2maIkhxpW71ZeeMyP6dAW78/TDJBJfLUEbTR1jb+q7hfJDKgMdyGfQ9ErEdvQjbz8vRMYiq7fdkNzqVTpXzcc7KXbpGtSQqyJYetAGFPx2wsJreeHsQPvIJrI42ER8LOLyv/FnXi+w4YXrzL14e0Qhmyry07Z8B6gC3DA+C8pmDs9xn99nEfAC6xZctDeIzC0+KpGav9NfACfvqs+X2DleZGckzsSomDxssiv4ArAbTSV/dRlbBUWfIGBgwALVhrBDyuCkBXrYNYqm7QF6bKSmAOlKVYC+lqFdI8CLHH7QiEO2S1UHYNRSIjUPXtef1CXGWM2jhmPYc51VBxsrcoY0ei0/nx9WVLcN5OHxnb8dz5Lm5yJJRa16k+7/rYDi8KvGTQj6jTEkQFjoxr7VeDHHAEdt5D8/Xm0PuvAXGTEvOntlaLbXkMqFxBe9usAkFqf6CRm3Qin2O7dUuipWJVZE1f7gnZyGCV0woVgnSQ2vo5quz5ABveXzlsuypMkD/bwavgLYNQR9c4eIJDqcUlPC2zm5XM18mgdxxQpp90E3Kb29j1OGfDh6F35x2rYg3k1/jJeMlDlbANprwyw1eM+qGijDcdYNoJEMRF9Utpt1ePDSOhBBPyPiTg7lgBo0m/gBnHR26TTTDGMruCm7SSNrYJIf1KR6HFalEaUZn7kpSBINkyoCOOyW78L8pqy0+m1ZcCfsYBzHsSd8kXyavYESCGIB58oIzPFB7VK1SiKrWvZCRkXw0AZllfy3cntpGopCBopjivUxycsNHPTIp0sZDpkpRC9it3vGcJDIueuPoco1cdoM05gTLg2rNU7StPukDAwKZSRJ2RY0kNcnoeNIoQLc5IAM4PuCFkFhOQYVAI+dmIxc5F74uDctiONoNX6zVyp3OSZHiNoN/WrSkA7OsefciO+DaU1XLc87CSqvR8eOG41VjSlxpzkHBjUOiOtz52BKlFtuDLlKFX/5W6XQYNHp69PhYjuXd6vryvNWSPVgoVDJ5R10s+W2JvnQXlgD0MVlgJQs905+yi1fugYYYuA2P0NIEu3/Ky4U4CLxmGM3NIAkTWpjpFhHxv8il3x4TLPs2BB49gV1FOF3E5oXYg37bY1k0aeJA/DDxm2QXLP31Q4jdOAwdL5o6gIbeHV2g4WEUeMHg3zMfuL3jcJi/JA7A6MJEDyYCC32Z42DfUYgocmIwlOTs6y2ujxKqAWfKYC9n6bu5Wxj2zU8dZlmA7Os1UYZZbz9ZaRFMp3aN31/x1dasSP2yCoLpcjgiWsQDTBOn596V9OXmK14Z6K/+Ba51dfT3UWc4vTSb603AB0yNV4Y4vclSFxM47qPb2kU2qtgZyEOVKDy6OekNVW+az8+IitTH/f2Fk+HgM4Ro6MrCLkjbwvriL3NZmIcTm3eV3cGDf752fmDI/wYXc8tMXMcNQQo+S8Gf76rLy9TffWX4DvIPQkG4o278c1RRwl58+O1arAcsAvhMNGiwzHDVhTCrzVWebifphXBzOjDN3cNm4I0HC/nmiuWprQy7IAkNatmQIRa5AevmmFYNd5rSvptyxVPBLcCCWxXcgB8nAosQp2nsTsE01UTfptvEPDPwc3BPbc8S4I2o5hhE5LCDquDmi3o5VbBmEGoOlt8pcpvtF99ogvSYo9nXPjt8XMwxWyfR52ch4XbGqLXrSiQejGBwhMeIj02wdiEZU3jI7VyCvidZIbAfSwIFb7M0zke/zNK0rYLMqiRM/T6IeBCBd+a+F6afyokHEDO7jQsCAsQ+AtQwfAgCeoZO9X7Tn1gDKBBLMoIhAcXJaVvwIdd52DliYffnK906NaT64M+KBKGLESDyJJJ2mJQd/E0mosvNUHOJ13bVcR5qPFT2vp0hnodqi
4q8wEdv7jGlYt8qOpVgmNgMT9hBtuS3dDoQ0wRKao2XpXIAUjW/SbCEG4FwzlTZR6a9oMd3WoU3YQr5+nsGM6ryzW3vZzt3zkQqCiuwgd86MhVJ+N1HGOQr7ZUWUsd42BXXpWEfpDFWMtke4apztJwrYS9YnOpH6dOkCgu5uKelChsSMaov+Undj9ioejbd7pta9J2TYsO14cq6Hv+G++TjNfP5O4XcOU804xIRCRZwC/jIrbkJMQ9XKYPwjsrhwBo1eC3eXeUCFvmr4yOfVoEAKWp9Go59wIEC8fPFdU6UUNSUYDchZa9l7tS+N7iZu4fcVmye6m8uKqsBQww8Fbk1kS06K5/QXD1T14H5bzs6eR+QHEsRoqDxR1+WNYjZm+c1qTd5eu5f1N+tWkmXmn0ko34QUUOjwR7JRPum6WTizh57S/aCYxNjx2qPk2QYXIP1tNXGkOTc7qq/u3fc+KGN8wEsLwfbd2j0n1fAsWbxv6q/RBdgIzl142W+m4EEoHKrOhctI3VOi+xoEcoCF/AQuTsBm3617qfZcWRqFR0t0RVivCo9jutqXmkTdkIWbLW+elocN/lYNXRgOO+VtK8E39NQ2wbwYh2vCoqrNB61+MAketA/2UBblTBKnPe0ipYRV0isSQXoxVlRLfAAfqXES9DyRsCmu9vlnYxT0cyeHlgT8czCWypSRwxSX9V3tWxQVuXaktxIE5wU9VGOQzieP0z1EA5Plr5e2FbdtsS87eEC5yvYVLccEU4ni44HCGFqPUNHnMJtjGtqoSq56SBeBEy8WQVUB3PSckRnZE9F5/BYyACiSdw3E1EIB0algS/LuotpijriG2JODouCnFleVcraMdp2VweqDH3pxjRQbOdboyj7n2YuYR+RrDspwnjczmiiiL9+708PwZnGie+etvYTDFoKIHURQVLxid9mS87JBcpfzIXKPxSS89HdTk2jvFXR4VmUVYA0nJ4VJzyCWnArSZJpfvhyhuydFXAOhhE3tDqIJ120kXarGnaF1Yp2ZBZuX4UsV/jR1R6faqYTc7ynAzEnQ4zGj9d20O/4exiK9DRMGBaRYP4R6DRRDyKqC2Cqt2N2O4fcxYOfKeMNTmwHDBAU0tBlsZDCSHl/3Hr5eHdUXEH8D1AaF9rWvq3SI/aV0cSoyk7eIZ2AGzRs9lljHLoa6U65ichrz//1CueBDKc1pcomDTfAt1uSmeBe/cCNjhdpaB2dokgRUxNXGPENAtSYpoZrfBp/jjxUy83rdDVc5aW2qTnM9UQi3XJFv02jDIlTmIVI3+cDZQTHieExXCBgsAXMCcncEXY8Q2bDd1IUkDlTzUWf8lbr6YbDzmxYP2SFIXSjzAWRKIHKRGnLuETUw6FS9fpc4101VdkGVicv09RQsg3n1SHHmvmEH0HxxwZD4OgmSNKDmsfBLGaANEA0Ke+tDzIjQO2QjpLS9p7PsarE126WPvNHa1mNss0G22SI1s60xXYbcjFBXktT99m6ofIS36e4mLwH7F9NFWuKNqxofjoVtvcKcru3OeaChm+jl3ZcMEJPbQf8xBAvYWwGc3QJSpGw1NSbIO5sOeT/CjMjKux02nvFg0nBceRbTZ05cPjSErS2HwleXXEsicXgp9bcFf4oRGWNCVIvkItkUNijg/Rl9Y7xNv+ZVUCkN3DyOmg4GhzNnIFGDAPpqDXzx7uyLApSiWJe39VDq76muNOw0UQ7r6p7YUv7pGxJ7fjan8h97uBtdkZLHv4nOcZUFesMykAmy6cd1vIe41rujylDs+dTkYWsoIuLV71zqMGhufLyew7nSxX5kK+9wkPzxvF6o7HHXKOGr5oGVxV5/S6wmbZ4lGoUeRrYaYPIEnkhKDlikug6gXngK1Xrr7qd4pRLW2p2LRaYYk5wdlI3DucQuDbu1u6393Rv7AL0ZGVcQm2qWOMUiLT2V8VK4iy6lenFCX4zck623fOxs7y1EsyVyV0DIVRWXQODN9JHzVXQfBOrO
                </xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </saml2:EncryptedAssertion>
</saml2p:Response>

11:09:55.379 - INFO [Shibboleth-Audit:1028] -
20170502T090955Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|ni2j9u3i4d749ask9434jsgon0i9g7u2|cloud.etrs.terre.defense.gouv.fr|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_3b1e03d6935882d3eb5d3f9242fb1426|fabrice.pollet|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid,email,transientId,|_9d5c99cfc524cd833e5e19406c95538e||


Here are the CloudStack logs:

2017-05-02 10:10:10,732 DEBUG [c.c.a.ApiServlet]
(catalina-exec-20:ctx-52243a80) (logid:f3e20c3e) ===START=== 
172.16.96.7 -- GET 
command=samlSso&idpid=https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth&response=json
2017-05-02 10:10:10,732 DEBUG [c.c.a.ApiServlet]
(catalina-exec-20:ctx-52243a80) (logid:f3e20c3e) Session cookie is
marked secure!
2017-05-02 10:10:10,735 DEBUG [o.a.c.a.c.SAML2LoginAPIAuthenticatorCmd]
(catalina-exec-20:ctx-52243a80) (logid:f3e20c3e) Sending SAMLRequest
id=mdp1ikdn2elvck5uilfbs266ahop200v
2017-05-02 10:10:10,903 DEBUG [c.c.a.ApiServlet]
(catalina-exec-20:ctx-52243a80) (logid:f3e20c3e) ===END===  172.16.96.7 
-- GET 
command=samlSso&idpid=https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth&response=json



Here is the error in the browser:
https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso :

<loginresponse
cloud-stack-version="4.9.2.0"><errorcode>531</errorcode><errortext>Received
SAML response for a SSO request that we may not have made or has
expired, please try logging in again</errortext></loginresponse>


Thank you again for your time.



On 28/04/2017 11:23, Rohit Yadav wrote:
>
> Hi Fabrice,
>
>
> I looked at the IdP XML; with the SAML2 plugin enabled/configured in
> CloudStack, when users click on login they will be redirected
> to https://idp.etrs.terre.defense.gouv.fr/idp/profile/SAML2/Redirect/SSO (with
> a SAML token). After this, I'm not sure how your setup/IdP should
> behave on handling the redirection or use of the REMOTE_USER
> environment variable.
>
>
> A sort of a hack you can try is to replace the SSO URL in your xml
> file (saved in /etc/cloudstack/management/)
> to https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword and
> see if that works for you.
>
>
> Regards.
>
> rohit.yadav@shapeblue.com 
> www.shapeblue.com
> @shapeblue
>   
>
>   
>
> ------------------------------------------------------------------------
> *From:* Fabrice Pollet <fa...@etrs.terre.defense.gouv.fr>
> *Sent:* 27 April 2017 14:30:53
> *To:* Rohit Yadav; users@cloudstack.apache.org; fabrice.pollet@etrs.fr
> *Subject:* Re: Shibboleth and CloudStack
>  
> I tried your solution to save the IdP metadata in file
> /etc/cloudstack/management/idp-metadata.xml and I found my IdP in the
> selection proposed by CloudStack. In any case it shows me the
> possibility of adding other IdPs and that is very good.
>
> However, I come back to the same situation. My Cloud refers to the
> native authentication of my IdP instead of the SSO-CAS.
>
> I specify that my IdP has been working since 2015 with the Federation
> RENATER and that its external services are well redirected to our SSO-CAS.
>
> Maybe a REMOTE_USER environment variable problem between the SP and
> the IdP?
>
>
> On 27/04/2017 09:10, Fabrice Pollet wrote:
>> Hello,
>>
>> The IdP metadata can also be read at this public URL
>> https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth.
>>
>> The SP metadata is not public at the moment (see attached).
>>
>> For me the redirection should be done towards
>> https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser (SSO-CAS)
>> instead of https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword.
>>
>> My IdP server has the SP metadata (the "backingFile" is filled
>> automatically).
>>
>> I will try your workaround.
>>
>> I would like to inform you and thank you in advance.
>>
>> Regards,
>>
>> On 26/04/2017 17:29, Rohit Yadav wrote:
>>>
>>> Hi Fabrice,
>>>
>>>
>>> I could not open the URLs (they are not public) so cannot verify the
>>> XML metadata.
>>>
>>>
>>> The IdP
>>> metadata http://idp.etrs.terre.defense.gouv.fr:8080/idp/shibboleth will
>>> include a list of supported IdP server endpoints that support
>>> http-redirect (binding is set
>>> to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect) based
>>> single sign-on. The current SAML2 plugin only supports and works
>>> with the HTTP-Redirect binding.
>>>
>>>
>>> If you can share the xml with me, I can verify the SSO URL. Likely,
>>> the
>>> URL https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword must
>>> be one of the allowed SSO http-redirect based endpoints.
>>>
>>>
>>> You may try this workaround -- assuming your IdP server has the SP
>>> metadata (i.e. the xml that you get
>>> from "http://cloud.etrs.terre.defense.gouv.fr:8080/client/api?command=getSPMetadata")
>>> added/enabled; you can download and save the IdP metadata (make any
>>> URL modification that you want) to a file such as
>>> 'idp-metadata.xml' in /etc/cloudstack/management on the management
>>> server(s) and then in the global settings set
>>> 'saml2.idp.metadata.url' to the value 'idp-metadata.xml' (without
>>> the quotes). Then restart the mgmt server(s); it will read the
>>> metadata from this file location instead of the URL.
>>>
>>>
>>> The SAML2 plugin also allows multiple IdPs to be defined (for example,
>>> in the case of a federation it will retrieve and list all the available
>>> SSO sites; for example, search for the CAFe SAML federation).
>>>
>>>
>>> Regards.
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Fabrice Pollet <fa...@etrs.terre.defense.gouv.fr>
>>> *Sent:* 26 April 2017 17:31:46
>>> *To:* users@cloudstack.apache.org
>>> *Subject:* Shibboleth and CloudStack
>>>  
>>> Hello,
>>>
>>> I'm trying to configure SAML2 SSO support to connect CloudStack 4.9.2.0
>>> as a service provider (SP) to our own identity provider Shibboleth 2.4.4
>>> (IdP - Authentication Service and Authorization based on XML).
>>>
>>> I have completed the following CloudStack SAML2 settings:
>>>
>>> saml2.append.idpdomain = false
>>>
>>> saml2.default.idpid = néant
>>>
>>> saml2.enabled = true
>>>
>>> saml2.idp.metadata.url =
>>> http://idp.etrs.terre.defense.gouv.fr:8080/idp/shibboleth
>>>
>>> saml2.redirect.url = https://cloud.etrs.terre.defense.gouv.fr/client
>>>
>>> saml2.sigalg = SHA256
>>>
>>> saml2.sp.id = cloud.etrs.terre.defense.gouv.fr
>>>
>>> saml2.sp.slo.url =
>>> https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSlo
>>>
>>> saml2.sp.sso.url =
>>> https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso
>>>
>>> saml2.user.attribute = uid
>>>
>>>
>>> But the URL SSO-SAML2
>>> https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso
>>> returns me to the native authentication URL of our IdP
>>> https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword
>>> instead of the SSO-CAS delegation URL
>>> https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser.
>>>
>>>
>>> The metadata of my SP is listed in my IdP (from the configuration file
>>> relying-party.xml):
>>>
>>> <!-- ETRS CloudStack metadata -->
>>>
>>> <metadata:MetadataProvider id="cloud.etrs.terre.defense.gouv.fr"
>>> xsi:type="metadata:FileBackedHTTPMetadataProvider"
>>>
>>> metadataURL="http://cloud.etrs.terre.defense.gouv.fr:8080/client/api?command=getSPMetadata"
>>>
>>> backingFile="/opt/shibboleth-idp/metadata/main-sps-etrs-cloudstack-metadata.xml">
>>>
>>> </metadata:MetadataProvider>
>>>
>>> Thank you for your help.
>>>
>>>
>>> -- 
>>> IEF MINDEF POLLET Fabrice
>>>
>>> TERRE/COMSIC/ETRS/DGF/BAF/ING-NEF/PFI-PEDA
>>> COMSIC BP18 35998 RENNES 9 France
>>>
>>> 821 354 34 82 / 02 99 84 34 82
>>> fabrice.pollet@etrs.fr (Internet)
>>> fabrice-c.pollet@intradef.gouv.fr (Intradef)
>>>
>>> rohit.yadav@shapeblue.com 
>>> www.shapeblue.com
>>> @shapeblue
>>>
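
Error 531 above says the SP received a Response for "a SSO request that we may not have made or has expired": the SP keeps the IDs of the AuthnRequests it issued and accepts a Response only if its InResponseTo matches one that is still live. The block below is an added example written for this thread, not CloudStack or Shibboleth code: it implements that bookkeeping and a small correlator that matches the management server's "Sending SAMLRequest id=" lines against the IdP's Shibboleth-Audit entries; the audit column names and all sample IDs, hosts and log lines are constructed.

```python
"""Added example for this thread (not CloudStack or Shibboleth code): the request-ID
bookkeeping behind error 531 and a log correlator. All IDs, hosts and logs are constructed."""
import re
import time
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
# Column order of the pipe-separated Shibboleth IdP 2.x audit log, as in the thread's
# Shibboleth-Audit line; the column names are ours.
AUDIT_FIELDS = ("time", "request_binding", "request_id", "relying_party", "profile",
                "asserting_party", "response_binding", "response_id", "principal",
                "authn_method", "attributes", "name_id")
SP_REQUEST_RE = re.compile(r"Sending SAMLRequest id=(\S+)")  # management-server log


def correlate_request_ids(sp_log_lines, audit_lines):
    """Pair the AuthnRequest IDs the SP logged with the IdP audit entries.
    Returns (matched: request ID -> principal, unknown: audit request IDs this SP
    never sent; a Response to one of those is exactly what error 531 rejects)."""
    sent = {m.group(1) for m in map(SP_REQUEST_RE.search, sp_log_lines) if m}
    matched, unknown = {}, set()
    for line in audit_lines:
        entry = dict(zip(AUDIT_FIELDS, line.strip().split("|")))
        rid = entry.get("request_id", "")
        if rid in sent:
            matched[rid] = entry.get("principal", "")
        else:
            unknown.add(rid)
    return matched, unknown


class SsoRequestTracker:
    """Remembers the AuthnRequest IDs this SP issued, each with an expiry."""

    def __init__(self, ttl_seconds=300, clock=time.time):
        self.ttl, self.clock = ttl_seconds, clock
        self._issued = {}  # request ID -> issue time in seconds

    def issue(self, request_id):
        # Record a request just before redirecting the browser to the IdP.
        self._issued[request_id] = self.clock()

    def check_response(self, response_xml):
        """Classify a samlp:Response by InResponseTo: "ok", "unsolicited" (none, i.e.
        IdP-initiated), "unknown" (never issued here, or already consumed: a valid ID
        is used once, so replaying the same Response fails) or "expired"."""
        root = ET.fromstring(response_xml)
        if root.tag != "{%s}Response" % SAMLP_NS:
            raise ValueError("not a samlp:Response")
        rid = root.get("InResponseTo")
        if rid is None:
            return "unsolicited"
        issued_at = self._issued.pop(rid, None)
        if issued_at is None:
            return "unknown"
        if self.clock() - issued_at > self.ttl:
            return "expired"
        return "ok"


def response_xml(in_response_to=None):
    """Minimal constructed samlp:Response envelope (assertion omitted)."""
    attr = ' InResponseTo="%s"' % in_response_to if in_response_to else ""
    return ('<saml2p:Response xmlns:saml2p="%s" ID="_r1" Version="2.0" '
            'IssueInstant="2017-05-02T09:10:11Z"%s/>' % (SAMLP_NS, attr))


def audit_line(request_id, principal):
    """Constructed audit line in AUDIT_FIELDS order (values abbreviated)."""
    return "|".join(["20170502T091011Z", "HTTP-Redirect", request_id, "sp.example",
                     "saml2:sso", "https://idp.example/idp", "HTTP-POST", "_resp1",
                     principal, "PasswordProtected", "uid,email,", "_nameid1", ""])


def demo():
    """Run both helpers over constructed input; returns a dict of results."""
    sp_log = ["2017-05-02 10:10:10,735 DEBUG [o.a.c.a.c.SAML2LoginAPIAuthenticatorCmd] "
              "(catalina-exec-20:ctx-1) Sending SAMLRequest id=req_aaa"]
    audit = [audit_line("req_aaa", "alice"), audit_line("req_zzz", "bob")]
    r = dict(zip(("matched", "unknown"), correlate_request_ids(sp_log, audit)))
    now = [1000.0]  # fake clock keeps the run deterministic
    tracker = SsoRequestTracker(ttl_seconds=300, clock=lambda: now[0])
    tracker.issue("req_aaa")
    r["fresh"] = tracker.check_response(response_xml("req_aaa"))
    r["replay"] = tracker.check_response(response_xml("req_aaa"))
    r["never_sent"] = tracker.check_response(response_xml("req_zzz"))
    r["idp_initiated"] = tracker.check_response(response_xml())
    tracker.issue("req_bbb")
    now[0] += 301  # IdP login page left open past the request lifetime
    r["stale"] = tracker.check_response(response_xml("req_bbb"))
    return r


if __name__ == "__main__":
    print(demo())
```

When the IdP audit log shows a request ID that never appears in the management server's "Sending SAMLRequest id=" lines, the Response was answering a request this SP did not issue (another server, a stale tab, or an expired entry), which is the condition the error text describes.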


Re: Shibboleth and CloudStack

Posted by Rohit Yadav <ro...@shapeblue.com>.
Hi Fabrice,


I looked at the IdP XML; with the SAML2 plugin enabled/configured in CloudStack, when users click on login they will be redirected to https://idp.etrs.terre.defense.gouv.fr/idp/profile/SAML2/Redirect/SSO (with a SAML token). After this, I'm not sure how your setup/IdP should behave on handling the redirection or use of the REMOTE_USER environment variable.


A sort of a hack you can try is to replace the SSO URL in your xml file (saved in /etc/cloudstack/management/) to https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword and see if that works for you.


Regards.

________________________________
From: Fabrice Pollet <fa...@etrs.terre.defense.gouv.fr>
Sent: 27 April 2017 14:30:53
To: Rohit Yadav; users@cloudstack.apache.org; fabrice.pollet@etrs.fr
Subject: Re: Shibboleth and CloudStack

I tried your solution to save the IdP metadata in file /etc/cloudstack/management/idp-metadata.xml and I found my IdP in the selection proposed by CloudStack. In any case it shows me the possibility of adding other IdPs and that is very good.

However, I come back to the same situation. My Cloud refers to the native authentication of my IdP instead of the SSO-CAS.

I specify that my IdP has been working since 2015 with the Federation RENATER and that its external services are well redirected to our SSO-CAS.

Maybe a REMOTE_USER environment variable problem between the SP and the IdP?


On 27/04/2017 09:10, Fabrice Pollet wrote:
Hello,

The IdP metadata can also be read at this public URL https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth.

The SP metadata is not public at the moment (see attached).

For me the redirection should be done towards https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser (SSO-CAS) instead of https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword.

My IdP server has the SP metadata (the "backingFile" is filled automatically).

I will try your workaround.

I would like to inform you and thank you in advance.

Regards,

On 26/04/2017 17:29, Rohit Yadav wrote:

Hi Fabrice,


I could not open the URLs (they are not public) so cannot verify the XML metadata.


The IdP metadata http://idp.etrs.terre.defense.gouv.fr:8080/idp/shibboleth will include a list of supported IdP server endpoints that support http-redirect (binding is set to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect) based single sign-on. The current SAML2 plugin only supports and works with the HTTP-Redirect binding.


If you can share the xml with me, I can verify the SSO URL. Likely, the URL https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword must be one of the allowed SSO http-redirect based endpoints.


You may try this workaround -- assuming your IdP server has the SP metadata (i.e. the xml that you get from "http://cloud.etrs.terre.defense.gouv.fr:8080/client/api?command=getSPMetadata") added/enabled; you can download and save the IdP metadata (make any URL modification that you want) to a file such as 'idp-metadata.xml' in /etc/cloudstack/management on the management server(s) and then in the global settings set 'saml2.idp.metadata.url' to the value 'idp-metadata.xml' (without the quotes). Then restart the mgmt server(s); it will read the metadata from this file location instead of the URL.


The SAML2 plugin also allows multiple IdPs to be defined (for example, in the case of a federation it will retrieve and list all the available SSO sites; for example, search for the CAFe SAML federation).


Regards.

________________________________
From: Fabrice Pollet <fa...@etrs.terre.defense.gouv.fr>
Sent: 26 April 2017 17:31:46
To: users@cloudstack.apache.org
Subject: Shibboleth and CloudStack

Hello,

I'm trying to configure SAML2 SSO support to connect CloudStack 4.9.2.0
as a service provider (SP) to our own identity provider Shibboleth 2.4.4
(IdP - Authentication Service and Authorization based on XML).

I have completed the following CloudStack SAML2 settings:

saml2.append.idpdomain = false

saml2.default.idpid = néant

saml2.enabled = true

saml2.idp.metadata.url =
http://idp.etrs.terre.defense.gouv.fr:8080/idp/shibboleth

saml2.redirect.url = https://cloud.etrs.terre.defense.gouv.fr/client

saml2.sigalg = SHA256

saml2.sp.id = cloud.etrs.terre.defense.gouv.fr

saml2.sp.slo.url =
https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSlo

saml2.sp.sso.url =
https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso

saml2.user.attribute = uid


But the URL SSO-SAML2
https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso
returns me to the native authentication URL of our IdP
https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword
instead of the SSO-CAS delegation URL
https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser.


The metadata of my SP is listed in my IdP (from the configuration file
relying-party.xml):

<!-- ETRS CloudStack metadata -->

<metadata:MetadataProvider id="cloud.etrs.terre.defense.gouv.fr"
xsi:type="metadata:FileBackedHTTPMetadataProvider"

metadataURL="http://cloud.etrs.terre.defense.gouv.fr:8080/client/api?command=getSPMetadata"

backingFile="/opt/shibboleth-idp/metadata/main-sps-etrs-cloudstack-metadata.xml">

</metadata:MetadataProvider>

Thank you for your help.


--
IEF MINDEF POLLET Fabrice

TERRE/COMSIC/ETRS/DGF/BAF/ING-NEF/PFI-PEDA
COMSIC BP18 35998 RENNES 9 France

821 354 34 82 / 02 99 84 34 82
fabrice.pollet@etrs.fr (Internet)
fabrice-c.pollet@intradef.gouv.fr (Intradef)


rohit.yadav@shapeblue.com
www.shapeblue.com
@shapeblue


rohit.yadav@shapeblue.com 
www.shapeblue.com
53 Chandos Place, Covent Garden, London WC2N 4HS, UK
@shapeblue
  
 


Re: Shibboleth and CloudStack

Posted by Fabrice Pollet <fa...@etrs.terre.defense.gouv.fr>.
I tried your solution to save the IdP metadata in file
/etc/cloudstack/management/idp-metadata.xml and I found my IdP in the
selection proposed by CloudStack. In any case it shows me the
possibility of adding other IdPs and that is very good.

However, I come back to the same situation. My Cloud refers to the
native authentication of my IdP instead of the SSO-CAS.

I specify that my IdP has been working since 2015 with the Federation
RENATER and that its external services are well redirected to our SSO-CAS.

Maybe a REMOTE_USER environment variable problem between the SP and the IdP?


On 27/04/2017 09:10, Fabrice Pollet wrote:
> Hello,
>
> The IdP metadata can also be read at this public URL
> https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth.
>
> The SP metadata is not public at the moment (see attached).
>
> For me the redirection should be done towards
> https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser (SSO-CAS)
> instead of https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword.
>
> My IdP server has the SP metadata (the "backingFile" is filled
> automatically).
>
> I will try your workaround.
>
> I would like to inform you and thank you in advance.
>
> Regards,
>
> On 26/04/2017 17:29, Rohit Yadav wrote:
>>
>> Hi Fabrice,
>>
>>
>> I could not open the URLs (they are not public) so cannot verify the
>> XML metadata.
>>
>>
>> The IdP
>> metadata http://idp.etrs.terre.defense.gouv.fr:8080/idp/shibboleth will
>> include a list of supported IdP server endpoints that support
>> http-redirect (binding is set
>> to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect) based
>> single sign-on. The current SAML2 plugin only supports and works with
>> the HTTP-Redirect binding.
>>
>>
>> If you can share the xml with me, I can verify the SSO URL. Likely,
>> the
>> URL https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword must be
>> one of the allowed SSO http-redirect based endpoints.
>>
>>
>> You may try this workaround -- assuming your IdP server has the SP
>> metadata (i.e. the xml that you get
>> from "http://cloud.etrs.terre.defense.gouv.fr:8080/client/api?command=getSPMetadata")
>> added/enabled; you can download and save the IdP metadata (make any
>> URL modification that you want) to a file such as 'idp-metadata.xml'
>> in /etc/cloudstack/management on the management server(s) and then in
>> the global settings set 'saml2.idp.metadata.url' to the value
>> 'idp-metadata.xml' (without the quotes). Then restart the mgmt
>> server(s); it will read the metadata from this file location instead
>> of the URL.
>>
>>
>> The SAML2 plugin also allows multiple IdPs to be defined (for example,
>> in the case of a federation it will retrieve and list all the available
>> SSO sites; for example, search for the CAFe SAML federation).
>>
>>
>> Regards.
>>
>> ------------------------------------------------------------------------
>> *From:* Fabrice Pollet <fa...@etrs.terre.defense.gouv.fr>
>> *Sent:* 26 April 2017 17:31:46
>> *To:* users@cloudstack.apache.org
>> *Subject:* Shibboleth and CloudStack
>>  
>> Hello,
>>
>> I'm trying to configure SAML2 SSO support to connect CloudStack 4.9.2.0
>> as a service provider (SP) to our own identity provider Shibboleth 2.4.4
>> (IdP - Authentication Service and Authorization based on XML).
>>
>> I have completed the following CloudStack SAML2 settings:
>>
>> saml2.append.idpdomain = false
>>
>> saml2.default.idpid = néant
>>
>> saml2.enabled = true
>>
>> saml2.idp.metadata.url =
>> http://idp.etrs.terre.defense.gouv.fr:8080/idp/shibboleth
>>
>> saml2.redirect.url = https://cloud.etrs.terre.defense.gouv.fr/client
>>
>> saml2.sigalg = SHA256
>>
>> saml2.sp.id = cloud.etrs.terre.defense.gouv.fr
>>
>> saml2.sp.slo.url =
>> https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSlo
>>
>> saml2.sp.sso.url =
>> https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso
>>
>> saml2.user.attribute = uid
>>
>>
>> But the URL SSO-SAML2
>> https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso
>> returns me to the native authentication URL of our IdP
>> https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword
>> instead of the SSO-CAS delegation URL
>> https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser.
>>
>>
>> The metadata of my SP is listed in my IdP (from the configuration file
>> relying-party.xml):
>>
>> <!-- ETRS CloudStack metadata -->
>>
>> <metadata:MetadataProvider id="cloud.etrs.terre.defense.gouv.fr"
>> xsi:type="metadata:FileBackedHTTPMetadataProvider"
>>
>> metadataURL="http://cloud.etrs.terre.defense.gouv.fr:8080/client/api?command=getSPMetadata"
>>
>> backingFile="/opt/shibboleth-idp/metadata/main-sps-etrs-cloudstack-metadata.xml">
>>
>> </metadata:MetadataProvider>
>>
>> Thank you for your help.
>>
>>
>> -- 
>> IEF MINDEF POLLET Fabrice
>>
>> TERRE/COMSIC/ETRS/DGF/BAF/ING-NEF/PFI-PEDA
>> COMSIC BP18 35998 RENNES 9 France
>>
>> 821 354 34 82 / 02 99 84 34 82
>> fabrice.pollet@etrs.fr (Internet)
>> fabrice-c.pollet@intradef.gouv.fr (Intradef)
>>
>> rohit.yadav@shapeblue.com 
>> www.shapeblue.com
>> @shapeblue
>>


Re: Shibboleth and CloudStack

Posted by Fabrice Pollet <fa...@etrs.terre.defense.gouv.fr>.
Hello,

The IdP metadata can also be read at this public URL
https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth.

The SP metadata is not public at the moment (see attached).

For me the redirection should be done towards
https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser (SSO-CAS)
instead of https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword.

My IdP server has the SP metadata (the "backingFile" is filled
automatically).

I will try your workaround.

I would like to inform you and thank you in advance.

Regards,

On 26/04/2017 17:29, Rohit Yadav wrote:
>
> Hi Fabrice,
>
>
> I could not open the URLs (they are not public) so cannot verify the
> XML metadata.
>
>
> The IdP
> metadata http://idp.etrs.terre.defense.gouv.fr:8080/idp/shibboleth will include
> a list of supported IdP server endpoints that support http-redirect
> (binding is set to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect)
> based single sign-on. The current SAML2 plugin only supports and works
> with the HTTP-Redirect binding.
>
>
> If you can share the xml with me, I can verify the SSO URL. Likely,
> the
> URL https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword must
> be one of the allowed SSO http-redirect based endpoints.
>
>
> You may try this workaround -- assuming your IdP server has the SP
> metadata (i.e. the xml that you get
> from "http://cloud.etrs.terre.defense.gouv.fr:8080/client/api?command=getSPMetadata")
> added/enabled; you can download and save the IdP metadata (make any
> URL modification that you want) to a file such as 'idp-metadata.xml'
> in /etc/cloudstack/management on the management server(s) and then in
> the global settings set 'saml2.idp.metadata.url' to the value
> 'idp-metadata.xml' (without the quotes). Then restart the mgmt
> server(s); it will read the metadata from this file location instead
> of the URL.
>
>
> The SAML2 plugin also allows multiple IdPs to be defined (for example,
> in the case of a federation it will retrieve and list all the available
> SSO sites; for example, search for the CAFe SAML federation).
>
>
> Regards.
>
> ------------------------------------------------------------------------
> *From:* Fabrice Pollet <fa...@etrs.terre.defense.gouv.fr>
> *Sent:* 26 April 2017 17:31:46
> *To:* users@cloudstack.apache.org
> *Subject:* Shibboleth and CloudStack
>  
> Hello,
>
> I'm trying to configure SAML2 SSO support to connect CloudStack 4.9.2.0
> as a service provider (SP) to our own identity provider Shibboleth 2.4.4
> (IdP - Authentication Service and Authorization based on XML).
>
> I have completed the following CloudStack SAML2 settings:
>
> saml2.append.idpdomain = false
>
> saml2.default.idpid = néant
>
> saml2.enabled = true
>
> saml2.idp.metadata.url =
> http://idp.etrs.terre.defense.gouv.fr:8080/idp/shibboleth
>
> saml2.redirect.url = https://cloud.etrs.terre.defense.gouv.fr/client
>
> saml2.sigalg = SHA256
>
> saml2.sp.id = cloud.etrs.terre.defense.gouv.fr
>
> saml2.sp.slo.url =
> https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSlo
>
> saml2.sp.sso.url =
> https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso
>
> saml2.user.attribute = uid
>
>
> But the URL SSO-SAML2
> https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso
> returns me to the native authentication URL of our IdP
> https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword
> instead of the SSO-CAS delegation URL
> https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser.
>
>
> The metadata of my SP is listed in my IdP (from the configuration file
> relying-party.xml):
>
> <!-- ETRS CloudStack metadata -->
>
> <metadata:MetadataProvider id="cloud.etrs.terre.defense.gouv.fr"
> xsi:type="metadata:FileBackedHTTPMetadataProvider"
>
> metadataURL="http://cloud.etrs.terre.defense.gouv.fr:8080/client/api?command=getSPMetadata"
>
> backingFile="/opt/shibboleth-idp/metadata/main-sps-etrs-cloudstack-metadata.xml">
>
> </metadata:MetadataProvider>
>
> Thank you for your help.
>
>
> -- 
> IEF MINDEF POLLET Fabrice
>
> TERRE/COMSIC/ETRS/DGF/BAF/ING-NEF/PFI-PEDA
> COMSIC BP18 35998 RENNES 9 France
>
> 821 354 34 82 / 02 99 84 34 82
> fabrice.pollet@etrs.fr (Internet)
> fabrice-c.pollet@intradef.gouv.fr (Intradef)
>
> rohit.yadav@shapeblue.com 
> www.shapeblue.com
> @shapeblue
>

Re: Shibboleth and CloudStack

Posted by Rohit Yadav <ro...@shapeblue.com>.
Hi Fabrice,


I could not open the URLs (they are not public) so cannot verify the XML metadata.


The IdP metadata http://idp.etrs.terre.defense.gouv.fr:8080/idp/shibboleth will include a list of supported IdP server endpoints that support http-redirect (binding is set to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect) based single sign-on. The current SAML2 plugin only supports and works with the HTTP-Redirect binding.


If you can share the xml with me, I can verify the SSO URL. Likely, the URL https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword must be one of the allowed SSO http-redirect based endpoints.


You may try this workaround -- assuming your IdP server has the SP metadata (i.e. the xml that you get from "http://cloud.etrs.terre.defense.gouv.fr:8080/client/api?command=getSPMetadata") added/enabled; you can download and save the IdP metadata (make any URL modification that you want) to a file such as 'idp-metadata.xml' in /etc/cloudstack/management on the management server(s) and then in the global settings set 'saml2.idp.metadata.url' to the value 'idp-metadata.xml' (without the quotes). Then restart the mgmt server(s); it will read the metadata from this file location instead of the URL.


The SAML2 plugin also allows multiple IdPs to be defined (for example, in the case of a federation it will retrieve and list all the available SSO sites; for example, search for the CAFe SAML federation).


Regards.

________________________________
From: Fabrice Pollet <fa...@etrs.terre.defense.gouv.fr>
Sent: 26 April 2017 17:31:46
To: users@cloudstack.apache.org
Subject: Shibboleth and CloudStack

Hello,

I'm trying to configure SAML2 SSO support to connect CloudStack 4.9.2.0
as a service provider (SP) to our own identity provider Shibboleth 2.4.4
(IdP - Authentication Service and Authorization based on XML).

I have completed the following CloudStack SAML2 settings:

saml2.append.idpdomain = false

saml2.default.idpid = néant

saml2.enabled = true

saml2.idp.metadata.url =
http://idp.etrs.terre.defense.gouv.fr:8080/idp/shibboleth

saml2.redirect.url = https://cloud.etrs.terre.defense.gouv.fr/client

saml2.sigalg = SHA256

saml2.sp.id = cloud.etrs.terre.defense.gouv.fr

saml2.sp.slo.url =
https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSlo

saml2.sp.sso.url =
https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso

saml2.user.attribute = uid


But the URL SSO-SAML2
https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso
returns me to the native authentication URL of our IdP
https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword
instead of the SSO-CAS delegation URL
https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser.


The metadata of my SP is listed in my IdP (from the configuration file
relying-party.xml):

<!-- ETRS CloudStack metadata -->

<metadata:MetadataProvider id="cloud.etrs.terre.defense.gouv.fr"
xsi:type="metadata:FileBackedHTTPMetadataProvider"

metadataURL="http://cloud.etrs.terre.defense.gouv.fr:8080/client/api?command=getSPMetadata"

backingFile="/opt/shibboleth-idp/metadata/main-sps-etrs-cloudstack-metadata.xml">

</metadata:MetadataProvider>

Thank you for your help.


--
IEF MINDEF POLLET Fabrice

TERRE/COMSIC/ETRS/DGF/BAF/ING-NEF/PFI-PEDA
COMSIC BP18 35998 RENNES 9 France

821 354 34 82 / 02 99 84 34 82
fabrice.pollet@etrs.fr (Internet)
fabrice-c.pollet@intradef.gouv.fr (Intradef)


rohit.yadav@shapeblue.com 
www.shapeblue.com
53 Chandos Place, Covent Garden, London WC2N 4HS, UK
@shapeblue