Repository: cloudstack-docs-admin
Updated Branches:
  refs/heads/master 863e1f9a6 -> 802e0d3c5


accounts: document SAML authentication

This closes #19

Signed-off-by: Rohit Yadav <bhais...@apache.org>
Signed-off-by: Sebastien Goasguen <run...@gmail.com>


Project: http://git-wip-us.apache.org/repos/asf/cloudstack-docs-admin/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack-docs-admin/commit/802e0d3c
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack-docs-admin/tree/802e0d3c
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack-docs-admin/diff/802e0d3c

Branch: refs/heads/master
Commit: 802e0d3c53bbe1fae25e566085e932f2f06f9f3d
Parents: 863e1f9
Author: Rohit Yadav <bhais...@apache.org>
Authored: Mon Sep 8 15:02:25 2014 +0200
Committer: Sebastien Goasguen <run...@gmail.com>
Committed: Tue Sep 9 04:47:22 2014 -0400

----------------------------------------------------------------------
 source/accounts.rst | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack-docs-admin/blob/802e0d3c/source/accounts.rst
----------------------------------------------------------------------
diff --git a/source/accounts.rst b/source/accounts.rst
index 83d7329..468d07c 100644
--- a/source/accounts.rst
+++ b/source/accounts.rst
@@ -264,3 +264,44 @@ directly in cloudstack.
 
 
 .. |button to dedicate a zone, pod,cluster, or host| image:: 
_static/images/dedicate-resource-button.png
+
+Using a SAML 2.0 Identity Provider for User Authentication
+----------------------------------------------------------
+
+You can use a SAML 2.0 Identity Provider with CloudStack for user
+authentication. This will require enabling the SAML 2.0 service provider plugin
+in CloudStack. On successful authentication, CloudStack will use the persistent
+or emailAddress NameID from the SAML token to find an existing user or create
+a new user with this NameID and let the user log in to the CloudStack UI.
+
+First, enable the SAML plugin by setting ``saml2.enabled`` to ``true`` and
+restart management server. To start a SAML 2.0 Single Sign-On authentication,
+the user should call the ``samlsso`` API command which will redirect the user 
to
+IdP login page. Upon successful authentication, the IdP will redirect the user
+to CloudStack. To start a SAML 2.0 Single Log-Out, the user calls the
+``samlslo`` API command which globally logs out the user and return back to
+CloudStack UI login page. The CloudStack service provider metadata is 
accessible
+from the ``getSPMetadata`` API command.
+
+The following global configuration should be configured:
+
+-  ``saml2.enabled``: Set this to **true** to enable the SAML Plugin. Default 
is **false**.
+
+-  ``saml2.default.accountname``: Account name for creating new users. Default 
is **admin**.
+
+-  ``saml2.default.domainid``: Domain (UUID string) to use for creating new 
users. Default is **1** (root domain).
+
+-  ``saml2.redirect.url``: The CloudStack UI url the SSO should redirected to 
when successful. Default is **http://localhost:8080/client**.
+
+-  ``saml2.sp.id``: CloudStack service provider entity ID. Default is 
**org.apache.cloudstack**.
+
+-  ``saml2.sp.sso.url``: CloudStack service provider Single Sign-On URL. 
Default is **http://localhost:8080/client/api?command=samlsso**.
+
+-  ``saml2.sp.slo.url``: CloudStack service provider entity ID. Default is 
**http://localhost:8080/client/api?command=samlslo**.
+
+-  ``saml2.idp.id``: The Identity Provider entity ID string. Default is 
**https://openidp.feide.no**.
+
+-  ``saml2.idp.metadata.url``: Identity Provider Metadata XML Url. Default is 
**https://openidp.feide.no/simplesaml/saml2/idp/metadata.php**.
+
+-  ``saml2.timeout``: Timeout used for downloading and parsing IdP metadata in 
milliseconds. Default is **30000**.
+
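Review bot: the description of ``saml2.sp.slo.url`` in this hunk repeats the ``saml2.sp.id`` text ("CloudStack service provider entity ID"); given its default of ``http://localhost:8080/client/api?command=samlslo`` it should read "CloudStack service provider Single Log-Out URL", mirroring the ``saml2.sp.sso.url`` entry just above it. Two smaller points in the same list: ``saml2.redirect.url`` reads "the SSO should redirected to" and should be "the SSO should redirect to"; and because the introductory paragraph states that an unrecognised NameID causes a new user to be created, the ``saml2.default.accountname`` and ``saml2.idp.id`` entries deserve a sentence telling administrators to change the defaults (the **admin** account and the public **https://openidp.feide.no** test IdP) before enabling ``saml2.enabled`` on a production deployment, since with the defaults as documented any identity asserted by that IdP is provisioned into the admin account.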
