Hi Fabrice,

I could not open the URLs (they are not public), so I cannot verify the XML 
metadata.


The IdP metadata http://idp.etrs.terre.defense.gouv.fr:8080/idp/shibboleth will 
include a list of supported IdP server endpoints that support HTTP-Redirect 
(binding is set to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect) based 
single sign-on. The current SAML2 plugin only supports and works with the 
HTTP-Redirect binding.
</grreplace>
<gr_replace lines="19-27" cat="clarify" orig="You may try">
You may try this workaround -- assuming your IdP server has the SP metadata 
(i.e. the xml that you get from 
"http://cloud.etrs.terre.defense.gouv.fr:8080/client/api?command=getSPMetadata") 
added/enabled; you can download and save the IdP metadata (make any URL 
modification that you want) to a file such as 'idp-metadata.xml' in 
/etc/cloudstack/management on the management server(s) and then, in the global 
settings, set 'saml2.idp.metadata.url' to the value 'idp-metadata.xml' 
(without the quotes). Then restart the mgmt server(s); it will read the 
metadata from this file location instead of the URL.


If you can share the xml with me, I can verify the SSO URL. Likely, the URL 
https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword must be one of 
the allowed SSO http-redirect based endpoints.


You may try this workaround -- assuming your IdP server has the SP metadata 
(i.e. the xml that you get from 
"http://cloud.etrs.terre.defense.gouv.fr:8080/client/api?command=getSPMetadata";)
 added/enabled; you can download and save the IdP metadata (make any URL 
modification that you want) to be file such as 'idp-metadata.xml' in 
/etc/cloudstack/management on the management server(s) and then in the global 
setting set the 'saml2.idp.metadata.url' to the value  'idp-metadata.xml' 
(without the quotes). Then, restart the mgmt server(s), it will read the 
metadata from this file location instead of the URL.


The SAML2 plugin also allows multiple IdPs to be defined (for example, in case of 
a federation it will retrieve and list all the available SSO sites; for example, 
search for the CAFe SAML federation).


Regards.

________________________________
From: Fabrice Pollet <[email protected]>
Sent: 26 April 2017 17:31:46
To: [email protected]
Subject: Shibboleth and CloudStack

Hello,

I'm trying to configure SAML2 SSO support to connect CloudStack 4.9.2.0
as a service provider (SP) to our own identity provider Shibboleth 2.4.4
(IdP - Authentication Service and Authorization based on XML).

I have completed the following CloudStack SAML2 settings:

saml2.append.idpdomain = false

saml2.default.idpid = néant

saml2.enabled = true

saml2.idp.metadata.url =
http://idp.etrs.terre.defense.gouv.fr:8080/idp/shibboleth

saml2.redirect.url = https://cloud.etrs.terre.defense.gouv.fr/client

saml2.sigalg = SHA256

saml2.sp.id = cloud.etrs.terre.defense.gouv.fr

saml2.sp.slo.url =
https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSlo

saml2.sp.sso.url =
https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso

saml2.user.attribute = uid


But the URL SSO-SAML2
https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso
returns me to the native authentication URL of our IdP
https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword
instead of the SSO-CAS delegation URL
https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser.


The metadata of my SP is listed in my IdP (from the configuration file
relying-party.xml):

<!-- ETRS CloudStack metadata -->

<metadata:MetadataProvider id="cloud.etrs.terre.defense.gouv.fr"
xsi:type="metadata:FileBackedHTTPMetadataProvider"
metadataURL="http://cloud.etrs.terre.defense.gouv.fr:8080/client/api?command=getSPMetadata"
backingFile="/opt/shibboleth-idp/metadata/main-sps-etrs-cloudstack-metadata.xml">
</metadata:MetadataProvider>

Thank you for your help.


--
IEF MINDEF POLLET Fabrice

TERRE/COMSIC/ETRS/DGF/BAF/ING-NEF/PFI-PEDA
COMSIC BP18 35998 RENNES 9 France

821 354 34 82 / 02 99 84 34 82
[email protected] (Internet)
[email protected] (Intradef)


[email protected] 
www.shapeblue.com
53 Chandos Place, Covent Garden, London  WC2N 4HSUK
@shapeblue
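The reply above says the plugin will only use SingleSignOnService endpoints that the IdP metadata advertises with the HTTP-Redirect binding. The following is an added example, not code from the thread or from the CloudStack SAML2 plugin, that parses an IdP metadata document (a single EntityDescriptor or a federation EntitiesDescriptor) and checks whether a given SSO URL is actually one of the HTTP-Redirect endpoints; the embedded metadata and the idp.example.org URLs are constructed sample data, and the file name idp-metadata.xml follows the workaround in the reply.

```python
import sys
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample IdP metadata (not the real document from the thread).
SAMPLE_IDP_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="{MD_NS}" entityID="https://idp.example.org/idp/shibboleth">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
    <SingleSignOnService Binding="{HTTP_POST}"
        Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def sso_endpoints(metadata_xml):
    """Return (entityID, binding, location) for every SingleSignOnService.

    Works for a bare EntityDescriptor and for an EntitiesDescriptor that wraps
    many IdPs (the federation case mentioned in the reply)."""
    root = ET.fromstring(metadata_xml)
    found = []
    for entity in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        for sso in entity.iter(f"{{{MD_NS}}}SingleSignOnService"):
            found.append((entity.get("entityID"), sso.get("Binding"), sso.get("Location")))
    return found


def redirect_sso_urls(metadata_xml):
    """Only the endpoints the CloudStack SAML2 plugin can use (HTTP-Redirect)."""
    return [loc for _, binding, loc in sso_endpoints(metadata_xml) if binding == HTTP_REDIRECT]


def is_usable_sso_url(metadata_xml, url):
    """True only if url is advertised with the HTTP-Redirect binding."""
    return url in redirect_sso_urls(metadata_xml)


if __name__ == "__main__":
    # Usage: python check_idp_metadata.py /etc/cloudstack/management/idp-metadata.xml <sso-url>
    xml_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_IDP_METADATA
    for entity_id, binding, location in sso_endpoints(xml_text):
        print(f"{entity_id}\n  {binding}\n  {location}")
    if len(sys.argv) > 2:
        print("usable by plugin:", is_usable_sso_url(xml_text, sys.argv[2]))
```

An IdP login page such as /idp/Authn/UserPassword will not appear in this list at all; only the profile endpoints do, which is what the reply asks the poster to verify.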