Hello,

The IdP metadata can also be read at this public URL
https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth.

The SP metadata is not public at the moment (see attached).

In my view the redirect should go to
https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser (SSO-CAS)
instead of https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword.

My IdP server has the SP metadata (the "backingFile" is filled
automatically).

I will try your workaround.

I will keep you informed, and thank you in advance.

Regards,

On 26/04/2017 17:29, Rohit Yadav wrote:
>
> Hi Fabrice,
>
>
> I could not open the URLs (they are not public), so I cannot verify the
> XML metadata.
>
>
> The IdP
> metadata http://idp.etrs.terre.defense.gouv.fr:8080/idp/shibboleth will
> include a list of the supported IdP endpoints for HTTP-Redirect-based
> single sign-on (binding set to
> urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect). The current SAML2
> plugin only supports and works with the HTTP-Redirect binding.
>
>
> If you can share the XML with me, I can verify the SSO URL. Most likely,
> the
> URL https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword must
> be one of the allowed HTTP-Redirect-based SSO endpoints.
>
>
> You may try this workaround. Assuming your IdP server has the SP
> metadata (i.e. the XML that you get
> from
> "http://cloud.etrs.terre.defense.gouv.fr:8080/client/api?command=getSPMetadata")
> added/enabled: download the IdP metadata, make any URL modification
> that you want, and save it to a file such as 'idp-metadata.xml'
> in /etc/cloudstack/management on the management server(s). Then, in
> the global settings, set 'saml2.idp.metadata.url' to the value
> 'idp-metadata.xml' (without the quotes) and restart the management
> server(s); they will read the metadata from this file location instead
> of the URL.
>
>
> The SAML2 plugin also allows multiple IdPs to be defined (for example,
> in the case of a federation it will retrieve and list all the available
> SSO sites; search for the CAFe SAML federation for an example).
>
>
> Regards.
>
> ------------------------------------------------------------------------
> *From:* Fabrice Pollet <[email protected]>
> *Sent:* 26 April 2017 17:31:46
> *To:* [email protected]
> *Subject:* Shibboleth and CloudStack
>  
> Hello,
>
> I'm trying to configure SAML2 SSO support to connect CloudStack 4.9.2.0
> as a service provider (SP) to our own identity provider Shibboleth 2.4.4
> (IdP - Authentication Service and Authorization based on XML).
>
> I have completed the following CloudStack SAML2 settings:
>
> saml2.append.idpdomain = false
>
> saml2.default.idpid = (none)
>
> saml2.enabled = true
>
> saml2.idp.metadata.url =
> http://idp.etrs.terre.defense.gouv.fr:8080/idp/shibboleth
>
> saml2.redirect.url = https://cloud.etrs.terre.defense.gouv.fr/client
>
> saml2.sigalg = SHA256
>
> saml2.sp.id = cloud.etrs.terre.defense.gouv.fr
>
> saml2.sp.slo.url =
> https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSlo
>
> saml2.sp.sso.url =
> https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso
>
> saml2.user.attribute = uid
>
>
> But the URL SSO-SAML2
> https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso
> returns me to the native authentication URL of our IdP
> https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword
> instead of the SSO-CAS delegation URL
> https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser.
>
>
> The metadata of my SP is listed in my IdP (from the configuration file
> relying-party.xml):
>
> <!-- ETRS CloudStack metadata -->
> <metadata:MetadataProvider id="cloud.etrs.terre.defense.gouv.fr"
>     xsi:type="metadata:FileBackedHTTPMetadataProvider"
>     metadataURL="http://cloud.etrs.terre.defense.gouv.fr:8080/client/api?command=getSPMetadata"
>     backingFile="/opt/shibboleth-idp/metadata/main-sps-etrs-cloudstack-metadata.xml">
> </metadata:MetadataProvider>
>
> Thank you for your help.
>
>
> -- 
> IEF MINDEF POLLET Fabrice
>
> TERRE/COMSIC/ETRS/DGF/BAF/ING-NEF/PFI-PEDA
> COMSIC BP18 35998 RENNES 9 France
>
> 821 354 34 82 / 02 99 84 34 82
> [email protected] (Internet)
> [email protected] (Intradef)
>
> [email protected] 
> www.shapeblue.com
> @shapeblue
>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="cloud.etrs.terre.defense.gouv.fr">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>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</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>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</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSlo"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSlo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso" index="1" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso" index="2"/>
  </md:SPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="fr">ETRS CloudStack</md:OrganizationName>
    <md:OrganizationURL xml:lang="fr">https://cloud.etrs.terre.defense.gouv.fr</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical">
    <md:GivenName>Fabrice Pollet</md:GivenName>
    <md:EmailAddress>[email protected]</md:EmailAddress>
  </md:ContactPerson>
  <md:ContactPerson contactType="administrative">
    <md:GivenName>Fabrice Pollet</md:GivenName>
    <md:EmailAddress>[email protected]</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
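The workaround discussed in the thread (save a locally edited copy of the IdP metadata and point saml2.idp.metadata.url at it) is only safe to apply after checking two things in that file: that the IdP advertises a SingleSignOnService with the HTTP-Redirect binding, which is the only binding the CloudStack SAML2 plugin supports, and that the IdP's signing certificate is present, since that certificate is what the SP will use to verify assertions. The script below is an added example, not CloudStack or Shibboleth code. It parses an IdP EntityDescriptor, lists the SSO endpoints per binding, performs those two checks, and rewrites one SSO Location before writing the file. The embedded metadata is a constructed minimal sample: the hostname is from the thread, but the /idp/profile/SAML2/Redirect/SSO path and the certificate value are assumptions and placeholders, not the real IdP's metadata.

```python
"""Check and locally edit SAML 2.0 IdP metadata for the CloudStack SAML2 plugin.

Added example, not code from CloudStack or Shibboleth. The sample metadata is
constructed; only the hostname comes from the thread.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
# Keep the conventional prefixes when serialising the edited document.
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample IdP metadata (assumed paths, placeholder certificate).
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.etrs.terre.defense.gouv.fr/idp/profile/SAML2/POST/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.etrs.terre.defense.gouv.fr/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _root(xml_text: str) -> ET.Element:
    # Parse from bytes so the declared encoding is honoured.
    return ET.fromstring(xml_text.encode("utf-8"))


def sso_endpoints(xml_text: str) -> dict:
    """Map each SingleSignOnService Binding URN to its Location(s)."""
    endpoints = {}
    for sso in _root(xml_text).iter(f"{{{MD}}}SingleSignOnService"):
        endpoints.setdefault(sso.get("Binding"), []).append(sso.get("Location"))
    return endpoints


def supports_http_redirect(xml_text: str) -> bool:
    """The CloudStack SAML2 plugin only drives the HTTP-Redirect binding."""
    return HTTP_REDIRECT in sso_endpoints(xml_text)


def has_signing_key(xml_text: str) -> bool:
    """A KeyDescriptor with no 'use' attribute covers signing as well."""
    for kd in _root(xml_text).iter(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", {"ds": DS})
        if cert is not None and (cert.text or "").strip():
            return True
    return False


def rewrite_sso_location(xml_text: str, old: str, new: str) -> str:
    """Return a copy of the metadata with one SSO Location replaced."""
    root = _root(xml_text)
    changed = 0
    for sso in root.iter(f"{{{MD}}}SingleSignOnService"):
        if sso.get("Location") == old:
            sso.set("Location", new)
            changed += 1
    if changed == 0:
        raise ValueError(f"no SingleSignOnService with Location {old!r}")
    return ET.tostring(root, encoding="unicode")


def write_local_copy(xml_text: str, path: str) -> Path:
    """Write the checked metadata to the file saml2.idp.metadata.url will name."""
    if not supports_http_redirect(xml_text):
        raise ValueError("IdP metadata has no HTTP-Redirect SingleSignOnService")
    if not has_signing_key(xml_text):
        raise ValueError("IdP metadata has no signing certificate; assertions could not be verified")
    target = Path(path)
    target.write_text(xml_text, encoding="utf-8")
    target.chmod(0o640)  # the file is now the SP's trust anchor for the IdP
    return target


if __name__ == "__main__":
    import tempfile
    print(sso_endpoints(SAMPLE_IDP_METADATA))
    edited = rewrite_sso_location(
        SAMPLE_IDP_METADATA,
        "https://idp.etrs.terre.defense.gouv.fr/idp/profile/SAML2/Redirect/SSO",
        "https://idp.example.test/idp/profile/SAML2/Redirect/SSO",
    )
    with tempfile.TemporaryDirectory() as tmp:
        # In production the path would be /etc/cloudstack/management/idp-metadata.xml
        print("wrote", write_local_copy(edited, f"{tmp}/idp-metadata.xml"))
```

Whatever Location you write into the local copy must be an endpoint the IdP actually serves with the HTTP-Redirect binding, otherwise the AuthnRequest will land on a URL that does not speak SAML. Because the local file replaces the live metadata URL, it also freezes the IdP signing certificate the SP trusts: obtain it over TLS rather than the plain http://...:8080 URL used in the thread, keep it readable only by the management server, and refresh it whenever the IdP rotates keys.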
