Hi Fabrice,

I looked at the IdP XML. With the SAML2 plugin enabled and configured in CloudStack, 
when users click on login they will be redirected to 
https://idp.etrs.terre.defense.gouv.fr/idp/profile/SAML2/Redirect/SSO (with a 
SAML token). After this, I'm not sure how your setup/IdP should behave in 
handling the redirection or the use of the REMOTE_USER environment variable.


A sort of hack you can try is to replace the SSO URL in your XML file (saved 
in /etc/cloudstack/management/) with 
https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword and see if that 
works for you.


Regards.

________________________________
From: Fabrice Pollet <[email protected]>
Sent: 27 April 2017 14:30:53
To: Rohit Yadav; [email protected]; [email protected]
Subject: Re: Shibboleth and CloudStack

I tried your solution of saving the IdP metadata in the file 
/etc/cloudstack/management/idp-metadata.xml, and I found my IdP in the selection 
proposed by CloudStack. In any case it shows me the possibility of adding other 
IdPs, and that is very good.

However, I come back to the same situation. My Cloud refers to the native 
authentication of my IdP instead of the SSO-CAS.

I should point out that my IdP has been working since 2015 with the RENATER Federation 
and that its external services are correctly redirected to our SSO-CAS.

Maybe a REMOTE_USER environment variable problem between the SP and the IdP?


On 27/04/2017 09:10, Fabrice Pollet wrote:
Hello,

The IdP metadata can also be read at this public URL 
https://idp.etrs.terre.defense.gouv.fr/idp/shibboleth.

The SP metadata is not public at the moment (see attached).

For me the redirection should be done towards 
https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser (SSO-CAS) instead 
of https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword.

My IdP server has the SP metadata (the "backingFile" is filled automatically).

I will try your workaround.

I will keep you informed, and thank you in advance.

Regards,

On 26/04/2017 17:29, Rohit Yadav wrote:

Hi Fabrice,


I could not open the URLs (they are not public) so cannot verify the XML 
metadata.


The IdP metadata http://idp.etrs.terre.defense.gouv.fr:8080/idp/shibboleth will 
include a list of the IdP server endpoints that support HTTP-Redirect based 
single sign-on (Binding set to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect). 
The current SAML2 plugin only supports and works with the HTTP-Redirect binding.


If you can share the XML with me, I can verify the SSO URL. Likely, the URL 
https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword must be one of 
the allowed HTTP-Redirect based SSO endpoints.


You may try this workaround: assuming your IdP server has the SP metadata 
(i.e. the XML that you get from 
"http://cloud.etrs.terre.defense.gouv.fr:8080/client/api?command=getSPMetadata") 
added/enabled, you can download and save the IdP metadata (making any URL 
modification that you want) to a file such as 'idp-metadata.xml' in 
/etc/cloudstack/management on the management server(s), and then in the global 
settings set 'saml2.idp.metadata.url' to the value 'idp-metadata.xml' 
(without the quotes). Then restart the mgmt server(s); it will read the 
metadata from this file location instead of the URL.


The SAML2 plugin also allows multiple IdPs to be defined (for example, in the case 
of a federation it will retrieve and list all the available SSO sites; for example, 
search for the CAFe SAML federation).


Regards.

________________________________
From: Fabrice Pollet <[email protected]>
Sent: 26 April 2017 17:31:46
To: [email protected]
Subject: Shibboleth and CloudStack

Hello,

I'm trying to configure SAML2 SSO support to connect CloudStack 4.9.2.0
as a service provider (SP) to our own identity provider Shibboleth 2.4.4
(IdP - Authentication Service and Authorization based on XML).

I have completed the following CloudStack SAML2 settings:

saml2.append.idpdomain = false
saml2.default.idpid = (none)
saml2.enabled = true
saml2.idp.metadata.url = http://idp.etrs.terre.defense.gouv.fr:8080/idp/shibboleth
saml2.redirect.url = https://cloud.etrs.terre.defense.gouv.fr/client
saml2.sigalg = SHA256
saml2.sp.id = cloud.etrs.terre.defense.gouv.fr
saml2.sp.slo.url = https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSlo
saml2.sp.sso.url = https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso
saml2.user.attribute = uid


But the SSO-SAML2 URL
https://cloud.etrs.terre.defense.gouv.fr/client/api?command=samlSso
sends me to the native authentication URL of our IdP,
https://idp.etrs.terre.defense.gouv.fr/idp/Authn/UserPassword,
instead of the SSO-CAS delegation URL
https://idp.etrs.terre.defense.gouv.fr/idp/Authn/RemoteUser.


The metadata of my SP is listed in my IdP (from the configuration file
relying-party.xml):

    <!-- ETRS CloudStack metadata -->
    <metadata:MetadataProvider id="cloud.etrs.terre.defense.gouv.fr"
        xsi:type="metadata:FileBackedHTTPMetadataProvider"
        metadataURL="http://cloud.etrs.terre.defense.gouv.fr:8080/client/api?command=getSPMetadata"
        backingFile="/opt/shibboleth-idp/metadata/main-sps-etrs-cloudstack-metadata.xml">
    </metadata:MetadataProvider>

Thank you for your help.


--
IEF MINDEF POLLET Fabrice

TERRE/COMSIC/ETRS/DGF/BAF/ING-NEF/PFI-PEDA
COMSIC BP18 35998 RENNES 9 France

821 354 34 82 / 02 99 84 34 82
[email protected] (Internet)
[email protected] (Intradef)


[email protected]
www.shapeblue.com
@shapeblue
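As an added check for the two points made in the thread (that the CloudStack SAML2 plugin only uses the HTTP-Redirect SingleSignOnService endpoints declared in the IdP metadata, and that the saved idp-metadata.xml can be edited by hand to point that endpoint elsewhere), the following script is example code written for this page and is not part of CloudStack or Shibboleth. It parses an IdP metadata document, lists every SingleSignOnService with its binding, picks out the HTTP-Redirect ones the plugin can use, and rewrites their Location. The sample metadata, its entityID and all URLs in it are constructed for the demo; pass a real metadata file as the first argument to run it against your own IdP.

```python
"""Inspect and rewrite the SingleSignOnService endpoints of a SAML2 IdP
metadata document before handing it to the CloudStack SAML2 plugin.

Added example, not CloudStack or Shibboleth code. SAMPLE_IDP_METADATA is
constructed for this demo and does not describe any real IdP."""
import sys
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SSO_TAG = "{%s}SingleSignOnService" % MD_NS
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Keep the conventional "md:" prefix on output instead of ElementTree's "ns0:".
ET.register_namespace("md", MD_NS)

# Constructed sample: one IdP declaring a POST endpoint and a Redirect endpoint.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/idp/profile/SAML2/POST/SSO"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def sso_endpoints(metadata_xml):
    """Return every (Binding, Location) pair declared by the IdP(s) in the
    document; works for a single EntityDescriptor or an EntitiesDescriptor."""
    root = ET.fromstring(metadata_xml)
    return [(e.get("Binding"), e.get("Location")) for e in root.iter(SSO_TAG)]


def redirect_sso_locations(metadata_xml):
    """Only the HTTP-Redirect locations: the binding the CloudStack SAML2
    plugin uses. An empty list means the plugin cannot log in via this IdP."""
    return [loc for binding, loc in sso_endpoints(metadata_xml)
            if binding == HTTP_REDIRECT]


def rewrite_redirect_sso(metadata_xml, new_location):
    """Point every HTTP-Redirect SingleSignOnService at new_location and return
    the edited document (the 'edit the saved XML' hack from the thread).
    Other bindings are left untouched. Editing a signed metadata document
    breaks its XML signature, so only do this on a private saved copy."""
    root = ET.fromstring(metadata_xml)
    changed = 0
    for e in root.iter(SSO_TAG):
        if e.get("Binding") == HTTP_REDIRECT:
            e.set("Location", new_location)
            changed += 1
    if changed == 0:
        raise ValueError("metadata declares no HTTP-Redirect SSO endpoint")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Usage: python idp_metadata.py [idp-metadata.xml] [new-redirect-location]
    # Without arguments the constructed sample above is used.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_IDP_METADATA
    for binding, loc in sso_endpoints(src):
        use = "usable " if binding == HTTP_REDIRECT else "skipped"
        print("%s  %s  %s" % (use, (binding or "?").rsplit(":", 1)[-1], loc))
    if len(sys.argv) > 2:
        sys.stdout.write(rewrite_redirect_sso(src, sys.argv[2]))
```

Redirect the output into /etc/cloudstack/management/idp-metadata.xml and set saml2.idp.metadata.url to idp-metadata.xml as described in the thread. The "skipped" lines are the endpoints the plugin will never contact whatever the IdP's login handler is configured to do, which is the quickest way to see whether an IdP is usable with the plugin at all. Rewriting the Location is a diagnostic, not a supported configuration: the IdP processes an AuthnRequest at a SingleSignOnService location it actually declares, so pointing the plugin at a login handler such as Authn/UserPassword or Authn/RemoteUser only shows how the IdP reacts to the request.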