+1. Very well-written FS and email, Rohit. Those open questions are very valid, I added a little comment in your FS regarding the flow.

Thanks
-min

On 7/20/14 8:35 AM, "Rohit Yadav" <rohit.ya...@shapeblue.com> wrote:

>Hi,
>
>I'm assuming no one objects to the proposal and the spec, I'll move forward
>with the first implementation starting next week but will be mostly
>offline till 28th July.
>
>Regards.
>
>Rohit Yadav wrote:
>> Hi guys,
>>
>> There has been a lot of interest [4] around auth related problems in
>> CloudStack such as -- SSO/SLO (single sign on / log out), 2-factor
>> authentication, role based network/IP/CIDR checking etc.
>>
>> A lot of challenge in implementing them in CloudStack is because of two
>> divergent authentication mechanisms (one that is
>> username/password/cookie based, other which is api/secret keys or
>> hmac/signature based).
>>
>> This thread tries to kickstart a project in that direction which will in
>> short term try to implement a SAML2 plugin and in long term have a much
>> better authentication framework.
>>
>> Let me start by briefly explaining what SAML2 [1] is -- it's an XML
>> based authentication and authorization protocol widely used to implement
>> single sign on service. Having a SAML plugin in ACS will give users and
>> organizations who already have such an infrastructure in place a new
>> mode of authentication.
>>
>> A SAML based SSO infrastructure consists of three entities - user-agent
>> (UA), service provider (SP) and identity provider (IdP). The UA is the
>> user/browser, the SP is the application that the UA is accessing (i.e.
>> Apache CloudStack UI) and the IdP is the identity service and does
>> authentication and authorization, management of users among other
>> things. IdP could be backed by LDAP, AD etc. For the scope of this
>> feature, we only need to implement SAML SP plugin in CloudStack and use
>> any free SAML 2.0 compliant IdP server [5] for testing.
>>
>> For this I researched and explored ways of implementing that and have a
>> first draft which needs to be discussed and iterated in the ACS dev
>> community.
>>
>> After comparing many opensource SAML 2.0 implementations, their
>> security and stability, we'll use OpenSAML [2] which is the most stable
>> and widely used Java implementation. Since within CloudStack, we've been
>> using Spring (for DI etc.) I explored and found Spring security SAML
>> extension [3] which fits perfectly and it too uses OpenSAML.
>>
>> I also have a working proof-of-concept general implementation using the
>> above based on which I've put together a design document draft on this
>> feature for your review:
>>
>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/SAML+2.0+Plugin
>>
>> There are some complex stories/cases around security and user management
>> in CloudStack, some of which are listed under 'open ended questions' in
>> the draft above, most of which I'm not sure how to address.
>>
>> After first round of discussion, I'll go ahead with a basic
>> implementation of this feature. The second phase will address broader
>> use cases.
>>
>> Comments, questions, suggestions?
>>
>> References:
>>
>> [1] http://en.wikipedia.org/wiki/SAML_2.0
>> [2] https://wiki.shibboleth.net/confluence/display/OpenSAML/Home
>> [3] http://projects.spring.io/spring-security-saml
>> [4] John Burwell's talk on SSO in CloudStack:
>> https://www.youtube.com/watch?v=kCR0TzrfCOM
>> [5] https://idp.ssocircle.com/sso/UI/Login
>>
>> Regards,
>> Rohit Yadav
>> Software Architect, ShapeBlue
>> M. +91 88 262 30892 | rohit.ya...@shapeblue.com
>> Blog: bhaisaab.org | Twitter: @_bhaisaab
>>
>>
>> Find out more about ShapeBlue and our range of CloudStack related services
>>
>> IaaS Cloud Design & Build<http://shapeblue.com/iaas-cloud-design-and-build//>
>> CSForge rapid IaaS deployment framework<http://shapeblue.com/csforge/>
>> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/>
>> CloudStack Infrastructure Support<http://shapeblue.com/cloudstack-infrastructure-support/>
>> CloudStack Bootcamp Training Courses<http://shapeblue.com/cloudstack-training/>
>>
>> This email and any attachments to it may be confidential and are
>> intended solely for the use of the individual to whom it is addressed.
>> Any views or opinions expressed are solely those of the author and do
>> not necessarily represent those of Shape Blue Ltd or related companies.
>> If you are not the intended recipient of this email, you must neither
>> take any action based upon its contents, nor copy or show it to anyone.
>> Please contact the sender if you believe you have received this email in
>> error. Shape Blue Ltd is a company incorporated in England & Wales.
>> ShapeBlue Services India LLP is a company incorporated in India and is
>> operated under license from Shape Blue Ltd. Shape Blue Brasil
>> Consultoria Ltda is a company incorporated in Brasil and is operated
>> under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company
>> registered by The Republic of South Africa and is traded under license
>> from Shape Blue Ltd. ShapeBlue is a registered trademark.
>
>--
>Rohit Yadav
>Software Architect, ShapeBlue
>M. +41 779015219 | rohit.ya...@shapeblue.com
>Blog: bhaisaab.org | Twitter: @_bhaisaab
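The UA / SP / IdP exchange Rohit describes above, modelled end to end as an added example; this is not code from the thread, from CloudStack, from OpenSAML or from the Spring Security SAML extension. It plays the SP role (the CloudStack side of the proposed plugin) and a minimal IdP, and shows the checks an SP has to make before it turns a returned Assertion into a session: signature, Issuer, validity window with clock skew, AudienceRestriction, Recipient/InResponseTo binding to an outstanding AuthnRequest, and a replay cache keyed on the Assertion ID. Everything here is an assumption for the example: the entity IDs, the ACS URL, the fixed clock values, the user `alice@example.org`, and the signing scheme, where an HMAC over the fields the SP relies on stands in for the XML-DSig signature a real IdP produces, so the script runs offline with the standard library only.

```python
# Constructed SAML 2.0 web-browser SSO model (UA, SP, IdP); not CloudStack or OpenSAML code.
import base64, hashlib, hmac, uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SP_ENTITY_ID = "https://cloudstack.example/saml"  # assumed SP entity ID
SP_ACS_URL = SP_ENTITY_ID + "/acs"                # assumed assertion consumer URL
IDP_ENTITY_ID = "https://idp.example/saml"        # assumed IdP entity ID
IDP_KEY = b"constructed-idp-signing-key"          # stand-in for the IdP signing key
FMT = "%Y-%m-%dT%H:%M:%SZ"

def tag(prefix, name):
    return "{%s}%s" % (NS[prefix], name)

def _parse(s):
    return datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)

def _canon(a):
    """Bytes of every field the SP trusts (stand-in for XML-DSig canonicalization)."""
    cond = a.find("saml:Conditions", NS)
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    fields = [a.get("ID"), a.findtext("saml:Issuer", namespaces=NS),
              a.findtext("saml:Subject/saml:NameID", namespaces=NS), scd.get("InResponseTo"),
              scd.get("Recipient"), scd.get("NotOnOrAfter"), cond.get("NotBefore"),
              cond.get("NotOnOrAfter"),
              cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS)]
    return "|".join(fields).encode()

def _sign(payload):
    return base64.b64encode(hmac.new(IDP_KEY, payload, hashlib.sha256).digest()).decode()

def idp_issue_response(authn_request_xml, name_id, now, lifetime=timedelta(minutes=5)):
    """IdP side: user already authenticated (e.g. LDAP/AD); answer with a signed bearer Assertion."""
    req = ET.fromstring(authn_request_xml)
    resp = ET.Element(tag("samlp", "Response"), ID="_" + uuid.uuid4().hex, InResponseTo=req.get("ID"))
    a = ET.SubElement(resp, tag("saml", "Assertion"), ID="_" + uuid.uuid4().hex,
                      IssueInstant=now.strftime(FMT))
    ET.SubElement(a, tag("saml", "Issuer")).text = IDP_ENTITY_ID
    subj = ET.SubElement(a, tag("saml", "Subject"))
    ET.SubElement(subj, tag("saml", "NameID")).text = name_id
    sc = ET.SubElement(subj, tag("saml", "SubjectConfirmation"), Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    ET.SubElement(sc, tag("saml", "SubjectConfirmationData"), InResponseTo=req.get("ID"),
                  Recipient=req.get("AssertionConsumerServiceURL"), NotOnOrAfter=(now + lifetime).strftime(FMT))
    cond = ET.SubElement(a, tag("saml", "Conditions"), NotBefore=now.strftime(FMT),
                         NotOnOrAfter=(now + lifetime).strftime(FMT))
    ar = ET.SubElement(cond, tag("saml", "AudienceRestriction"))
    ET.SubElement(ar, tag("saml", "Audience")).text = SP_ENTITY_ID
    ET.SubElement(a, tag("ds", "Signature")).text = _sign(_canon(a))  # sign last, over all fields
    return ET.tostring(resp)

class ServiceProvider:
    def __init__(self):
        self.pending = set()   # AuthnRequest IDs awaiting a Response
        self.consumed = set()  # Assertion IDs already accepted (replay guard)

    def authn_request(self, now):
        rid = "_" + uuid.uuid4().hex
        self.pending.add(rid)
        req = ET.Element(tag("samlp", "AuthnRequest"), ID=rid, IssueInstant=now.strftime(FMT),
                         AssertionConsumerServiceURL=SP_ACS_URL)
        ET.SubElement(req, tag("saml", "Issuer")).text = SP_ENTITY_ID
        return ET.tostring(req)  # the UA carries this to the IdP

    def consume(self, response_xml, now, skew=timedelta(seconds=60)):
        """Return the authenticated NameID or raise ValueError; verify the signature first."""
        a = ET.fromstring(response_xml).find("saml:Assertion", NS)
        sig = a.findtext("ds:Signature", namespaces=NS) if a is not None else None
        if sig is None or not hmac.compare_digest(sig, _sign(_canon(a))):
            raise ValueError("missing or bad signature")  # nothing below is trusted until here
        if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
            raise ValueError("unexpected issuer")
        cond = a.find("saml:Conditions", NS)
        if not _parse(cond.get("NotBefore")) - skew <= now < _parse(cond.get("NotOnOrAfter")) + skew:
            raise ValueError("assertion outside validity window")
        if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
            raise ValueError("wrong audience")
        if a.get("ID") in self.consumed:
            raise ValueError("assertion replayed")
        scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        if scd.get("Recipient") != SP_ACS_URL or scd.get("InResponseTo") not in self.pending:
            raise ValueError("not a response to an outstanding request of this SP")
        self.consumed.add(a.get("ID"))
        self.pending.discard(scd.get("InResponseTo"))
        return a.findtext("saml:Subject/saml:NameID", namespaces=NS)

def run_flow():
    def attempt(sp, xml, now):
        try:
            return ("ok", sp.consume(xml, now))
        except ValueError as e:
            return ("rejected", str(e))
    t0 = datetime(2014, 7, 20, 8, 35, tzinfo=timezone.utc)  # constructed clock
    sp = ServiceProvider()
    req = sp.authn_request(t0)                                # UA -> IdP
    resp = idp_issue_response(req, "alice@example.org", t0 + timedelta(seconds=5))  # IdP -> UA -> SP
    return {"valid": attempt(sp, resp, t0 + timedelta(seconds=10)),
            "replay": attempt(sp, resp, t0 + timedelta(seconds=11)),
            "tampered": attempt(ServiceProvider(), resp.replace(b"alice@", b"admin@"), t0 + timedelta(seconds=10)),
            "expired": attempt(ServiceProvider(), resp, t0 + timedelta(minutes=10))}
```

`run_flow()` walks one valid login and then three rejections: the same Response presented twice, a Response whose NameID was edited after signing, and a Response presented after its NotOnOrAfter plus the allowed skew. The ordering inside `consume` is deliberate: the signature is checked before any other field is read, and every field the SP later relies on is inside what the signature covers. In the real plugin OpenSAML does the XML-DSig verification and canonicalization; the same rule still applies there, in that the Subject and Conditions the SP acts on must be read from the very Assertion element whose signature was verified.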