[
https://issues.apache.org/jira/browse/CLOUDSTACK-8462?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14547677#comment-14547677
]
Rohit Yadav commented on CLOUDSTACK-8462:
-----------------------------------------
[~rajanik] - thanks for the question. The idea is that the admin will import or add
a user and then authorize (set permissions, who can do what) to use SAML
authentication or not (with some options like IdP server etc if needed). The
SAML plugin would only do authentication (allow a user in if IdP token
authenticates them -- check they are who they say they are). Hope this helps.
> SAML: Auth plugin should handle authentication, admins to authorize users
> before they can be authenticated
> -------------------------------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-8462
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8462
> Project: CloudStack
> Issue Type: Sub-task
> Security Level: Public (Anyone can view this level - this is the default.)
> Components: SAML
> Reporter: Rohit Yadav
> Assignee: Rohit Yadav
> Priority: Critical
> Fix For: Future, 4.6.0, 4.5.2
>
>
> At the time of writing the auth plugin, I did not consider many security
> issues. The current SAML2 auth plugin would automatically create users and
> allow them inside CloudStack which in production could cause a severe
> security issue, especially in environments with public IdP server infra such
> as large institutions. Therefore, the idea is to let admin add/import users
> manually or from LDAP and then allow them to be SAML authenticated. This
> delegates the security issue and account creation/handling to the admin or
> some other business layer/system.
> The following scenario would be supported:
> - Admin adds a user either manually or importing from LDAP etc.
> - Admin can then specify (multi-select or through API) a list of one or more
> users with their username (or any unique ID) to be allowed to be SAML
> authenticated
> Assumption here is that every SAML authenticated user would have a unique
> username mapped into CloudStack. Edge case handling: In case multiple users
> exist in CloudStack with the same username (could be across domains) and if
> the admin enables SAML authentication for all those user accounts, then the
> plugin would assume all the users as the same and allowed by the SAML
> authenticated user. Then, upon log in, the user should be able to
> select/switch between all such accounts under any of the domains.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
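The split the issue proposes (the IdP authenticates, the CloudStack admin authorizes) can be modelled in a few dozen lines. The following is an added illustration, not CloudStack's SAML plugin code: an in-memory account table, the old auto-create behaviour the issue warns against kept for contrast, the admin's "enable SAML for this account" step, and a login that only consults the admin's flag and returns every matching account so the user can pick a domain in the same-username edge case. Class names, field names, and the sample accounts are constructed assumptions.

```python
# Added example, not CloudStack's code: models the authorization step that
# CLOUDSTACK-8462 proposes. The IdP is assumed to have already validated the
# SAML assertion; its NameID is passed in as `asserted_username`.
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    domain: str
    saml_enabled: bool = False  # set only by the admin, never by the plugin


class NotAuthorized(Exception):
    """The IdP vouched for the user, but no CloudStack account permits SAML login."""


class SamlLogin:
    def __init__(self, accounts):
        self.accounts = list(accounts)

    # --- behaviour the issue describes as the problem (kept for contrast) ---
    def login_autocreate(self, asserted_username, domain="ROOT"):
        """Anyone the IdP authenticates gets an account: IdP users == cloud users."""
        for acct in self.accounts:
            if acct.username == asserted_username and acct.domain == domain:
                return acct
        acct = Account(asserted_username, domain, saml_enabled=True)
        self.accounts.append(acct)  # no admin decision involved
        return acct

    # --- proposed behaviour: admin authorizes, plugin only authenticates ---
    def admin_enable_saml(self, username, domain):
        """Admin step: allow an already-added/imported account to log in via SAML."""
        for acct in self.accounts:
            if acct.username == username and acct.domain == domain:
                acct.saml_enabled = True
                return True
        return False  # unknown account: admin must add/import it first

    def login(self, asserted_username):
        """Return every SAML-enabled account whose username matches the assertion.

        No match -> reject, nothing is created. Several matches (same username
        across domains) -> the caller lets the user select among them, as the
        issue's edge case requires.
        """
        matches = [a for a in self.accounts
                   if a.username == asserted_username and a.saml_enabled]
        if not matches:
            raise NotAuthorized(asserted_username)
        return matches

    def select_account(self, asserted_username, domain):
        """Resolve the multi-domain case by picking one authorized account."""
        for acct in self.login(asserted_username):
            if acct.domain == domain:
                return acct
        raise NotAuthorized(f"{asserted_username} is not SAML-enabled in {domain}")


if __name__ == "__main__":
    # Constructed sample data: 'alice' exists in two domains, 'bob' in one.
    svc = SamlLogin([Account("alice", "ROOT"), Account("alice", "tenantA"),
                     Account("bob", "ROOT")])
    svc.admin_enable_saml("alice", "ROOT")
    svc.admin_enable_saml("alice", "tenantA")
    print([a.domain for a in svc.login("alice")])  # both domains offered
    try:
        svc.login("bob")  # exists, but admin never enabled SAML for him
    except NotAuthorized as e:
        print("rejected:", e)
```

The contrast worth noticing is that `login` never writes to the account table: the only path that creates or enables an account runs through the admin, so a stranger the IdP happens to know is simply rejected instead of provisioned.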