[
https://issues.apache.org/jira/browse/CLOUDSTACK-8462?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14573184#comment-14573184
]
ASF subversion and git services commented on CLOUDSTACK-8462:
-------------------------------------------------------------
Commit 2a177554e8d674a6e5377a8879a3bd3857ad7e8f in cloudstack's branch
refs/heads/saml-production-grade from [[email protected]]
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=2a17755 ]
CLOUDSTACK-8462: Add new User Source
By reusing the source field, we can find if a user has been SAML enabled or not.
The limitation is that, once say a user is imported by LDAP and then SAML
enabled - they won't be able to use LDAP for authentication
Signed-off-by: Rohit Yadav <[email protected]>
> SAML: Auth plugin should handle authentication, admins to authorize users
> before they can authenticated
> -------------------------------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-8462
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8462
> Project: CloudStack
> Issue Type: Sub-task
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: SAML
> Reporter: Rohit Yadav
> Assignee: Rohit Yadav
> Priority: Critical
> Fix For: Future, 4.6.0, 4.5.2
>
>
> At the time of writing the auth plugin, I did not consider many security
> issues. The current SAML2 auth plugin would automatically create users and
> allow them inside CloudStack which in production could cause a severe
> security issue, especially in environment with public IdP server infra such
> as large institutions. Therefore, the idea is to let admin add/import users
> manually or from LDAP and then allow them to be SAML authenticated. This
> delegates the security issue and account creation/handling to the admin or
> some other business layer/system.
> The following scenario would be supported:
> - Admin adds a user either manually or importing from LDAP etc.
> - Admin can then specify (multi-select or through API) a list of one or more
> users with their username (or any unique ID) to be allowed to be SAML
> authenticated
> Assumption here is that every SAML authenticated user would have a unique
> username mapped into CloudStack. Edge case handling: In case multiple users
> exist in CloudStack with the same username (could be across domains) and if
> the admin enables SAML authentication for all those user account, then the
> plugin would assume all the users as the same and allowed by the SAML
> authenticated user. Then, upon log in, the user should be able to
> select/switch between all such accounts under any of the domains.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
