Rohit Yadav created CLOUDSTACK-8037:
---------------------------------------
Summary: Survey security of using SAML plugin in production and test against standard IDPs
Key: CLOUDSTACK-8037
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8037
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Reporter: Rohit Yadav
Assignee: Rohit Yadav
Priority: Critical
Fix For: 4.5.0, 4.6.0

Since the SAML plugin will ship with 4.5, and while it's not enabled by default, we
need to do a lot of testing and make sure whatever we're shipping works
generally in most cases. While the protocol does not dictate what different
metadata an IDP should return other than NameID (like a UUID), it needs to work
just based on that and provide other mechanisms to support additional metadata
such as email, name, timezone etc.

The other main aim is to test various possible loopholes or exploits it could
have, or bad conflicts with respect to transient vs non-transient/unique
NameIDs, SAML token signature checking, as well as the HTTP-redirected
authentication process. A final set of tests (possibly automated tests) or manual
QA should be run against known standard IDP implementations, for example openidp,
ssocircle, shibboleth etc.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
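As an added example (not part of this ticket or of CloudStack's SAML plugin), the policy checks a SAML service provider has to apply around signature verification before trusting a Response: exactly one signed assertion, Destination and Audience addressed to this SP, a validity window, and a NameID whose format can actually key a user account (transient IDs change per session). SP_ENTITY_ID, ACS_URL, the sample Response and the signature_ok hook are constructed assumptions; the XML-DSig cryptography itself is delegated to that hook.

```python
"""Policy checks a SAML SP applies to an IdP Response before trusting it."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
SP_ENTITY_ID = "https://sp.example.test"             # constructed SP identity
ACS_URL = "https://sp.example.test/saml/acs"         # constructed ACS endpoint

def _utc(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, now, signature_ok):
    """Return (accepted, nameid, reason). signature_ok(assertion) -> bool is the
    caller's XML-DSig verifier (e.g. xmlsec); this enforces the policy around it."""
    root = ET.fromstring(xml_text)
    if root.get("Destination") != ACS_URL:
        return False, None, "Destination is not our ACS URL"
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return False, None, "expected exactly one Assertion"
    a = assertions[0]
    if a.find("ds:Signature", NS) is None or not signature_ok(a):  # never trust unsigned
        return False, None, "assertion signature missing or invalid"
    cond = a.find("saml:Conditions", NS)
    if cond is None or not _utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter")):
        return False, None, "assertion outside its validity window"
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return False, None, "assertion not addressed to this SP"
    nameid = a.find("saml:Subject/saml:NameID", NS)
    if nameid is None or not (nameid.text or "").strip():
        return False, None, "missing NameID"
    if nameid.get("Format") == TRANSIENT:
        # Transient IDs change per session and cannot key a user account;
        # this example's policy refuses them instead of creating ghost users.
        return False, nameid.text, "transient NameID cannot be mapped to an account"
    return True, nameid.text, "ok"

# Constructed sample (not from a real IdP); the Signature body is a stub
# because cryptographic verification is delegated to signature_ok.
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" Destination="{ACS_URL}">
  <saml:Assertion ID="_a1"><ds:Signature/>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">7f2c-uuid</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2014-12-01T10:00:00Z" NotOnOrAfter="2014-12-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions></saml:Assertion></samlp:Response>"""
```

Swapping the sample's NameID Format for the transient URN, removing the Signature element, or moving the clock to NotOnOrAfter each turns the accepted result into a refusal with the corresponding reason.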