mirror of https://github.com/apache/cloudstack.git
20ce346f3a
* Move config options to SAML plugin
This moves all configuration options from Config.java to SAML auth manager. This
allows us to use the config framework.
* Make SAML2UserAuthenticator validate SAML token in httprequest
* Make logout API use ConfigKeys defined in saml auth manager
* Before doing SAML auth, cleanup local states and cookies
* Fix configurations in 4.5.1 to 4.5.2 upgrade path
* Fail if idp has no sso URL defined
* Add a default set of SAML SP cert for testing purposes
Now to enable and use saml, one needs to do a deploydb-saml after doing a deploydb
* UI remembers login selections, IDP server
- CLOUDSTACK-8458:
* On UI show dropdown list of discovered IdPs
* Support SAML Federation, where there may be more than one IdP
- New datastructure to hold metadata of SP or IdP
- Recursive processing of IdP metadata
- Fix login/logout APIs to get new interface and metadata data structure
- Add org/contact information to metadata
- Add new API: listIdps that returns list of all discovered IdPs
- Refactor and cleanup code and tests
- CLOUDSTACK-8459:
* Add HTTP-POST binding to SP metadata
* Authn requests must use either HTTP POST/Artifact binding
- CLOUDSTACK-8461:
* Use unspecified x509 cert as a fallback encryption/signing key
In case a IDP's metadata does not clearly say if their certificates need to be
used as signing or encryption and we don't find that, fallback to use the
unspecified key itself.
- CLOUDSTACK-8462:
* SAML Auth plugin should not do authorization
This removes logic to create user if they don't exist. This strictly now
assumes that users have been already created/imported/authorized by admins.
As per SAML v2.0 spec section 4.1.2, the SP provider should create authn requests using
either HTTP POST or HTTP Artifact binding to transfer the message through a
user agent (browser in our case). The use of HTTP Redirect was one of the reasons
why this plugin failed to work for some IdP servers that enforce this.
* Add new User Source
By reusing the source field, we can find if a user has been SAML enabled or not.
The limitation is that, once say a user is imported by LDAP and then SAML
enabled - they won't be able to use LDAP for authentication
* UI should allow users to pass in domain they want to log into, though it is
optional and needed only when a user has accounts across domains with same
username and authorized IDP server
* SAML users need to be authorized before they can authenticate
- New column entity to track saml entity id for a user
- Reusing source column to check if user is saml enabled or not
- Add new source types, saml2 and saml2disabled
- New table saml_token to solve the issue of multiple users across domains and
to enforce security by tracking authn token and checking the samlresponse for
the tokens
- Implement API: authorizeSamlSso to enable/disable saml authentication for a
user
- Stubs to implement saml token flushing/expiry
- CLOUDSTACK-8463:
* Use username attribute specified in global setting
Use username attribute defined by admin from a global setting
In case of encrypted assertion/attributes:
- Decrypt them
- Check signature if provided to check authenticity of message using IdP's
public key and SP's private key
- Loop through attributes to find the username
- CLOUDSTACK-8538:
* Add new global config for SAML request sig algorithm
- CLOUDSTACK-8539:
* Add metadata refresh timer task and token expiring
- Fix domain path and save it to saml_tokens
- Expire hour old saml tokens
- Refresh metadata based on timer task
- Fix unit tests
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
This closes #489
|
||
|---|---|---|
| .. | ||
| data-217to218.sql | ||
| schema-20to21.sql | ||
| schema-21to22-cleanup.sql | ||
| schema-21to22-premium.sql | ||
| schema-21to22.sql | ||
| schema-22beta1to22beta2.sql | ||
| schema-22beta3to22beta4.sql | ||
| schema-30to301.sql | ||
| schema-40to410-cleanup.sql | ||
| schema-40to410.sql | ||
| schema-217to218.sql | ||
| schema-221to222-cleanup.sql | ||
| schema-221to222-premium.sql | ||
| schema-221to222.sql | ||
| schema-222to224-cleanup.sql | ||
| schema-222to224-premium.sql | ||
| schema-222to224.sql | ||
| schema-224to225-cleanup.sql | ||
| schema-224to225.sql | ||
| schema-225to226.sql | ||
| schema-227to228-premium.sql | ||
| schema-227to228.sql | ||
| schema-228to229.sql | ||
| schema-229to2210.sql | ||
| schema-301to302-cleanup.sql | ||
| schema-301to302.sql | ||
| schema-302to40-cleanup.sql | ||
| schema-302to40.sql | ||
| schema-302to303.sql | ||
| schema-304to305-cleanup.sql | ||
| schema-304to305.sql | ||
| schema-305to306-cleanup.sql | ||
| schema-305to306.sql | ||
| schema-306to307.sql | ||
| schema-307to410-cleanup.sql | ||
| schema-307to410.sql | ||
| schema-410to420-cleanup.sql | ||
| schema-410to420.sql | ||
| schema-420to421.sql | ||
| schema-421to430-cleanup.sql | ||
| schema-421to430.sql | ||
| schema-430to440-cleanup.sql | ||
| schema-430to440.sql | ||
| schema-440to441-cleanup.sql | ||
| schema-440to441.sql | ||
| schema-441to442.sql | ||
| schema-442to450-cleanup.sql | ||
| schema-442to450.sql | ||
| schema-443to444.sql | ||
| schema-450to451-cleanup.sql | ||
| schema-450to451.sql | ||
| schema-451to452-cleanup.sql | ||
| schema-451to452.sql | ||
| schema-2210to2211.sql | ||
| schema-2211to2212-premium.sql | ||
| schema-2211to2212.sql | ||
| schema-2212to2213.sql | ||
| schema-2213to2214.sql | ||
| schema-2214to30-cleanup.sql | ||
| schema-2214to30.sql | ||
| schema-level.sql | ||
| schema-snapshot-217to224.sql | ||
| schema-snapshot-223to224.sql | ||