* Move config options to SAML plugin
This moves all configuration options from Config.java to SAML auth manager. This
allows us to use the config framework.
* Make SAML2UserAuthenticator validate SAML token in httprequest
* Make logout API use ConfigKeys defined in saml auth manager
* Before doing SAML auth, cleanup local states and cookies
* Fix configurations in 4.5.1 to 4.5.2 upgrade path
* Fail if the IdP metadata defines no SSO URL
* Add a default set of SAML SP cert for testing purposes
Now to enable and use saml, one needs to do a deploydb-saml after doing a deploydb
* UI remembers login selections, IDP server
- CLOUDSTACK-8458:
* On UI show dropdown list of discovered IdPs
* Support SAML Federation, where there may be more than one IdP
- New datastructure to hold metadata of SP or IdP
- Recursive processing of IdP metadata
- Fix login/logout APIs to get new interface and metadata data structure
- Add org/contact information to metadata
- Add new API: listIdps that returns list of all discovered IdPs
- Refactor and cleanup code and tests
- CLOUDSTACK-8459:
* Add HTTP-POST binding to SP metadata
* Authn requests must use either the HTTP POST or the HTTP Artifact binding
- CLOUDSTACK-8461:
* Use unspecified x509 cert as a fallback encryption/signing key
If an IdP's metadata does not state whether a certificate is meant for signing or
for encryption, and no certificate with that explicit use is found, fall back to
the certificate whose use is left unspecified.
- CLOUDSTACK-8462:
* SAML Auth plugin should not do authorization
This removes the logic that created a user on first login if none existed. The plugin
now strictly assumes that users have already been created/imported/authorized by admins.
As per SAML v2.0 spec section 4.1.2, the SP provider should create authn requests using
either HTTP POST or HTTP Artifact binding to transfer the message through a
user agent (browser in our case). The plugin previously used the HTTP Redirect
binding, which is one reason it failed against IdP servers that enforce this requirement.
* Add new User Source
By reusing the source field, we can find if a user has been SAML enabled or not.
The limitation is that once a user imported via LDAP has been SAML enabled,
they can no longer authenticate with LDAP.
* UI should allow users to pass in domain they want to log into, though it is
optional and needed only when a user has accounts across domains with same
username and authorized IDP server
* SAML users need to be authorized before they can authenticate
- New column entity to track saml entity id for a user
- Reusing source column to check if user is saml enabled or not
- Add new source types, saml2 and saml2disabled
- New table saml_token to solve the issue of multiple users across domains and
to enforce security by tracking authn token and checking the samlresponse for
the tokens
- Implement API: authorizeSamlSso to enable/disable saml authentication for a
user
- Stubs to implement saml token flushing/expiry
- CLOUDSTACK-8463:
* Use username attribute specified in global setting
Use username attribute defined by admin from a global setting
In case of encrypted assertions/attributes:
- Decrypt them with the SP's private key
- If a signature is present, verify it with the IdP's public key to establish
the authenticity of the message
- Loop through attributes to find the username
- CLOUDSTACK-8538:
* Add new global config for SAML request sig algorithm
- CLOUDSTACK-8539:
* Add metadata refresh timer task and token expiring
- Fix domain path and save it to saml_tokens
- Expire SAML tokens that are older than one hour
- Refresh metadata based on timer task
- Fix unit tests
This closes #489
(cherry picked from commit 20ce346f3acb794b08a51841bab2188d426bf7dc)
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
Conflicts:
client/WEB-INF/classes/resources/messages_hu.properties
plugins/hypervisors/xenserver/src/com/cloud/hypervisor/xenserver/resource/wrapper/xenbase/CitrixCheckHealthCommandWrapper.java
plugins/user-authenticators/saml2/src/org/apache/cloudstack/api/command/SAML2LoginAPIAuthenticatorCmd.java
ui/scripts/ui-custom/login.js
-- Licensed to the Apache Software Foundation (ASF) under one
-- or more contributor license agreements. See the NOTICE file
-- distributed with this work for additional information
-- regarding copyright ownership. The ASF licenses this file
-- to you under the Apache License, Version 2.0 (the
-- "License"); you may not use this file except in compliance
-- with the License. You may obtain a copy of the License at
--
-- http://www.apache.org/licenses/LICENSE-2.0
--
-- Unless required by applicable law or agreed to in writing,
-- software distributed under the License is distributed on an
-- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-- KIND, either express or implied. See the License for the
-- specific language governing permissions and limitations
-- under the License.
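-- Add a default ROOT domain
--
-- NOTE(review): the script ends with a `commit;` but nothing opened a
-- transaction, so under MySQL's default autocommit every INSERT below was
-- committed on its own and a failure half-way through left a partially seeded
-- database (for example a ROOT domain whose owner account, id 2, never got
-- inserted). An explicit START TRANSACTION makes the closing COMMIT
-- meaningful: either every seed row lands or none does.
USE cloud;

START TRANSACTION;

-- Domain id 1 is ROOT; its `owner` (2) is the admin account inserted further
-- down. Both ids are hard-coded, so the two statements must stay in sync.
INSERT INTO `cloud`.`domain` (id, uuid, name, parent, path, owner) VALUES
(1, UUID(), 'ROOT', NULL, '/', 2);

-- Add system and admin accounts (both type 1, both in the ROOT domain, enabled)
INSERT INTO `cloud`.`account` (id, uuid, account_name, type, domain_id, state) VALUES
(1, UUID(), 'system', 1, 1, 'enabled');

INSERT INTO `cloud`.`account` (id, uuid, account_name, type, domain_id, state) VALUES
(2, UUID(), 'admin', 1, 1, 'enabled');

-- Add system user
-- The password is whatever RAND() returns (a MySQL PRNG float rendered as a
-- string such as '0.1234...'), i.e. a placeholder rather than a credential;
-- RAND() is not cryptographically strong. NOTE(review): this presumes the
-- 'system' user is never meant to log in interactively — confirm before
-- relying on it.
INSERT INTO `cloud`.`user` (id, uuid, username, password, account_id, firstname,
lastname, email, state, created) VALUES (1, UUID(), 'system', RAND(),
'1', 'system', 'cloud', NULL, 'enabled', NOW());

-- Add the admin user. The stored value is the unsalted MD5 digest of the
-- literal string "password" (5f4dcc3b5aa765d61d8327deb882cf99) — a well-known
-- default credential, not an encrypted secret. The row is seeded 'disabled';
-- something outside this script has to enable it, and the password must be
-- changed before the management server is reachable by anyone but the
-- developer who ran this seed.
INSERT INTO `cloud`.`user` (id, uuid, username, password, account_id, firstname,
lastname, email, state, created) VALUES (2, UUID(), 'admin', '5f4dcc3b5aa765d61d8327deb882cf99',
'2', 'Admin', 'User', 'admin@mailprovider.com', 'disabled', NOW());

-- Add configurations
-- 'init' is a Hidden flag seeded as 'false'; presumably the management server
-- flips it once first-run initialisation completes — confirm in the server code.
INSERT INTO `cloud`.`configuration` (category, instance, component, name, value)
VALUES ('Hidden', 'DEFAULT', 'management-server', 'init', 'false');

-- NOTE(review): 8096 is the conventional port of CloudStack's integration API,
-- which answers requests without authentication. Acceptable for a throw-away
-- developer database; anywhere else bind it to localhost or firewall it.
INSERT INTO `cloud`.`configuration` (category, instance, component, name, value)
VALUES ('Advanced', 'DEFAULT', 'management-server',
'integration.api.port', '8096');

-- 0.0.0.0/0 marks every IPv4 address as an allowed "internal" site for
-- secondary-storage downloads — the most permissive value possible. Narrow it
-- to the real internal ranges for anything beyond a developer deployment.
INSERT INTO `cloud`.`configuration` (category, instance, component, name, value)
VALUES ('Advanced', 'DEFAULT', 'management-server',
'secstorage.allowed.internal.sites', '0.0.0.0/0');

-- Aggressive (60) account-cleanup / expunge timers for development. The unit
-- is not visible here — presumably seconds, TODO confirm against Config.java.
INSERT INTO `cloud`.`configuration` (category, instance, component, name, value)
VALUES ('Advanced', 'DEFAULT', 'management-server',
'account.cleanup.interval', '60');

INSERT INTO `cloud`.`configuration` (category, instance, component, name, value)
VALUES ('Advanced', 'DEFAULT', 'management-server',
'expunge.delay', '60');

INSERT INTO `cloud`.`configuration` (category, instance, component, name, value)
VALUES ('Advanced', 'DEFAULT', 'management-server',
'expunge.interval', '60');

-- Stop allocating to a cluster / storage pool once 95% of the respective
-- capacity is allocated (reading taken from the key names; verify semantics).
INSERT INTO `cloud`.`configuration` (category, instance, component, name, value)
VALUES ('Advanced', 'DEFAULT', 'management-server',
'cluster.cpu.allocated.capacity.disablethreshold', '0.95');

INSERT INTO `cloud`.`configuration` (category, instance, component, name, value)
VALUES ('Advanced', 'DEFAULT', 'management-server',
'cluster.memory.allocated.capacity.disablethreshold', '0.95');

INSERT INTO `cloud`.`configuration` (category, instance, component, name, value)
VALUES ('Advanced', 'DEFAULT', 'management-server',
'pool.storage.allocated.capacity.disablethreshold', '0.95');

INSERT INTO `cloud`.`configuration` (category, instance, component, name, value)
VALUES ('Advanced', 'DEFAULT', 'management-server',
'pool.storage.capacity.disablethreshold', '0.95');

-- Add developer configuration entry; allows management server to be run as a user other than "cloud"
-- (a development convenience — keep it 'false' on any non-developer database)
INSERT INTO `cloud`.`configuration` (category, instance, component, name, value)
VALUES ('Advanced', 'DEFAULT', 'management-server',
'developer', 'true');

COMMIT;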