Uploaded image for project: 'CloudStack'
  1. CloudStack
  2. CLOUDSTACK-8457 Make SAML plugin production grade
  3. CLOUDSTACK-8462

SAML: Auth plugin should handle authentication, admins to authorize users before they can authenticated



    • Type: Sub-task
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 4.5.2, 4.6.0, Future
    • Component/s: SAML
    • Security Level: Public (Anyone can view this level - this is the default.)
    • Labels:


      At the time of writing the auth plugin, I did not consider many security issues. The current SAML2 auth plugin would automatically create users and allow them inside CloudStack which in production could cause a severe security issue, especially in environment with public IdP server infra such as large institutions. Therefore, the idea is to let admin add/import users manually or from LDAP and then allow them to be SAML authenticated. This delegates the security issue and account creation/handling to the admin or some other business layer/system.

      The following scenario would be supported:

      • Admin adds a user either manually or importing from LDAP etc.
      • Admin can then specify (multi-select or through API) a list of one or more users with their username (or any unique ID) to be allowed to be SAML authenticated

      Assumption here is that every SAML authenticated user would have a unique username mapped into CloudStack. Edge case handling: In case multiple users exist in CloudStack with the same username (could be across domains) and if the admin enables SAML authentication for all those user account, then the plugin would assume all the users as the same and allowed by the SAML authenticated user. Then, upon log in, the user should be able to select/switch between all such accounts under any of the domains.




            • Assignee:
              bhaisaab Rohit Yadav
              bhaisaab Rohit Yadav
            • Votes:
              0 Vote for this issue
              4 Start watching this issue


              • Created: