[one-users] Federated authentication with SAML via simpleSAMLphp

Mihály Héder mihaly.heder at sztaki.mta.hu
Thu Jan 17 06:30:37 PST 2013


Dear All,

let me introduce our OpenNebula Sunstone-SimpleSAMLphp integration solution:
http://ssp-for-opennebula.sztaki.hu/

And here is the corresponding patch in the issue tracker:
http://dev.opennebula.org/issues/1731

In a nutshell, with this solution we can use our SAML-based
institutional Single Sign On system for delegating resources in our
cloud. When a user accesses the Sunstone frontend for the first time,
their user gets created within nebula. Based on an entitlement, he/she will be
put in an OpenNebula group that was created with certain quotas for a
project or department by us, administrators. Users can participate in
many groups, in which case they have to choose their group for each
session. Unfortunately nebula does not support multiple group
membership, so we move these users each time using the auth module.

Now we have this work flow to grant access to our cloud:
- a bunch of people request resources from the cloud for their fancy
project. We call this bunch of people a Virtual Organization.
- we create a nebula group for them with quotas. In our VO software we
entitle some of these people to be VO managers. Then, they can invite,
remove others, etc. People from other institutes in the
national/European SAML federations can also be invited. But all this
happens outside nebula, so we only have to create the group and that's
it. Moreover, they can get e.g. their own trac or wiki that are also
SAML enabled and attached to the VO, and then use Single Sign-On
between them.

Anyway, this patch and the corresponding simpleSAMLphp modules made
our lives much easier. We hope it will help some of you out there as
well. Unfortunately, because of the nature of the task, many smaller
changes scattered around the web code needed to be made, e.g. for
disabling the normal login screen, etc. But these are not core stuff,
so we hope our patch can one day make it into the main code base.

If you have any questions/suggestions don't hesitate to contact us!

Cheers,
Mihály Héder, Milán Unicsovics
MTA SZTAKI ITAK
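The group-selection logic the message describes (first access creates the user, an entitlement maps to a nebula group, a user in several VOs picks one group per session and is moved there), as an added Python example that is not part of the SZTAKI patch or of simpleSAMLphp. The entitlement URNs, the `VO_GROUP_MAP` table and the attribute name used are constructed assumptions, and the OpenNebula operations are returned as planned actions rather than issued as real API calls.

```python
# Added example, not the SZTAKI patch: the decisions a SAML auth module for
# Sunstone has to make. The URN layout and the group table are assumptions.

VO_GROUP_MAP = {  # constructed: entitlement value -> OpenNebula group name
    "urn:mace:example.hu:vo:climate-sim:member": "climate-sim",
    "urn:mace:example.hu:vo:genomics:member": "genomics",
}


def entitled_groups(saml_attrs):
    """Return the nebula groups the SAML assertion entitles the user to."""
    values = saml_attrs.get("eduPersonEntitlement", [])
    return sorted({VO_GROUP_MAP[v] for v in values if v in VO_GROUP_MAP})


def resolve_session_group(saml_attrs, chosen=None):
    """Decide which group this session runs in.

    Returns (group, needs_choice). 'chosen' is user-supplied input from the
    group picker, so it is honoured only if the assertion entitles the user
    to that group; the selection is never trusted on its own."""
    groups = entitled_groups(saml_attrs)
    if not groups:
        raise PermissionError("no entitlement maps to a cloud group")
    if len(groups) == 1:
        return groups[0], False
    if chosen is None:
        return None, True  # ask the user to pick a group for this session
    if chosen not in groups:
        raise PermissionError(f"not entitled to group {chosen!r}")
    return chosen, False


def plan_user_sync(existing_users, username, group):
    """Return the action the auth module would perform: create the user on
    first access, or move an existing user into the session's group (nebula
    has a single primary group, so multi-VO users are moved each time)."""
    if username not in existing_users:
        return ("create", username, group)
    if existing_users[username] != group:
        return ("chgrp", username, group)
    return ("none", username, group)
```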

