[one-users] Federated authentication with SAML via simpleSAMLphp

Ruben S. Montero rsmontero at opennebula.org
Fri Jan 18 02:00:45 PST 2013


Hi

THANKS again for another wonderful contribution!

For sure this would be quite useful for any OpenNebula user interested in
federation. The patch approach is totally aligned with the OpenNebula
architecture so I think it can be mostly committed upstream as is.

I am planning this for 4.0 (we already have quite a bunch of things, but
let's try). If this patch cannot make it for 4.0 it will be integrated
after that. In any case the AuthZ/AuthN subsystem is now stable and the
patch will easily apply to 4.0.

Again, thanks for this :)

Ruben


On Thu, Jan 17, 2013 at 3:30 PM, Mihály Héder <mihaly.heder at sztaki.mta.hu> wrote:

> Dear All,
>
> let me introduce our OpenNebula Sunstone-SimpleSAMLphp integration
> solution:
> http://ssp-for-opennebula.sztaki.hu/
>
> And here is the corresponding patch in the issue tracker:
> http://dev.opennebula.org/issues/1731
>
> In a nutshell, with this solution we can use our SAML-based
> institutional Single Sign On system for delegating resources in our
> cloud. When a user accesses the Sunstone frontend for the first time,
> their user gets created within nebula. Based on an entitlement, he/she will be
> put in an OpenNebula group that was created with certain quotas for a
> project or department by us, administrators. Users can participate in
> many groups, in which case they have to choose their group for each
> session. Unfortunately nebula does not support multiple group
> membership, so we move these users each time using the auth module.
>
> Now we have this work flow to grant access to our cloud:
> -a bunch of people request resources from the cloud for their fancy
> project. We call this bunch of people a Virtual Organization.
> -we create a nebula group for them with quotas. In our VO software we
> entitle some of these people to be VO managers. Then, they can invite,
> remove others, etc. People from other institutes in the
> national/european SAML federations can also be invited. But all this
> happens outside nebula so we only have to create the group and that's
> it. Moreover they can get e.g. their own trac or wiki that are also
> SAML enabled, and attached for the VO. Then use Single Sign-On
> between them.
>
> Anyway, this patch and the corresponding simpleSAMLphp modules made
> our lives much easier. We hope it will help some of you out there as
> well. Unfortunately, because of the nature of the task many smaller
> changes scattered around the web code needed to be made, e.g. for
> disabling the normal login screen, etc. But these are not core stuff,
> so we hope our patch can one day make it into the main code base.
>
> If you have any questions/suggestions don't hesitate to contact us!
>
> Cheers,
> Mihály Héder, Milán Unicsovics
> MTA SZTAKI ITAK
> _______________________________________________
> Users mailing list
> Users at lists.opennebula.org
> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>



-- 
Ruben S. Montero, PhD
Project co-Lead and Chief Architect
OpenNebula - The Open Source Solution for Data Center Virtualization
www.OpenNebula.org | rsmontero at opennebula.org | @OpenNebula
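The provisioning flow the quoted post describes (first login creates the user, the SAML entitlement selects the OpenNebula group, and a user entitled to several groups picks one per session and is moved into it because an account has a single group), as an added illustration by the editor. This is not the SZTAKI patch and not OpenNebula's own code: the entitlement URNs, the group names and the FakeNebula store are assumptions standing in for a real IdP and for OpenNebula's user/group API. The check worth noting is that only allow-listed entitlements ever map to a group, and a per-session group choice is accepted only if it is one of the groups the user is actually entitled to.

```ruby
# Added example (editor's illustration, not the SZTAKI patch or OpenNebula code).
# Assumptions (hypothetical): the entitlement URNs and group names below, and
# FakeNebula as a stand-in for OpenNebula's user/group XML-RPC calls.

# Explicit allow-list: an IdP-supplied value that is not listed here is ignored
# rather than used as a group name.
ENTITLEMENT_TO_GROUP = {
  'urn:mace:example.org:vo:climate-sim:member' => 'climate-sim',
  'urn:mace:example.org:vo:genomics:member'    => 'genomics'
}.freeze

# Minimal in-memory stand-in for the OpenNebula user store (username => group).
class FakeNebula
  attr_reader :users

  def initialize
    @users = {}
  end

  def user_group(name)
    @users[name]
  end

  def create_user(name, group)
    @users[name] = group
  end

  def chgrp(name, group)
    @users[name] = group
  end
end

# Map the entitlement attribute values from the SAML assertion to the groups
# the user may use, preserving the order in which they were asserted.
def groups_from_entitlements(entitlements, mapping = ENTITLEMENT_TO_GROUP)
  entitlements.map { |e| mapping[e] }.compact.uniq
end

# Decide what to do for a SAML-authenticated user.
# Returns [:denied, nil], [:choose, groups], or [:created|:moved|:unchanged, group].
def provision(nebula, username, entitlements, chosen_group = nil)
  allowed = groups_from_entitlements(entitlements)
  return [:denied, nil] if allowed.empty?

  if allowed.size == 1
    group = allowed.first
  elsif chosen_group && allowed.include?(chosen_group)
    # The session choice must be one of the entitled groups; anything else
    # (including a group the user is not entitled to) sends them back to pick.
    group = chosen_group
  else
    return [:choose, allowed]
  end

  current = nebula.user_group(username)
  if current.nil?
    nebula.create_user(username, group)   # first login: create in the chosen group
    [:created, group]
  elsif current != group
    nebula.chgrp(username, group)         # single group membership: move the user
    [:moved, group]
  else
    [:unchanged, group]
  end
end

if __FILE__ == $PROGRAM_NAME
  n = FakeNebula.new
  both = ['urn:mace:example.org:vo:genomics:member',
          'urn:mace:example.org:vo:climate-sim:member']
  p provision(n, 'alice@example.org', [both.first])
  p provision(n, 'bob@example.org', both)
  p provision(n, 'bob@example.org', both, 'climate-sim')
  p provision(n, 'bob@example.org', both, 'genomics')
end
```

The `FakeNebula` class exists only so the decision logic runs offline; in a real deployment the same three outcomes would translate to the corresponding OpenNebula user-creation and group-change calls made from the auth module, with the group choice taken from the Sunstone session rather than an argument.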