[one-users] Federated authentication with SAML via simpleSAMLphp

Mihály Héder mihaly.heder at sztaki.mta.hu
Mon Jan 21 03:04:13 PST 2013


Hi!

You're welcome! Actually it's great news that our patch will make it
to the upstream!
If you or anyone else sees any room for improvements in the code or in
the documentation don't hesitate to contact us and we will fix it.

Cheers
Mihály

On 18 January 2013 11:00, Ruben S. Montero <rsmontero at opennebula.org> wrote:
> Hi
>
> THANKS again for another wonderful contribution!
>
> For sure this would be quite useful for any OpenNebula user interested in
> federation. The patch approach is totally aligned with the OpenNebula
> architecture so I think it can be mostly committed upstream as is.
>
> I am planning this for 4.0 (we already have quite a bunch of things, but
> let's try). If this patch cannot make it for 4.0 it will be integrated after
> that. In any case the AuthZ/AuthN subsystem is now stable and the patch will
> easily apply to 4.0.
>
> Again, thanks for this :)
>
> Ruben
>
>
> On Thu, Jan 17, 2013 at 3:30 PM, Mihály Héder <mihaly.heder at sztaki.mta.hu>
> wrote:
>>
>> Dear All,
>>
>> let me introduce our OpenNebula Sunstone-SimpleSAMLphp integration
>> solution:
>> http://ssp-for-opennebula.sztaki.hu/
>>
>> And here is the corresponding patch in the issue tracker:
>> http://dev.opennebula.org/issues/1731
>>
>> In a nutshell, with this solution we can use our SAML-based
>> institutional Single Sign On system for delegating resources in our
>> cloud. When a user accesses the Sunstone frontend for the first time, its user
>> gets created within nebula. Based on an entitlement, he/she will be
>> put in an OpenNebula group that was created with certain quotas for a
>> project or department by us, administrators. Users can participate in
>> many groups, in which case they have to choose their group for each
>> session. Unfortunately nebula does not support multiple group
>> membership, so we move these users each time using the auth module.
>>
>> Now we have this work flow to grant access to our cloud:
>> - a bunch of people request resources from the cloud for their fancy
>> project. We call this bunch of people a Virtual Organization.
>> - we create a nebula group for them with quotas. In our VO software we
>> entitle some of these people to be VO managers. Then, they can invite,
>> remove others, etc. People from other institutes in the
>> national/european SAML federations can also be invited. But all this
>> happens outside nebula so we only have to create the group and that's
>> it. Moreover they can get e.g. their own trac or wiki that are also
>> SAML enabled, and attached for the VO.  Then use Single Sign-On
>> between them.
>>
>> Anyway, this patch and the corresponding simpleSAMLphp modules made
>> our lives much easier. We hope it will help some of you out there as
>> well. Unfortunately, because of the nature of the task many smaller
>> changes scattered around the web code needed to be made, e.g. for
>> disabling the normal login screen, etc. But these are not core stuff,
>> so we hope our patch can make it one day into the main code base.
>>
>> If you have any questions/suggestions don't hesitate to contact us!
>>
>> Cheers,
>> Mihály Héder, Milán Unicsovics
>> MTA SZTAKI ITAK
>
>
>
>
> --
> Ruben S. Montero, PhD
> Project co-Lead and Chief Architect
> OpenNebula - The Open Source Solution for Data Center Virtualization
> www.OpenNebula.org | rsmontero at opennebula.org | @OpenNebula
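
Added example (not part of the thread and not code from the SZTAKI patch): a Ruby illustration of the entitlement-to-group step described in the 17 January message, where a user entitled to several groups chooses one per session. `eduPersonEntitlement` is the standard eduPerson attribute name; the URN prefix, group names and function names are assumptions. The requested group is accepted only if the IdP asserted it and the administrators pre-created it.

```ruby
# Assumed entitlement prefix and pre-created groups (constructed values,
# not taken from the patch or from any real federation).
ENTITLEMENT_PREFIX = 'urn:example:cloud:vo:'
KNOWN_GROUPS = %w[physics-vo bio-vo].freeze

class GroupSelectionError < StandardError; end

# Return the pre-created groups that the IdP-asserted entitlements allow.
# Entitlements outside our prefix, or naming a group the administrators
# never created (e.g. a privileged built-in group), are ignored.
def entitled_groups(attributes)
  values = Array(attributes['eduPersonEntitlement'])
  values.filter_map do |value|
    next unless value.is_a?(String) && value.start_with?(ENTITLEMENT_PREFIX)

    group = value.delete_prefix(ENTITLEMENT_PREFIX)
    group if KNOWN_GROUPS.include?(group)
  end.uniq
end

# Decide which group the user is placed in for this session.
# `requested` is the user's choice from the login flow and is untrusted:
# it must be one of the groups derived from the signed assertion.
def session_group(attributes, requested = nil)
  groups = entitled_groups(attributes)
  raise GroupSelectionError, 'no entitlement maps to a group' if groups.empty?
  return groups.first if groups.size == 1 && requested.nil?
  raise GroupSelectionError, 'group choice required' if requested.nil?
  raise GroupSelectionError, 'requested group not entitled' unless groups.include?(requested)

  requested
end
```
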
