OpenNebula

We are moving this integration to 4.2 as we think we won't have time to do it. It's not only adding the code to the repo, we also have to create tests for it, integrate other parts that require authentication appart from Sunstone, etc.

Anyway, we think it will be great to have the drivers ready for 4.0 and that could be installed easily on top of it. We can discuss the best method to do it here or by any other means.

Thank you!

Here is the updated patch for Sunstone + SimpleSAMLphp integration module. It can be applied to OpenNebula 4.1 source code.

Please let us know, if we can help in writing tests or in any other task!

Hi Milán Unicsovics,

Sorry for taking to long to consider this patch. Is this the last version of the SAML integration? I will take a look to the code during these days (next week), so if you have any updated version let me know, so we can consider it.

Thank you

Hello!

I think the OpenNebula SAML integration module matured enough to review it!

As I promised, it has less software dependency, the actual version can work with any SAML authentication system, but we recommend to use it with Shibboleth [1]. The configuration with Shibboleth is easy, you can configure the behaviour of the authentication in sunstone-server.conf, see below. The patch can be applied by just running a short install script, or if you want I can create a patch file for it. This module is for OpenNebula 4.4, but we can easily update it for higher versions of OpenNebula (just a few ERB file have to be modified). We mofified only a limited set of orignial OpenNebula source code (5-10 lines of code).

Some more info:¶

Description
This is a new authentication module for OpenNebula Sunstone. Shib Cloud Auth module is useful, when a SingleSignOn login is needed, where the Service Provider realised with a Shibboleth SP.
In this case, login handled by Shibboleth and so the Sunstone auth module (this one) controls the authorization of the users.
If a new user wants to login, this module creates a new account for the user. The user's primary group and his secondary groups also created from the entitlements that come to Shibboleth in a SAML message.

Configuration
Configuration file is at the end of the main Sunstone configuration file (see sunstone-server.conf).
Some configuration option is self-descriping (like :shib_host, :shib_logoutpage, :one_auth_for_shib). The rest of the options modify the behaviour of this authentication module.
First an Apache HTTP VirtualHost location have to be created, a possible example can be see here:
<Location /one> # shibboleth shield
AllowOverride all
Order allow,deny
Allow from all
AuthType shibboleth
require valid-use
ShibUseHeaders On
ShibRequireSession On
</Location>

When OpenNebula authorizes a user this module uses some Apache HTTP header variable, where the SAML message datas are stored. After a successful authentication from the Apache HTTP header variables this module can read the actual datas of the user.
Example:
:shib_username: HTTP_EPPN
:shib_entitlement: HTTP_ENTITLEMENT
:shib_entitlement_priority:
- admin
- alpha
- bravo

In the example above the name of the user are stored in the HTTP_EPPN header variable, and the entitlements / privileges are stored in the HTTP_ENTITLEMENT header variable. The primary group of the user is calculated from the shib_entitlement_priority list, where the first existing groupname will be his primary group.

If you have any ideas to improve the module or modify it to be able to get merged into OpenNebula mainstream, get in touch with us!

[1] https://shibboleth.net/