[cf-dev] UAA, SAML, and LDAP questions

classic Classic list List threaded Threaded
12 messages Options
Reply | Threaded
Open this post in threaded view
|

[cf-dev] UAA, SAML, and LDAP questions

Mike Youngstrom
We're investigating converting our UAA from a custom fork that integrates with our organization's SSO to the stock UAA using SAML and/or LDAP.  We would like to maintain SSO functionalities for our web tools but after doing some reading SAML for the CLI might not work the way we expect it.

In order to log into the CLI when using SAML does it require the user to go to a web page and get a one time login token?  cf login --sso?  If so, I don't think that will work for our and some CLI deployment automation we do.

Is it possible to configure UAA to use both SAML and LDAP?  The CLI could use LDAP and the web use SAML?

Thanks,
Mike

_______________________________________________
cf-dev mailing list
[hidden email]
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev
Reply | Threaded
Open this post in threaded view
|

Re: [cf-dev] UAA, SAML, and LDAP questions

Filip Hanik
yes, it is entirely possible to run both SAML (as many providers as you need) and LDAP (single provider).

we are keeping an eye on the SAML ECP profile to make it easier to handle password grants as well as the CLI itself. 

Filip


On Wed, May 13, 2015 at 1:34 PM, Mike Youngstrom <[hidden email]> wrote:
We're investigating converting our UAA from a custom fork that integrates with our organization's SSO to the stock UAA using SAML and/or LDAP.  We would like to maintain SSO functionalities for our web tools but after doing some reading SAML for the CLI might not work the way we expect it.

In order to log into the CLI when using SAML does it require the user to go to a web page and get a one time login token?  cf login --sso?  If so, I don't think that will work for our and some CLI deployment automation we do.

Is it possible to configure UAA to use both SAML and LDAP?  The CLI could use LDAP and the web use SAML?

Thanks,
Mike

_______________________________________________
cf-dev mailing list
[hidden email]
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev



_______________________________________________
cf-dev mailing list
[hidden email]
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev
Reply | Threaded
Open this post in threaded view
|

Re: [cf-dev] UAA, SAML, and LDAP questions

Mike Youngstrom
Great!  I'll dig in and give it a try then.  Thanks Filip!

Mike

On Wed, May 13, 2015 at 1:36 PM, Filip Hanik <[hidden email]> wrote:
yes, it is entirely possible to run both SAML (as many providers as you need) and LDAP (single provider).

we are keeping an eye on the SAML ECP profile to make it easier to handle password grants as well as the CLI itself. 

Filip


On Wed, May 13, 2015 at 1:34 PM, Mike Youngstrom <[hidden email]> wrote:
We're investigating converting our UAA from a custom fork that integrates with our organization's SSO to the stock UAA using SAML and/or LDAP.  We would like to maintain SSO functionalities for our web tools but after doing some reading SAML for the CLI might not work the way we expect it.

In order to log into the CLI when using SAML does it require the user to go to a web page and get a one time login token?  cf login --sso?  If so, I don't think that will work for our and some CLI deployment automation we do.

Is it possible to configure UAA to use both SAML and LDAP?  The CLI could use LDAP and the web use SAML?

Thanks,
Mike

_______________________________________________
cf-dev mailing list
[hidden email]
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev




_______________________________________________
cf-dev mailing list
[hidden email]
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev
Reply | Threaded
Open this post in threaded view
|

Re: [cf-dev] UAA, SAML, and LDAP questions

aaron_huber
Administrator
In reply to this post by Filip Hanik
Would the same user logging in via SAML and LDAP result in two different UAA user objects with different sources, so that the user would have two different sets of orgs/spaces/apps?

Aaron
Reply | Threaded
Open this post in threaded view
|

Re: [cf-dev] UAA, SAML, and LDAP questions

Filip Hanik
yes, it would result in two different shadow accounts, differentiated by the value of the user's origin field



On Wed, May 13, 2015 at 2:08 PM, aaron_huber <[hidden email]> wrote:
Would the same user logging in via SAML and LDAP result in two different UAA
user objects with different sources, so that the user would have two
different sets of orgs/spaces/apps?

Aaron



--
View this message in context: http://cf-dev.70369.x6.nabble.com/cf-dev-UAA-SAML-and-LDAP-questions-tp62p65.html
Sent from the CF Dev mailing list archive at Nabble.com.
_______________________________________________
cf-dev mailing list
[hidden email]
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


_______________________________________________
cf-dev mailing list
[hidden email]
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev
Reply | Threaded
Open this post in threaded view
|

Re: [cf-dev] UAA, SAML, and LDAP questions

Mike Youngstrom
Well, that's a bummer.  Is there any way around that?  Our SAML is backed by the same LDAP so they are the same user.  We can provide a unique ID to correlate SAML with LDAP users.

Mike

On Wed, May 13, 2015 at 2:28 PM, Filip Hanik <[hidden email]> wrote:
yes, it would result in two different shadow accounts, differentiated by the value of the user's origin field



On Wed, May 13, 2015 at 2:08 PM, aaron_huber <[hidden email]> wrote:
Would the same user logging in via SAML and LDAP result in two different UAA
user objects with different sources, so that the user would have two
different sets of orgs/spaces/apps?

Aaron



--
View this message in context: http://cf-dev.70369.x6.nabble.com/cf-dev-UAA-SAML-and-LDAP-questions-tp62p65.html
Sent from the CF Dev mailing list archive at Nabble.com.
_______________________________________________
cf-dev mailing list
[hidden email]
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev


_______________________________________________
cf-dev mailing list
[hidden email]
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev



_______________________________________________
cf-dev mailing list
[hidden email]
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev
Reply | Threaded
Open this post in threaded view
|

Re: [cf-dev] UAA, SAML, and LDAP questions

aaron_huber
Administrator

That’s the main concern we have as well – we currently need LDAP for the CLI since SAML doesn’t work in that case, but we’d like SAML for web-based interactions (SSO in a portal, etc.).  But at present it seems like that’s not possible without the user having to deal with effectively two separate accounts.

 

Aaron

 

From: Mike Youngstrom [mailto:[hidden email]]
Sent: Wednesday, May 13, 2015 1:34 PM
To: Filip Hanik
Cc: Huber, Aaron M; CF Developers Mailing List
Subject: Re: [cf-dev] UAA, SAML, and LDAP questions

 

Well, that's a bummer.  Is there any way around that?  Our SAML is backed by the same LDAP so they are the same user.  We can provide a unique ID to correlate SAML with LDAP users.

 

Mike

 

On Wed, May 13, 2015 at 2:28 PM, Filip Hanik <[hidden email]> wrote:

yes, it would result in two different shadow accounts, differentiated by the value of the user's origin field

 

 

 

On Wed, May 13, 2015 at 2:08 PM, aaron_huber <[hidden email]> wrote:

Would the same user logging in via SAML and LDAP result in two different UAA
user objects with different sources, so that the user would have two
different sets of orgs/spaces/apps?

Aaron



--
View this message in context: http://cf-dev.70369.x6.nabble.com/cf-dev-UAA-SAML-and-LDAP-questions-tp62p65.html
Sent from the CF Dev mailing list archive at Nabble.com.

_______________________________________________
cf-dev mailing list
[hidden email]
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

 


_______________________________________________
cf-dev mailing list
[hidden email]
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

 


_______________________________________________
cf-dev mailing list
[hidden email]
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev
Reply | Threaded
Open this post in threaded view
|

Re: [cf-dev] UAA, SAML, and LDAP questions

Sree Tummidi
Hi Aaron,
You could potentially use the access token (similar to a personal access token used for GitHub API ) to achieve the CLI automation. The access token can either be retrieved via an authentication to the CLI itself or via UAAC.
Regular users would still continue to use the -sso option. 


Thanks,
Sree Tummidi
Sr. Product Manager
Identity - Pivotal Cloud Foundry


On Wed, May 13, 2015 at 1:56 PM, Huber, Aaron M <[hidden email]> wrote:

That’s the main concern we have as well – we currently need LDAP for the CLI since SAML doesn’t work in that case, but we’d like SAML for web-based interactions (SSO in a portal, etc.).  But at present it seems like that’s not possible without the user having to deal with effectively two separate accounts.

 

Aaron

 

From: Mike Youngstrom [mailto:[hidden email]]
Sent: Wednesday, May 13, 2015 1:34 PM
To: Filip Hanik
Cc: Huber, Aaron M; CF Developers Mailing List
Subject: Re: [cf-dev] UAA, SAML, and LDAP questions

 

Well, that's a bummer.  Is there any way around that?  Our SAML is backed by the same LDAP so they are the same user.  We can provide a unique ID to correlate SAML with LDAP users.

 

Mike

 

On Wed, May 13, 2015 at 2:28 PM, Filip Hanik <[hidden email]> wrote:

yes, it would result in two different shadow accounts, differentiated by the value of the user's origin field

 

 

 

On Wed, May 13, 2015 at 2:08 PM, aaron_huber <[hidden email]> wrote:

Would the same user logging in via SAML and LDAP result in two different UAA
user objects with different sources, so that the user would have two
different sets of orgs/spaces/apps?

Aaron



--
View this message in context: http://cf-dev.70369.x6.nabble.com/cf-dev-UAA-SAML-and-LDAP-questions-tp62p65.html
Sent from the CF Dev mailing list archive at Nabble.com.

_______________________________________________
cf-dev mailing list
[hidden email]
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

 


_______________________________________________
cf-dev mailing list
[hidden email]
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

 


_______________________________________________
cf-dev mailing list
[hidden email]
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev



_______________________________________________
cf-dev mailing list
[hidden email]
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev
Reply | Threaded
Open this post in threaded view
|

Re: [cf-dev] UAA, SAML, and LDAP questions

Mike Youngstrom
Possibly,  though I think regular user authentication would still be a concern for our users since security forces a rather short TTL for our access tokens.  I'll have to take a look and try a few things.  We may decide to just use LDAP and forget about the SSO integration for now.

Mike

On Wed, May 13, 2015 at 3:03 PM, Sree Tummidi <[hidden email]> wrote:
Hi Aaron,
You could potentially use the access token (similar to a personal access token used for GitHub API ) to achieve the CLI automation. The access token can either be retrieved via an authentication to the CLI itself or via UAAC.
Regular users would still continue to use the -sso option. 


Thanks,
Sree Tummidi
Sr. Product Manager
Identity - Pivotal Cloud Foundry


On Wed, May 13, 2015 at 1:56 PM, Huber, Aaron M <[hidden email]> wrote:

That’s the main concern we have as well – we currently need LDAP for the CLI since SAML doesn’t work in that case, but we’d like SAML for web-based interactions (SSO in a portal, etc.).  But at present it seems like that’s not possible without the user having to deal with effectively two separate accounts.

 

Aaron

 

From: Mike Youngstrom [mailto:[hidden email]]
Sent: Wednesday, May 13, 2015 1:34 PM
To: Filip Hanik
Cc: Huber, Aaron M; CF Developers Mailing List
Subject: Re: [cf-dev] UAA, SAML, and LDAP questions

 

Well, that's a bummer.  Is there any way around that?  Our SAML is backed by the same LDAP so they are the same user.  We can provide a unique ID to correlate SAML with LDAP users.

 

Mike

 

On Wed, May 13, 2015 at 2:28 PM, Filip Hanik <[hidden email]> wrote:

yes, it would result in two different shadow accounts, differentiated by the value of the user's origin field

 

 

 

On Wed, May 13, 2015 at 2:08 PM, aaron_huber <[hidden email]> wrote:

Would the same user logging in via SAML and LDAP result in two different UAA
user objects with different sources, so that the user would have two
different sets of orgs/spaces/apps?

Aaron



--
View this message in context: http://cf-dev.70369.x6.nabble.com/cf-dev-UAA-SAML-and-LDAP-questions-tp62p65.html
Sent from the CF Dev mailing list archive at Nabble.com.

_______________________________________________
cf-dev mailing list
[hidden email]
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

 


_______________________________________________
cf-dev mailing list
[hidden email]
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

 


_______________________________________________
cf-dev mailing list
[hidden email]
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev




_______________________________________________
cf-dev mailing list
[hidden email]
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev
Reply | Threaded
Open this post in threaded view
|

Re: [cf-dev] UAA, SAML, and LDAP questions

Filip Hanik
The problem with SAML is that we never see the username. We only receive the username in form of an email address from the SAML IDP. This would not correspond to the username you would log in to LDAP with. 

The use case you describe would indicate we want two different authentication sources represent the same authentication source. 
I believe the correct solution here is to implement the SAML ECP profile. At that point you'd have an option to go LDAP or SAML rather than trying to mix both.

Filip


On Wed, May 13, 2015 at 3:30 PM, Mike Youngstrom <[hidden email]> wrote:
Possibly,  though I think regular user authentication would still be a concern for our users since security forces a rather short TTL for our access tokens.  I'll have to take a look and try a few things.  We may decide to just use LDAP and forget about the SSO integration for now.

Mike

On Wed, May 13, 2015 at 3:03 PM, Sree Tummidi <[hidden email]> wrote:
Hi Aaron,
You could potentially use the access token (similar to a personal access token used for GitHub API ) to achieve the CLI automation. The access token can either be retrieved via an authentication to the CLI itself or via UAAC.
Regular users would still continue to use the -sso option. 


Thanks,
Sree Tummidi
Sr. Product Manager
Identity - Pivotal Cloud Foundry


On Wed, May 13, 2015 at 1:56 PM, Huber, Aaron M <[hidden email]> wrote:

That’s the main concern we have as well – we currently need LDAP for the CLI since SAML doesn’t work in that case, but we’d like SAML for web-based interactions (SSO in a portal, etc.).  But at present it seems like that’s not possible without the user having to deal with effectively two separate accounts.

 

Aaron

 

From: Mike Youngstrom [mailto:[hidden email]]
Sent: Wednesday, May 13, 2015 1:34 PM
To: Filip Hanik
Cc: Huber, Aaron M; CF Developers Mailing List
Subject: Re: [cf-dev] UAA, SAML, and LDAP questions

 

Well, that's a bummer.  Is there any way around that?  Our SAML is backed by the same LDAP so they are the same user.  We can provide a unique ID to correlate SAML with LDAP users.

 

Mike

 

On Wed, May 13, 2015 at 2:28 PM, Filip Hanik <[hidden email]> wrote:

yes, it would result in two different shadow accounts, differentiated by the value of the user's origin field

 

 

 

On Wed, May 13, 2015 at 2:08 PM, aaron_huber <[hidden email]> wrote:

Would the same user logging in via SAML and LDAP result in two different UAA
user objects with different sources, so that the user would have two
different sets of orgs/spaces/apps?

Aaron



--
View this message in context: http://cf-dev.70369.x6.nabble.com/cf-dev-UAA-SAML-and-LDAP-questions-tp62p65.html
Sent from the CF Dev mailing list archive at Nabble.com.

_______________________________________________
cf-dev mailing list
[hidden email]
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

 


_______________________________________________
cf-dev mailing list
[hidden email]
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

 


_______________________________________________
cf-dev mailing list
[hidden email]
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev





_______________________________________________
cf-dev mailing list
[hidden email]
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev
Reply | Threaded
Open this post in threaded view
|

Re: [cf-dev] UAA, SAML, and LDAP questions

aaron_huber
Administrator

In our case we use email address as the username via LDAP as well (UPN actually, but same thing) so it would be the same.  Is there a timeline for the ECP profile support?

 

Aaron

 

From: Filip Hanik [mailto:[hidden email]]
Sent: Wednesday, May 13, 2015 3:54 PM
To: Mike Youngstrom
Cc: Sree Tummidi; Huber, Aaron M; CF Developers Mailing List
Subject: Re: [cf-dev] UAA, SAML, and LDAP questions

 

The problem with SAML is that we never see the username. We only receive the username in form of an email address from the SAML IDP. This would not correspond to the username you would log in to LDAP with. 

 

The use case you describe would indicate we want two different authentication sources represent the same authentication source. 

I believe the correct solution here is to implement the SAML ECP profile. At that point you'd have an option to go LDAP or SAML rather than trying to mix both.

 

Filip

 

 

On Wed, May 13, 2015 at 3:30 PM, Mike Youngstrom <[hidden email]> wrote:

Possibly,  though I think regular user authentication would still be a concern for our users since security forces a rather short TTL for our access tokens.  I'll have to take a look and try a few things.  We may decide to just use LDAP and forget about the SSO integration for now.

 

Mike

 

On Wed, May 13, 2015 at 3:03 PM, Sree Tummidi <[hidden email]> wrote:

Hi Aaron,

You could potentially use the access token (similar to a personal access token used for GitHub API ) to achieve the CLI automation. The access token can either be retrieved via an authentication to the CLI itself or via UAAC.

Regular users would still continue to use the -sso option. 

 


Thanks,

Sree Tummidi

Sr. Product Manager

Identity - Pivotal Cloud Foundry

 

 

On Wed, May 13, 2015 at 1:56 PM, Huber, Aaron M <[hidden email]> wrote:

That’s the main concern we have as well – we currently need LDAP for the CLI since SAML doesn’t work in that case, but we’d like SAML for web-based interactions (SSO in a portal, etc.).  But at present it seems like that’s not possible without the user having to deal with effectively two separate accounts.

 

Aaron

 

From: Mike Youngstrom [mailto:[hidden email]]
Sent: Wednesday, May 13, 2015 1:34 PM
To: Filip Hanik
Cc: Huber, Aaron M; CF Developers Mailing List
Subject: Re: [cf-dev] UAA, SAML, and LDAP questions

 

Well, that's a bummer.  Is there any way around that?  Our SAML is backed by the same LDAP so they are the same user.  We can provide a unique ID to correlate SAML with LDAP users.

 

Mike

 

On Wed, May 13, 2015 at 2:28 PM, Filip Hanik <[hidden email]> wrote:

yes, it would result in two different shadow accounts, differentiated by the value of the user's origin field

 

 

 

On Wed, May 13, 2015 at 2:08 PM, aaron_huber <[hidden email]> wrote:

Would the same user logging in via SAML and LDAP result in two different UAA
user objects with different sources, so that the user would have two
different sets of orgs/spaces/apps?

Aaron



--
View this message in context: http://cf-dev.70369.x6.nabble.com/cf-dev-UAA-SAML-and-LDAP-questions-tp62p65.html
Sent from the CF Dev mailing list archive at Nabble.com.

_______________________________________________
cf-dev mailing list
[hidden email]
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

 


_______________________________________________
cf-dev mailing list
[hidden email]
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

 


_______________________________________________
cf-dev mailing list
[hidden email]
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

 

 

 


_______________________________________________
cf-dev mailing list
[hidden email]
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev
Reply | Threaded
Open this post in threaded view
|

Re: [cf-dev] UAA, SAML, and LDAP questions

Sree Tummidi
Hi Aaron,
ECP Support is a roadmap item at this time and doesn't have a set timeline. Apart from adding ECP SAML SP support on the UAA side, the SAML IDP needs to implement and support this profile as well. 


Thanks,
Sree Tummidi
Sr. Product Manager
Identity - Pivotal Cloud Foundry


On Wed, May 13, 2015 at 5:03 PM, Huber, Aaron M <[hidden email]> wrote:

In our case we use email address as the username via LDAP as well (UPN actually, but same thing) so it would be the same.  Is there a timeline for the ECP profile support?

 

Aaron

 

From: Filip Hanik [mailto:[hidden email]]
Sent: Wednesday, May 13, 2015 3:54 PM
To: Mike Youngstrom
Cc: Sree Tummidi; Huber, Aaron M; CF Developers Mailing List


Subject: Re: [cf-dev] UAA, SAML, and LDAP questions

 

The problem with SAML is that we never see the username. We only receive the username in form of an email address from the SAML IDP. This would not correspond to the username you would log in to LDAP with. 

 

The use case you describe would indicate we want two different authentication sources represent the same authentication source. 

I believe the correct solution here is to implement the SAML ECP profile. At that point you'd have an option to go LDAP or SAML rather than trying to mix both.

 

Filip

 

 

On Wed, May 13, 2015 at 3:30 PM, Mike Youngstrom <[hidden email]> wrote:

Possibly,  though I think regular user authentication would still be a concern for our users since security forces a rather short TTL for our access tokens.  I'll have to take a look and try a few things.  We may decide to just use LDAP and forget about the SSO integration for now.

 

Mike

 

On Wed, May 13, 2015 at 3:03 PM, Sree Tummidi <[hidden email]> wrote:

Hi Aaron,

You could potentially use the access token (similar to a personal access token used for GitHub API ) to achieve the CLI automation. The access token can either be retrieved via an authentication to the CLI itself or via UAAC.

Regular users would still continue to use the -sso option. 

 


Thanks,

Sree Tummidi

Sr. Product Manager

Identity - Pivotal Cloud Foundry

 

 

On Wed, May 13, 2015 at 1:56 PM, Huber, Aaron M <[hidden email]> wrote:

That’s the main concern we have as well – we currently need LDAP for the CLI since SAML doesn’t work in that case, but we’d like SAML for web-based interactions (SSO in a portal, etc.).  But at present it seems like that’s not possible without the user having to deal with effectively two separate accounts.

 

Aaron

 

From: Mike Youngstrom [mailto:[hidden email]]
Sent: Wednesday, May 13, 2015 1:34 PM
To: Filip Hanik
Cc: Huber, Aaron M; CF Developers Mailing List
Subject: Re: [cf-dev] UAA, SAML, and LDAP questions

 

Well, that's a bummer.  Is there any way around that?  Our SAML is backed by the same LDAP so they are the same user.  We can provide a unique ID to correlate SAML with LDAP users.

 

Mike

 

On Wed, May 13, 2015 at 2:28 PM, Filip Hanik <[hidden email]> wrote:

yes, it would result in two different shadow accounts, differentiated by the value of the user's origin field

 

 

 

On Wed, May 13, 2015 at 2:08 PM, aaron_huber <[hidden email]> wrote:

Would the same user logging in via SAML and LDAP result in two different UAA
user objects with different sources, so that the user would have two
different sets of orgs/spaces/apps?

Aaron



--
View this message in context: http://cf-dev.70369.x6.nabble.com/cf-dev-UAA-SAML-and-LDAP-questions-tp62p65.html
Sent from the CF Dev mailing list archive at Nabble.com.

_______________________________________________
cf-dev mailing list
[hidden email]
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

 


_______________________________________________
cf-dev mailing list
[hidden email]
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

 


_______________________________________________
cf-dev mailing list
[hidden email]
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

 

 

 



_______________________________________________
cf-dev mailing list
[hidden email]
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev