CloudStack provides versatile authentication methods to ensure secure access and identity management. This talk explores key authentication mechanisms within CloudStack, including LDAP, SAML, OAuth2, API keys, etc. LDAP integration enables centralized user authentication, while SAML facilitates single sign-on (SSO) across various services. OAuth2 ensures secure authorization for third-party applications, and API keys offer programmatic access to resources. Additionally, CloudStack supports Two-Factor Authentication for an extra layer of security, enhancing user verification through multiple verification steps. ----------------------------------------- The CloudStack India User Group 2024 took place in Hyderabad on 23rd February. The conference, arranged by a group of volunteers from the Apache CloudStack Community, saw multiple sessions held about the cloud orchestration platform and its latest advancements.

1. CloudStack
Authentication Methods
- Harikrishna
#CSIUG2024 / CloudStack India User Group Meetup / Feb 23rd, 2024 / Hyderabad

2. About me
– Harikrishna Patnala from Hyderabad, India
– Software Development Engineer at ShapeBlue
– Apache CloudStack committer and PMC member
– Born and brought up in CloudStack
– Previously worked at Accelerite and Citrix
#CSIUG2024 / CloudStack India User Group Meetup / Feb 23rd, 2024 / Hyderabad

3. Existing
Authentication
Methods
Ø Local passwords
Ø LDAP
Ø SSO / SAML2
Ø OAUTH2
#CSIUG2024 / CloudStack India User Group Meetup / Feb 23rd, 2024 / Hyderabad

4. Existing
Authentication
Methods
Ø Local passwords (+ 2FA)
Ø LDAP (+ 2FA)
Ø SSO / SAML2 (+ 2FA)
Ø OAUTH2 (+ 2FA)
#CSIUG2024 / CloudStack India User Group Meetup / Feb 23rd, 2024 / Hyderabad

5. LocalAuthentication
– User’s password stored in DB
– Encrypted
– Can be hack-replaced with another user’s password (reset to a known value)
– Comes as default
#CSIUG2024 / CloudStack India User Group Meetup / Feb 23rd, 2024 / Hyderabad

6. LocalAuthentication
#CSIUG2024 / CloudStack India User Group Meetup / Feb 23rd, 2024 / Hyderabad

7. LDAPAuthentication
– Global LDAP config
– Per-domain LDAP config
– 3 different ways of configuration
– Manual import
– Auto import
– Auto sync
#CSIUG2024 / CloudStack India User Group Meetup / Feb 23rd, 2024 / Hyderabad

8. SAML/SSOAuthentication
– Requires enabling of the SAML 2.0 service provider plugin in CloudStack
– Requires that admin enables each user for the SAML SSO login
– SAML authentication plugin finds user accounts whose username match the
username attribute value returned by the SAML authentication response
– Tested with Shibboleth 2.4, SSOCircle, Microsoft ADFS, OneLogin, Feide OpenIDP,
PingIdentity
– Takes some effort to configure
#CSIUG2024 / CloudStack India User Group Meetup / Feb 23rd, 2024 / Hyderabad

9. SAML/SSOAuthentication
#CSIUG2024 / CloudStack India User Group Meetup / Feb 23rd, 2024 / Hyderabad

10. OAuth2Authentication
– Require enabling the OAuth2 plugin in CloudStack
– Currently supports Google and GitHub
– OAuth2 plugin finds user accounts whose email match the email attribute value
returned by the OAuth2 service provider
– Available from CloudStack 4.19.0.0
– Pretty easy to configure
#CSIUG2024 / CloudStack India User Group Meetup / Feb 23rd, 2024 / Hyderabad

11. OAuth2Authentication
#CSIUG2024 / CloudStack India User Group Meetup / Feb 23rd, 2024 / Hyderabad

12. OAuth2 configuration
#CSIUG2024 / CloudStack India User Group Meetup / Feb 23rd, 2024 / Hyderabad
– Disabled by default
– Once enabled, new "OAuth configuration" available under the
"Configuration" menu
– Needs configuration on the provider's side (Google or GitHub)
– Provider generates ID, secret – and this is added to CloudStack, under
“Oauth configuration” menu

13. OAuth2 configuration
#CSIUG2024 / CloudStack India User Group Meetup / Feb 23rd, 2024 / Hyderabad
– Needs a user with matching email created previously inside ACS
– User can still use local authentication
(with password)
– Redirect URL in the form of “http://mycloud.com:8080/?verifyOauth”

14. 2FA
#CSIUG2024 / CloudStack India User Group Meetup / Feb 23rd, 2024 / Hyderabad

15. Why 2FA ?
#CSIUG2024 / CloudStack India User Group Meetup / Feb 23rd, 2024 / Hyderabad
Ø Additional layer of security
Ø Prevents man-in-the-middle attack
Ø
Ø Prevents attacker access if they have your password
Ø Prevents hijacking an account

16. 2FA configuration
– Introduced in ACS 4.18.0.0
– Disabled by default, needs to be enabled
– Optional (i.e. not mandatory), by default
– Can be set to mandatory, optionally
#CSIUG2024 / CloudStack India User Group Meetup / Feb 23rd, 2024 / Hyderabad

17. 2FA configuration
#CSIUG2024 / CloudStack India User Group Meetup / Feb 23rd, 2024 / Hyderabad
– TOTP or static pin
– TOTP: Google/other Authenticator
– Static PIN – not a real 2FA !
– (stored in ACS database)
– Can be disabled/enabled per domain
– “Issuer” (visible inside theTOTP app) can
be configured per domain

18. Q &A
#CSIUG2024 / CloudStack India User Group Meetup / Feb 23rd, 2024 / Hyderabad