계정생성시 SAML SSO 승인 활성화인 경우, keycloak&glue 계정생성

api/src/main/java/com/cloud/user/AccountService.java

@@ -46,7 +46,7 @@ public interface AccountService {
     UserAccount createUserAccount(CreateAccountCmd accountCmd);
 
     UserAccount createUserAccount(String userName, String password, String firstName, String lastName, String email, String timezone, String accountName, Account.Type accountType,
-                                  Long roleId, Long domainId, String networkDomain, Map<String, String> details, String accountUUID, String userUUID, User.Source source);
+                                  Long roleId, Long domainId, String networkDomain, Map<String, String> details, String accountUUID, String userUUID, User.Source source, boolean enable);
 
     /**
      * Locks a user by userId. A locked user cannot access the API, but will still have running VMs/IP addresses

api/src/main/java/org/apache/cloudstack/api/command/admin/account/CreateAccountCmd.java

@@ -99,6 +99,9 @@ public class CreateAccountCmd extends BaseCmd {
     @Parameter(name = ApiConstants.USER_ID, type = CommandType.STRING, description = "User UUID, required for adding account from external provisioning system")
     private String userUUID;
 
+    @Parameter(name = ApiConstants.ENABLE, type = CommandType.BOOLEAN, description = "If true, authorizes user to be able to use SAML for Single Sign. If False, disable user to user SAML SSO.")
+    private Boolean enable;
+
     /////////////////////////////////////////////////////
     /////////////////// Accessors ///////////////////////
     /////////////////////////////////////////////////////
@@ -165,6 +168,10 @@ public String getUserUUID() {
         return userUUID;
     }
 
+    public Boolean getEnable() {
+        return enable;
+    }
+
     /////////////////////////////////////////////////////
     /////////////// API Implementation///////////////////
     /////////////////////////////////////////////////////

framework/config/src/main/java/org/apache/cloudstack/saml/SAML2Config.java

@@ -0,0 +1,30 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.saml;
+
+
+import org.apache.cloudstack.framework.config.ConfigKey;
+
+public class SAML2Config {
+    public static final ConfigKey<String> SAMLIdentityProviderPortalUrl =
+        new ConfigKey<>("Advanced", String.class, "saml2.idp.portal.url",
+            "http://localhost:7070", "SAML2 IDP Portal URL", true);
+
+    public static final ConfigKey<String> SAMLIdentityProviderPassword =
+        new ConfigKey<>("Secure", String.class, "saml2.idp.admin.password",
+            "admin", "SAML2 IDP Admin password", true);
+}

plugins/integrations/kubernetes-service/src/main/java/com/cloud/kubernetes/cluster/KubernetesClusterManagerImpl.java

@@ -1885,7 +1885,7 @@ protected Account createProjectKubernetesAccount(final Project project, final St
             UserAccount userAccount = accountService.createUserAccount(accountName,
                     UUID.randomUUID().toString(), PROJECT_KUBERNETES_ACCOUNT_FIRST_NAME,
                     PROJECT_KUBERNETES_ACCOUNT_LAST_NAME, null, null, accountName, Account.Type.NORMAL, role.getId(),
-                    project.getDomainId(), null, null, null, null, User.Source.NATIVE);
+                    project.getDomainId(), null, null, null, null, User.Source.NATIVE, true);
             projectManager.assignAccountToProject(project, userAccount.getAccountId(), ProjectAccount.Role.Regular,
                     userAccount.getId(), null);
             Account account = accountService.getAccount(userAccount.getAccountId());

plugins/network-elements/juniper-contrail/src/test/java/org/apache/cloudstack/network/contrail/management/MockAccountManager.java

@@ -147,12 +147,12 @@ public UserAccount createUserAccount(CreateAccountCmd cmd) {
                 cmd.getLastName(), cmd.getEmail(), cmd.getTimeZone(), cmd.getAccountName(),
                 cmd.getAccountType(), cmd.getRoleId(), cmd.getDomainId(),
                 cmd.getNetworkDomain(), cmd.getDetails(), cmd.getAccountUUID(),
-                cmd.getUserUUID(), User.Source.UNKNOWN);
+                cmd.getUserUUID(), User.Source.UNKNOWN, cmd.getEnable());
     }
 
     @Override
     public UserAccount createUserAccount(String userName, String password, String firstName, String lastName, String email, String timezone, String accountName, Account.Type accountType, Long roleId,
-                                         Long domainId, String networkDomain, Map<String, String> details, String accountUUID, String userUUID, User.Source source) {
+                                         Long domainId, String networkDomain, Map<String, String> details, String accountUUID, String userUUID, User.Source source, boolean enable) {
         // TODO Auto-generated method stub
         return null;
     }

plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/api/command/LdapCreateAccountCmd.java

@@ -95,7 +95,7 @@ UserAccount createCloudstackUserAccount(final LdapUser user, String accountName,
         Account account = _accountService.getActiveAccountByName(accountName, domainId);
         if (account == null) {
             return _accountService.createUserAccount(username, generatePassword(), user.getFirstname(), user.getLastname(), user.getEmail(), timezone, accountName, getAccountType(), getRoleId(),
-                    domainId, networkDomain, details, accountUUID, userUUID, User.Source.LDAP);
+                    domainId, networkDomain, details, accountUUID, userUUID, User.Source.LDAP, false);
         } else {
             User newUser = _accountService.createUser(username, generatePassword(), user.getFirstname(), user.getLastname(), user.getEmail(), timezone, accountName, domainId,
                     userUUID, User.Source.LDAP);

plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/api/command/LdapImportUsersCmd.java

@@ -108,7 +108,7 @@ private void createCloudstackUserAccount(LdapUser user, String accountName, Doma
         if (account == null) {
             logger.debug("No account exists with name: " + accountName + " creating the account and an user with name: " + user.getUsername() + " in the account");
             _accountService.createUserAccount(user.getUsername(), generatePassword(), user.getFirstname(), user.getLastname(), user.getEmail(), timezone, accountName, getAccountType(), getRoleId(),
-                    domain.getId(), domain.getNetworkDomain(), details, UUID.randomUUID().toString(), UUID.randomUUID().toString(), User.Source.LDAP);
+                    domain.getId(), domain.getNetworkDomain(), details, UUID.randomUUID().toString(), UUID.randomUUID().toString(), User.Source.LDAP, false);
         } else {
 //            check if the user exists. if yes, call update
             UserAccount csuser = _accountService.getActiveUserAccount(user.getUsername(), domain.getId());

plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/api/command/LinkAccountToLdapCmd.java

@@ -89,7 +89,7 @@ public void execute() throws ServerApiException {
                         try {
                             UserAccount userAccount = _accountService
                                     .createUserAccount(admin, "", ldapUser.getFirstname(), ldapUser.getLastname(), ldapUser.getEmail(), null, admin, Account.Type.DOMAIN_ADMIN, RoleType.DomainAdmin.getId(), domainId, null, null, UUID.randomUUID().toString(),
-                                            UUID.randomUUID().toString(), User.Source.LDAP);
+                                            UUID.randomUUID().toString(), User.Source.LDAP, false);
                             response.setAdminId(String.valueOf(userAccount.getAccountId()));
                             logger.info("created an account with name {} in the given domain {} with id {}", admin, _domainService.getDomain(domainId), domainId);
                         } catch (Exception e) {

plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/api/command/LinkDomainToLdapCmd.java

@@ -105,7 +105,7 @@ public void execute() throws ServerApiException {
                     if (account == null) {
                         try {
                             UserAccount userAccount = _accountService.createUserAccount(admin, "", ldapUser.getFirstname(), ldapUser.getLastname(), ldapUser.getEmail(), null,
-                                    admin, Account.Type.DOMAIN_ADMIN, RoleType.DomainAdmin.getId(), domainId, null, null, UUID.randomUUID().toString(), UUID.randomUUID().toString(), User.Source.LDAP);
+                                    admin, Account.Type.DOMAIN_ADMIN, RoleType.DomainAdmin.getId(), domainId, null, null, UUID.randomUUID().toString(), UUID.randomUUID().toString(), User.Source.LDAP, false);
                             response.setAdminId(String.valueOf(userAccount.getAccountId()));
                             logger.info("created an account with name {} in the given domain {} with id {}", admin, _domainService.getDomain(domainId), domainId);
                         } catch (Exception e) {

plugins/user-authenticators/ldap/src/main/java/org/apache/cloudstack/ldap/LdapAuthenticator.java

@@ -310,7 +310,7 @@ private void createCloudStackUserAccount(LdapUser user, long domainId, Account.T
         String username = user.getUsername();
         _accountManager.createUserAccount(username, "", user.getFirstname(), user.getLastname(), user.getEmail(), null, username,
                                           accountType, RoleType.getByAccountType(accountType).getId(), domainId, null, null,
-                                          UUID.randomUUID().toString(), UUID.randomUUID().toString(), User.Source.LDAP);
+                                          UUID.randomUUID().toString(), UUID.randomUUID().toString(), User.Source.LDAP, false);
     }
 
     private void disableUserInCloudStack(UserAccount user) {

plugins/user-authenticators/ldap/src/test/java/org/apache/cloudstack/api/command/LinkAccountToLdapCmdTest.java

@@ -88,7 +88,7 @@ public void execute() throws Exception {
         userAccount.setAccountId(24);
         when(accountService.createUserAccount(eq(username), eq(""), eq("Admin"), eq("Admin"), eq("admin@ccp.citrix.com"), isNull(String.class),
                 eq(username), eq(Account.Type.DOMAIN_ADMIN), eq(RoleType.DomainAdmin.getId()), eq(domainId), isNull(String.class),
-                (java.util.Map<String,String>)isNull(), anyString(), anyString(), eq(User.Source.LDAP))).thenReturn(userAccount);
+                (java.util.Map<String,String>)isNull(), anyString(), anyString(), eq(User.Source.LDAP), false)).thenReturn(userAccount);
 
         linkAccountToLdapCmd.execute();
         LinkAccountToLdapResponse result = (LinkAccountToLdapResponse)linkAccountToLdapCmd.getResponseObject();

plugins/user-authenticators/ldap/src/test/java/org/apache/cloudstack/api/command/LinkDomainToLdapCmdTest.java

@@ -86,7 +86,7 @@ public void execute() throws Exception {
         userAccount.setAccountId(24);
         when(accountService.createUserAccount(eq(username), eq(""), eq("Admin"), eq("Admin"), eq("admin@ccp.citrix.com"), isNull(String.class),
                 eq(username), eq(Account.Type.DOMAIN_ADMIN), eq(RoleType.DomainAdmin.getId()), eq(domainId), isNull(String.class),
-                (java.util.Map<String,String>)isNull(), anyString(), anyString(), eq(User.Source.LDAP))).thenReturn(userAccount);
+                (java.util.Map<String,String>)isNull(), anyString(), anyString(), eq(User.Source.LDAP), false)).thenReturn(userAccount);
 
 
         linkDomainToLdapCmd.execute();

plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAML2AuthManager.java

@@ -70,7 +70,7 @@ public interface SAML2AuthManager extends PluggableAPIAuthenticator, PluggableSe
     ConfigKey<Integer> SAMLTimeout = new ConfigKey<Integer>("Advanced", Integer.class, "saml2.timeout", "1800",
             "SAML2 IDP Metadata refresh interval in seconds, minimum value is set to 300", true);
 
-    ConfigKey<Boolean> SAMLCheckSignature = new ConfigKey<Boolean>("Advanced", Boolean.class, "saml2.check.signature", "true",
+    ConfigKey<Boolean> SAMLCheckSignature = new ConfigKey<Boolean>("Advanced", Boolean.class, "saml2.check.signature", "false",
             "When enabled (default and recommended), SAML2 signature checks are enforced and lack of signature in the SAML SSO response will cause login exception. Disabling this is not advisable but provided for backward compatibility for users who are able to accept the risks.", false);
 
     ConfigKey<Boolean> SAMLForceAuthn = new ConfigKey<Boolean>("Advanced", Boolean.class, "saml2.force.authn", "false",

plugins/user-authenticators/saml2/src/main/java/org/apache/cloudstack/saml/SAML2AuthManagerImpl.java

@@ -541,6 +541,7 @@ public ConfigKey<?>[] getConfigKeys() {
                 SAMLCloudStackRedirectionUrl, SAMLUserAttributeName,
                 SAMLIdentityProviderMetadataURL, SAMLDefaultIdentityProviderId,
                 SAMLSignatureAlgorithm, SAMLAppendDomainSuffix, SAMLTimeout, SAMLCheckSignature,
-                SAMLForceAuthn, SAMLUserSessionKeyPathAttribute, SAMLFailedLoginRedirectUrl, SAMLRequirePasswordLogin};
+                SAMLForceAuthn, SAMLUserSessionKeyPathAttribute, SAMLFailedLoginRedirectUrl, SAMLRequirePasswordLogin,
+                SAML2Config.SAMLIdentityProviderPortalUrl, SAML2Config.SAMLIdentityProviderPassword};
     }
 }