CloudStack Authentication Methods
- Harikrishna
#CSIUG2024 / CloudStack India User Group Meetup / Feb 23rd, 2024 / Hyderabad
About me
– Harikrishna Patnala from Hyderabad, India
– Software Development Engineer at ShapeBlue
– Apache CloudStack committer and PMC member
– Born and brought up in CloudStack
– Previously worked at Accelerite and Citrix
Existing Authentication Methods
– Local passwords
– LDAP
– SSO / SAML2
– OAuth2
Existing Authentication Methods
– Local passwords (+ 2FA)
– LDAP (+ 2FA)
– SSO / SAML2 (+ 2FA)
– OAuth2 (+ 2FA)
Local Authentication
– User’s password stored in DB
– Encrypted
– Can be hack-replaced with another user’s password (reset to a known value)
– Comes as default
LDAP Authentication
– Global LDAP config
– Per-domain LDAP config
– 3 different ways of configuration
  – Manual import
  – Auto import
  – Auto sync
SAML/SSO Authentication
– Requires enabling the SAML 2.0 service provider plugin in CloudStack
– Requires that the admin enables each user for SAML SSO login
– The SAML authentication plugin finds user accounts whose username matches the username attribute value returned in the SAML authentication response
– Tested with Shibboleth 2.4, SSOCircle, Microsoft ADFS, OneLogin, Feide OpenIDP, PingIdentity
– Takes some effort to configure
OAuth2 Authentication
– Requires enabling the OAuth2 plugin in CloudStack
– Currently supports Google and GitHub
– The OAuth2 plugin finds user accounts whose email matches the email attribute value returned by the OAuth2 service provider
– Available from CloudStack 4.19.0.0
– Pretty easy to configure
OAuth2 configuration
– Disabled by default
– Once enabled, a new "OAuth configuration" section is available under the "Configuration" menu
– Needs configuration on the provider's side (Google or GitHub)
– The provider generates an ID and a secret, and these are added to CloudStack under the "OAuth configuration" menu
– Needs a user with a matching email created previously inside ACS
– User can still use local authentication (with password)
– Redirect URL in the form of "http://mycloud.com:8080/?verifyOauth"
2FA
Why 2FA?
– Additional layer of security
– Prevents man-in-the-middle attack
– Prevents attacker access if they have your password
– Prevents hijacking an account
2FA configuration
– Introduced in ACS 4.18.0.0
– Disabled by default, needs to be enabled
– Optional (i.e. not mandatory), by default
– Can be set to mandatory, optionally
– TOTP or static PIN
  – TOTP: Google/other Authenticator
  – Static PIN: not a real 2FA! (stored in ACS database)
– Can be disabled/enabled per domain
– "Issuer" (visible inside the TOTP app) can be configured per domain
Q&A