Cisco Metacloud February 2017 Update (Metacloud version 4.1.6)

This 4.1.6 release of Cisco Metacloud contains an update that enables single sign-on authentication using Okta SAML.

Single Sign-on Integration

Okta SAML (Security Assertion Markup Language) provides authentication and authorization between Metacloud Identity (keystone) and your service provider. With Single Sign-on (SSO) integration, you no longer need to create individual username and password-based accounts using Metacloud Identity. This allows for easier integration across groups of users and different organizations in your environment.

Single sign-on provides key advantages, for example:

  • There is no longer a need to provision user entries in the Metacloud Identity service, since the user entries already exist in your Identity Provider’s (IdP) databases. A common identity store is useful as it can be set up properly once and used in multiple places.
  • With SSO, user credentials are provided and maintained by the IdP to allow access to different services in your environment.
  • Single sign-on is easier and faster for users and requires fewer password resets. The IdP manages user identities and passwords so Metacloud does not have to.
  • User groups can be mapped between the IdP and Keystone, administrators do not have to do any per-user group or role assignments in Metacloud Identity, it is done centrally at the IdP.
  • Administrators no longer spend time administering identities in various service providers.

Setting up Single Sign-on Authentication

To authenticate users, the group names from Metacloud must be mapped to target groups in your IdP. Create a Metacloud project for users requiring single sign-on access using the group names that exist in your IdP; then add Metacloud users and assign their roles (either admin or member).

To set up SSO using SAML, you must add an application to your company’s Okta instance and create your Identity Provider Metadata XML file. The Metacloud Support team requires the IdP metadata file to configure and deploy SAML authentication for your users.

To create the Identity Provider Metadata XML file:

  1. Log in as an administrator to your company’s Okta instance.
  2. Click Admin on the top right of the Okta Dashboard.
  3. Select Applications from the Applications drop-down menu.
  4. Click Add Application.
  5. Click Create New App and select SAML 2.0.
  6. Enter a name for your project and click Next.
  7. Enter your Availability Zone (AZ) url for single sign-on in the URL field. For example:

    https://<my public API URL>:5000/Shibboleth.sso/SAML2/POST

  8. Enter your AZ specific entityID in SP Entity ID, for example:

    https://<my API URL>:5000

  9. Select Unspecified for the Name ID format.
  10. Select Okta Username for the Application Username.
  11. Click Advanced Settings.
  12. Select Encrypted for Assertion Encryption and upload your Metacloud SAML certificate (mc-sp-cert.pem) in Encryption Certificate. The certificate is provided by Metacloud Support.
  13. Enter the following in one line in the Attribute Statements section:

    • name: urn:oid:0.9.2342.19200300.100.1.1
    • URI Reference
    • user.login
  14. Enter the following in one line in the Group Attributes section, to send all groups to Metacloud that the user is a member:
  • name: groups
  • unspecified, regex, .*
  1. Click Next.
  2. Select Okta Customer, and Internal App, and then click Finish. Your Application Details page displays.
  3. Select the Sign On tab and click View Setup Instructions.
  4. Save the XML file located in the Optional section as Identity Provider Metadata and add it to the request you created for the Metacloud Support team.

The Metacloud Support team will then configure and deploy your Metacloud instance for single sign-on authentication.

Note
See the Okta help site Using the App Integration Wizard for more detailed information.

To log in to the Metacloud Dashboard:

  1. Select okta SAML Login from the Authenticate Using drop-down menu.
    Metacloud okta login screen
  2. Click Sign In.

Bug Fixes

  • In LDAP-configured environments group settings are managed outside of Metacloud; you can no longer modify groups in Metacloud if you are using an LDAP configured environment.
  • Image formats now correctly display on the Dashboard for Ceph (AMI, ISO, and Raw) and NFS (AMI, ISO, QCOW2, Raw, VDI, VHD, and VDMK).

Supported API Versions

Service API Version
Compute v2.1
Image v2
CloudFormation v1
Volume v2
Orchestration v1
Identity v3
Networking v2
Block Storage v1

Supported OpenStack Projects and Versions

Project Version
Nova Liberty
Cinder Liberty
Keystone Liberty
Glance Liberty
Heat Liberty
Horizon Liberty
Neutron Liberty

Supported Image Types

Image Storage Location Local Storage NFS-backed Storage Ceph-backed Storage
AMI (AWS) x x x
ISO9660 x x x
QCOW2 (KVM, Xen) x x N/A
RAW x x x
VDI (VirtualBox) x x N/A
VHD (Hyper-V) x x N/A
VDMK (VMWare) x x N/A