|
|
|---|
| 16 |
<para> |
16 |
<para> |
| 17 |
UCS provides <foreignphrase>Single Sign-On</foreignphrase> functionality with a SAML 2.0 compatible identity provider based on <package>simplesamlphp</package>. |
17 |
UCS provides <foreignphrase>Single Sign-On</foreignphrase> functionality with a SAML 2.0 compatible identity provider based on <package>simplesamlphp</package>. |
| 18 |
The identity provider is by default installed on the DC Master and all DC Backup servers. |
18 |
The identity provider is by default installed on the DC Master and all DC Backup servers. |
| 19 |
A DNS Record for all Systems providing <foreignphrase>Single Sign-On</foreignphrase> services is registered for failover, usually <uri>ucs-sso.domainname</uri>. |
19 |
A DNS Record for all systems providing <foreignphrase>Single Sign-On</foreignphrase> services is registered for failover, usually <uri>ucs-sso.domainname</uri>. |
| 20 |
Clients are required to be able to resolve the <foreignphrase>Single Sign-On</foreignphrase> DNS name. |
20 |
Clients are required to be able to resolve the <foreignphrase>Single Sign-On</foreignphrase> DNS name. |
| 21 |
</para> |
21 |
</para> |
| 22 |
|
22 |
|
|
|
|---|
| 26 |
New service providers can be registered by using the <foreignphrase>UDM</foreignphrase> module <option>saml/serviceprovider</option>. |
26 |
New service providers can be registered by using the <foreignphrase>UDM</foreignphrase> module <option>saml/serviceprovider</option>. |
| 27 |
To create a new service provider entry in a <foreignphrase>joinscript</foreignphrase>, see the following example: |
27 |
To create a new service provider entry in a <foreignphrase>joinscript</foreignphrase>, see the following example: |
| 28 |
<screen> |
28 |
<screen> |
| 29 |
eval $(ucr shell) |
29 |
eval "$(ucr shell)" |
| 30 |
udm saml/serviceprovider create "$@" \ |
30 |
udm saml/serviceprovider create "$@" \ |
| 31 |
--ignore_exists \ |
31 |
--ignore_exists \ |
| 32 |
--position "cn=saml-serviceprovider,cn=univention,$ldap_base" \ |
32 |
--position "cn=saml-serviceprovider,cn=univention,$ldap_base" \ |
|
|
|---|
| 49 |
The service provider usually requires at least a public certificate or XML metadata about the identity provider. |
49 |
The service provider usually requires at least a public certificate or XML metadata about the identity provider. |
| 50 |
The certificate can e.g. be downloaded with the following call: |
50 |
The certificate can e.g. be downloaded with the following call: |
| 51 |
<screen> |
51 |
<screen> |
| 52 |
eval $(ucr shell) |
52 |
eval "$(ucr shell)" |
| 53 |
wget --ca-certificate /etc/univention/ssl/ucsCA/CAcert.pem \ |
53 |
wget --ca-certificate /etc/univention/ssl/ucsCA/CAcert.pem \ |
| 54 |
https://"${ucs_server_sso_fqdn:-ucs-sso.$domainname}"/simplesamlphp/saml2/idp/certificate \ |
54 |
https://"${ucs_server_sso_fqdn:-ucs-sso.$domainname}"/simplesamlphp/saml2/idp/certificate \ |
| 55 |
-O /etc/idp.cert |
55 |
-O /etc/idp.cert |
|
|
|---|
| 70 |
<para> |
70 |
<para> |
| 71 |
To provide users with a convenient link to an identity provider initiated login, the following ucr command may be used |
71 |
To provide users with a convenient link to an identity provider initiated login, the following ucr command may be used |
| 72 |
<screen> |
72 |
<screen> |
|
|
73 |
fqdn="ucs-sso.domainname" |
| 74 |
myspi="MyServiceProviderIdentifier" |
| 73 |
ucr set ucs/web/overview/entries/service/SP/description="External Service Login" \ |
75 |
ucr set ucs/web/overview/entries/service/SP/description="External Service Login" \ |
| 74 |
ucs/web/overview/entries/service/SP/label="External Service SSO" \ |
76 |
ucs/web/overview/entries/service/SP/label="External Service SSO" \ |
| 75 |
ucs/web/overview/entries/service/SP/link="https://ucs-sso.domainname/simplesamlphp/saml2/idp/SSOService.php?spentityid=MyServiceProviderIdentifier" \ |
77 |
ucs/web/overview/entries/service/SP/link="https://$fqdn/simplesamlphp/saml2/idp/SSOService.php?spentityid=$myspi" \ |
| 76 |
ucs/web/overview/entries/service/SP/description/de="Externer Dienst Login" \ |
78 |
ucs/web/overview/entries/service/SP/description/de="Externer Dienst Login" \ |
| 77 |
ucs/web/overview/entries/service/SP/label/de="Externer Dienst SSO" \ |
79 |
ucs/web/overview/entries/service/SP/label/de="Externer Dienst SSO" \ |
| 78 |
ucs/web/overview/entries/service/SP/priority=50 |
80 |
ucs/web/overview/entries/service/SP/priority=50 |