Univention Bugzilla – Bug 24422
Single-Sign-On for UMC
Last modified: 2013-11-19 06:42:24 CET
We should check which SSO mechanisms exist and which of them UMC should support. In UCS 2.4 we implemented something of our own: http://wiki.univention.de/index.php?title=Single-Sign-On_in_UDM_und_UMC
*** Bug 24057 has been marked as a duplicate of this bug. ***
*** Bug 25667 has been marked as a duplicate of this bug. ***
We should check the different mechanisms:
1. our own implementation like in 2.4, see the Wiki link above
2. Kerberos
3. Persona/BrowserID
Once we use a SSO implementation, we should show all domain servers in a drop down to jump between these servers.
SSO would be helpful to switch directly between different server systems in the domain → Bug 30744
We should use our own simple implementation: http://wiki.univention.de/index.php?title=Single-Sign-On_in_UDM_und_UMC
The Single Sign On mechanism shall be available globally in UMC via hostname drop down and within the UDM computer module.
1) The sequence of actions for the single sign on process
- The user selects another server in the UMC drop down
- The UMC frontend (on host A) sends a UMCP request (lib/sso/getsession) containing the FQDN of the selected target server (host B)
- The UMC backend (A) connects via HTTPS to the target server (B) and performs a normal authentication via the UMCP "auth" command.
- The target server (B) returns a session cookie to the UMC backend (A).
- The UMC backend then calculates a login token that is simply the sha256 hash of the session cookie.
- The login token is returned to the UMC frontend within the browser.
- The UMC frontend opens a new window and requests the URL: https://$NEWHOST/umcp/sso?login_token=$LOGINTOKEN
- The UMC webserver (B) on the target server (B) also calculates the login token for each auth request and saves the timestamp of the auth attempt.

The given login token is checked by the UMC webserver (B) for validity:
- The login token is a one time token and must not be used more than once, i.e. it will be invalidated after first use.
- The login token is not older than a certain amount of seconds (default: 15 seconds).
- If the token is valid, the UMC webserver (B) updates its internal data structures:
  - the IP address of the browser is saved/updated, to avoid session hijacking from other IP addresses
  - the login token gets invalidated
- The UMC webserver (B) returns the associated session cookie (specified by the login token) to the browser and also sends a redirect to the UMC login page of the target server (B).

Please note: Both systems (source and target) have to be updated to UCS 3.2-0 to be able to use the single sign on feature!

2) univention-lib (3.0.11-1) unstable; urgency=low
A new python module urllib2_ssl.py has been added to univention-lib. The module contains a HTTPSHandler that is able to connect to hosts via HTTPS *AND* to verify the certificates of the HTTPS server. The python 2.x version of urllib2 is unable to check any certificates.

3) univention-management-console-module-lib (3.0.5-1) unstable; urgency=low
The UMC command lib/sso/getsession has been implemented in univention-management-console-module-lib and may be tested via CLI:
umc-command -s master.example.com -U Administrator -P $PASSWORD \
  lib/singlesignon/getsession -o host=slave.example.com

4) univention-management-console-frontend (3.0.67-1) unstable; urgency=low
The single sign on handling may be influenced by the following UCR variables:
- umc/web/sso/enabled=BOOLEAN (default: yes) If disabled, a simple URL redirect is done.
- umc/web/sso/allow/http=BOOLEAN (default: yes) If false, a simple URL redirect is done.
- umc/web/sso/newwindow=BOOLEAN (default: yes) If true, a new browser window will be opened. If false, the redirect is performed in the current browser window.
- umc/web/sso/timeout=INT (default: 15) Number of seconds a created login token remains valid.

tools.js now provides a Javascript function openRemoteSession(hostname) that handles the described behaviour within the UMC frontend.
The UMC webserver now logs tracebacks that previously have been dropped silently.

(In reply to Sönke Schwardt-Krummrich from comment #6)
> The Single Sign On mechanism shall be available globally in UMC via hostname
> drop down and within the UDM computer module.
The UDM computer module part has been split off into Bug #32573.
Additional notes:
- language settings should be taken over to target UMC (→ the URL query string is copied to target UMC)
- error messages should be shown if SSO fails
- SSO is enabled for all users by default (UMCP command lib/*)
- To be checked by QA:
  - target host is available
  - target host is unreachable (host is offline)
  - wrong certificate on target system (e.g. host is member of other UCS domain)
  - UCS version on target host is smaller/equal to UCS 3.1-1 (SSO requires UCS 3.2)
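The token bookkeeping on the target webserver (B) as sketched in the sequence above, written here as an added Python model; it is not UMC's own code, and the class, method and attribute names are assumptions. It implements the three checks the sequence lists (one-time use, the 15 second timeout from umc/web/sso/timeout, browser IP pinning) and consumes the token on the first redemption attempt regardless of outcome, which is the invalidation that is reported as missing later in this bug.

```python
import hashlib
import time

SSO_TIMEOUT = 15  # seconds, mirrors the umc/web/sso/timeout default


def login_token(session_cookie):
    """Login token as described in the bug: sha256 hex digest of the session cookie.
    Host A computes it from the cookie B returned; host B computes it on each auth."""
    return hashlib.sha256(session_cookie.encode("utf-8")).hexdigest()


class SsoTokenStore:
    """Bookkeeping of the target UMC webserver (host B).
    Assumed names for illustration, not UMC's own classes."""

    def __init__(self, timeout=SSO_TIMEOUT, now=time.time):
        self.timeout = timeout
        self.now = now            # injectable clock so the timeout can be tested
        self._pending = {}        # token -> (session cookie, auth timestamp)
        self.session_ips = {}     # session cookie -> pinned browser IP

    def register_auth(self, session_cookie):
        """Called on every UMCP "auth": compute the token, remember when it was issued."""
        token = login_token(session_cookie)
        self._pending[token] = (session_cookie, self.now())
        return token

    def redeem(self, token, client_ip):
        """Handle the /umcp/sso request: return the session cookie to hand to the
        browser, or None. The token is removed on the first attempt whether or not
        it is still valid, so a replayed token never succeeds."""
        entry = self._pending.pop(token, None)   # one-time: gone after first lookup
        if entry is None:
            return None                           # unknown or already used
        session_cookie, issued_at = entry
        if self.now() - issued_at > self.timeout:
            return None                           # older than umc/web/sso/timeout
        self.session_ips[session_cookie] = client_ip  # pin session to browser IP
        return session_cookie

    def purge_expired(self):
        """Drop tokens that were issued but never redeemed within the timeout."""
        deadline = self.now() - self.timeout
        stale = [t for t, (_, ts) in self._pending.items() if ts < deadline]
        for t in stale:
            del self._pending[t]
        return len(stale)
```

The caller of redeem() should redirect to the login page in every case; only the presence of a returned cookie decides whether the browser lands in an authenticated session.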
Created attachment 5435 [details]
sso.sh simple test script

REOPEN: the one time token does not get invalidated after the first successful authentication with it
REOPEN: regular Domain Users can not use the new feature because of a missing default UMC operation set which allows lib/sso/*
REOPEN: if the querystring contains ?username=foobar the SSO process does not work; instead the login dialog is shown
REOPEN: The error messages aren't pretty, they show python exceptions like:
Verbindung zu 'slave.ucs.school' fehlgeschlagen: <urlopen error [Errno 1] _ssl.c:490: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed>
<urlopen error [Errno 111] Verbindungsaufbau abgelehnt>
<urlopen error [Errno 8] _ssl.c:490: EOF occurred in violation of protocol>
<urlopen error [Errno 113] Keine Route zum Zielrechner>
<urlopen error [Errno -2] Der Name oder der Dienst ist nicht bekannt>
Created attachment 5436 [details]
little code cleanup
If one of the hosts is smaller than UCS 3.2 the redirection will end up in a blank page with "{"status": "404 Not Found", "message": "The path '/sso' was not found."}" instead of the normal UMC login page. → The URL should not be changed afterwards then
(In reply to Sönke Schwardt-Krummrich from comment #7)
> - The UMC frontend opens a new window and requests the URL:
> https://$NEWHOST/umcp/sso?login_token=$LOGINTOKEN
→ https://$NEWHOST/umcp/sso?loginToken=$LOGINTOKEN

> 3) univention-management-console-module-lib (3.0.5-1) unstable; urgency=low
>
> The UMC command lib/sso/getsession has been implemented in
> univention-management-console-module-lib and may be tested via CLI:
> umc-command -s master.example.com -U Administrator -P $PASSWORD \
> lib/singlesignon/getsession -o host=slave.example.com
→ umc-command -s master.example.com -U Administrator -P $PASSWORD \
  lib/sso/getsession -o host=slave.example.com

Everything else is OK. Tested with major browsers.
univention-management-console-frontend (3.0.78-1) unstable; urgency=low
univention-management-console-module-lib (3.0.7-1) unstable; urgency=low
univention-lib (3.0.14-1) unstable; urgency=low

(In reply to Florian Best from comment #9)
> REOPEN: the one time token does not get invalidated after the first
> successful authentication with it
→ fixed
→ the redirect to the login page will be performed even if the token was invalid

> REOPEN: regular Domain Users can not use the new feature because of a
> missing default UMC operation set which allows lib/sso/*
→ the join script now creates a new UMC policy "default-umc-users" and attaches it to the group "Domain Users"

> REOPEN: if the querystring contains ?username=foobar the SSO process does
> not work instead the login dialog is shown
→ The arguments "username" and "password" are now removed from the query string too.

> REOPEN: The errormessages aren't pretty, they show python exceptions like:
>
> Verbindung zu 'slave.ucs.school' fehlgeschlagen:
> <urlopen error [Errno 1] _ssl.c:490: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed>
> <urlopen error [Errno 111] Verbindungsaufbau abgelehnt>
> <urlopen error [Errno 8] _ssl.c:490: EOF occurred in violation of protocol>
> <urlopen error [Errno 113] Keine Route zum Zielrechner>
> <urlopen error [Errno -2] Der Name oder der Dienst ist nicht bekannt>
→ Verbindung zu 'slave.ucs.school' fehlgeschlagen: Keine Route zum Zielrechner
The SSL error messages are not that easy to get pretty and are rather seldom, so they are left for now in this state:
Verbindung zu 'slave.ucs.school' fehlgeschlagen: _ssl.c:490: EOF occurred in violation of protocol

> Created attachment 5436 [details]
> little code cleanup
→ The attached patch has been adapted and merged.

> If one of the hosts is smaller than UCS 3.2 the redirection will end
> up in a blank page with "{"status": "404 Not Found", "message": "The
> path '/sso' was not found."}" instead of the normal UMC login page.
> → The URL should not be changed afterwards then
→ this problem has been split off into bug #32646
Everything is fine now.
UCS 3.2 has been released:
http://docs.univention.de/release-notes-3.2-en.html
http://docs.univention.de/release-notes-3.2-de.html
If this error occurs again, please use "Clone This Bug".