Bug 31693 - SAML app
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: SAML
UCS 3.1
Other Linux
: P5 enhancement
: UCS 3.2
Assigned To: Erik Damrose
Stefan Gohmann
: interim-2
Depends on: 32175
Blocks:
Reported: 2013-06-11 07:11 CEST by Stefan Gohmann
Modified: 2016-06-22 10:25 CEST (History)

See Also:
Bug group (optional): Release Goal

Attachments
Login dialog icon. (13.36 KB, image/svg+xml) - 2013-08-26 14:30 CEST, Alexander Kläser
UDM layout for extended settings of the service provider entry. (18.78 KB, image/png) - 2013-08-30 12:35 CEST, Alexander Kläser
stop_udm_cli.patch (2.20 KB, patch) - 2013-10-04 08:42 CEST, Stefan Gohmann

Description Stefan Gohmann univentionstaff 2013-06-11 07:11:18 CEST
We should provide a SAML app (Identity provider) for the App Center. It should be possible to define what users are available for which service provider.
Comment 1 Stefan Gohmann univentionstaff 2013-06-28 10:26:39 CEST
Please start with the following steps:

 - new buildsystem scope saml for ucs 3.2

 - import simplesamlphp from wheezy or jessie in this new scope
   http://packages.debian.org/jessie/simplesamlphp

 - create a meta package univention-saml in dev/branches/ucs-3.2/component/saml

 - add a saml app to the test app center which installs univention-saml

 - create a wiki start page like the xrdp site
   http://wiki.univention.de/index.php?title=Xrdp
Comment 2 Erik Damrose univentionstaff 2013-07-01 14:27:00 CEST
scope saml has been created;
simplesamlphp (1.11.0-1) has been imported from sid. A patch was necessary to set the debhelper version to 8.
Comment 3 Erik Damrose univentionstaff 2013-08-12 14:24:18 CEST
The 'SAML Identity Provider' app is now available in the 3.2 test-appcenter.

Documentation is available at http://wiki.univention.de/index.php?title=SAML_Identity_Provider
Comment 4 Alexander Kläser univentionstaff 2013-08-13 14:24:16 CEST
As discussed:
* adding an additional UMC-UDM flavor will be rendered as separate UMC module
* icons for the UMC-UDM flavor + 16x16 icons for the grid
* access rights to SimpleSAMLphp configuration file (as the machine secret password is used)
* correct update of the password after re-join
Comment 5 Erik Damrose univentionstaff 2013-08-16 14:44:53 CEST
All mentioned issues are resolved. univention-saml is built and available in the 3.2 test appcenter.
Comment 6 Erik Damrose univentionstaff 2013-08-22 17:30:56 CEST
The saml app is now also available in the 3.1 test appcenter. php-openid and php5-gmp had to be copied to the simplesamlphp test appcenter repository.
Comment 7 Alexander Kläser univentionstaff 2013-08-26 12:35:57 CEST
AFAIS, the 16x16 icon for the UMC module is not a login screen, but the wrench (which is used for the UDM icons).
Comment 8 Alexander Kläser univentionstaff 2013-08-26 13:13:51 CEST
Would it make sense to assign a specific priority for this new SAML flavor? Now the SAML module is shown after "Change password".

I could not add a new SAML object via the LDAP directory module, it does not seem to be in the list there.

Name in English with 2nd + 3rd word in lowercase: "SAML identity provider"?

Suggestion for the short App description:
"Identity provider based on the SAML protocol for single sign-on functionality with third party web services and applications."

Suggestion for the long App description:
"This app provides an identity provider for UCS based on the Secure Assertion Markup Language (SAML) protocol and the SimpleSAMLphp software framework. With the help of the identity provider, a single sign-on functionality for third party web services and applications (e.g., cloud services such as Google Apps, Salesforce etc.) can be realized while the authentication is done at the identity provider itself. The user management is done via UCS, where users can be individually activated for particular web services."

Suggestion for the description of the UDM module:
"Management of service provider configurations for the single sign-on functionality of the SAML identity provider."
Comment 9 Alexander Kläser univentionstaff 2013-08-26 13:24:44 CEST
The following UDM properties and descriptions are not clear to me:

URL of the AssertionConsumerService
→ with or without "http://" ? Should the syntax enforce the URL format? Maybe an example URL in the description?

Format of NameID attribute
→ ?

Name of attribute that is used as NameID
→ An example in the description could help, e.g., which attributes are commonly used (uid/email?).

Optional Settings
→ Maybe "extended settings"? Two of the attributes on the first tab are also optional.

Send any ldap attributes to the service provider?
→ Checkbox?

List of ldap attributes to transmit (can be empty)
→ This should probably be a multivalue field.

Description of this service provider
Name of the organization for this service provider
→ I would put these on the first tab (maybe together with the identifier, all in an individual group/TitlePane) similar to other UDM objects.

URL to the service provider's privacy policy
→ ?

Value in the format field for attributes
→ ? Could you add an example in the description?

Single logout URL for this service provider
→ IMHO it would make sense to group this URL with "URL of the AssertionConsumerService"
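Several of the questions above come down to input validation of the service provider entry (should the ACS URL syntax be enforced, which NameID formats are valid, what goes in the attribute list). The following is an added example, not code from univention-saml or SimpleSAMLphp: a validator for such an entry. The dictionary keys, the sample entries and the rule that a listed attribute set only makes sense when attribute sending is enabled are this example's own assumptions, chosen to mirror the UDM property labels discussed here.

```python
"""
Input validation for a SAML service-provider entry with the fields discussed
above (identifier, AssertionConsumerService URL, NameID format, NameID
attribute, attribute list, attribute name format, single logout URL, privacy
policy URL).  Added example; it is not code from univention-saml or
SimpleSAMLphp.  Dictionary keys and the send_attributes rule are assumptions.
"""
from urllib.parse import urlparse

# NameID formats an SP commonly asks for (SAML 2.0 core / SAML 1.1 names).
NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}

# Allowed values for the attribute NameFormat field.
ATTRIBUTE_NAME_FORMATS = {
    "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
    "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
    "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
}


def url_error(value, label, require_https):
    """Return an error string for a malformed URL, or None if acceptable.
    A bare host such as 'sp.example.org/acs' has no scheme and is rejected."""
    parts = urlparse(value or "")
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return f"{label}: must be an absolute http(s) URL, got {value!r}"
    if require_https and parts.scheme != "https":
        return f"{label}: SAML responses are posted here, use https"
    return None


def validate_service_provider(sp):
    """Return a list of error strings; an empty list means the entry is usable."""
    errors = []
    if not sp.get("identifier"):
        errors.append("identifier: required")

    # Assertions are delivered to the ACS endpoint, so plain http is refused.
    err = url_error(sp.get("acs_url"), "acs_url", require_https=True)
    if err:
        errors.append(err)

    if sp.get("nameid_format") not in NAMEID_FORMATS:
        errors.append(f"nameid_format: unknown format {sp.get('nameid_format')!r}")
    if not sp.get("nameid_attribute"):
        errors.append("nameid_attribute: required (commonly uid or mail)")

    # Assumption of this example: a non-empty attribute list only makes sense
    # when sending attributes is enabled at all.
    if sp.get("attributes") and not sp.get("send_attributes", False):
        errors.append("attributes: listed but send_attributes is false")

    fmt = sp.get("attribute_name_format")
    if fmt and fmt not in ATTRIBUTE_NAME_FORMATS:
        errors.append(f"attribute_name_format: unknown format {fmt!r}")

    # Optional URLs: the logout endpoint also receives signed messages.
    if sp.get("slo_url"):
        err = url_error(sp["slo_url"], "slo_url", require_https=True)
        if err:
            errors.append(err)
    if sp.get("privacy_policy_url"):
        err = url_error(sp["privacy_policy_url"], "privacy_policy_url",
                        require_https=False)
        if err:
            errors.append(err)
    return errors


# Constructed sample entries (not real service providers).
GOOD_SP = {
    "identifier": "https://sp.example.org/",
    "acs_url": "https://sp.example.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp",
    "nameid_format": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "nameid_attribute": "uid",
    "send_attributes": True,
    "attributes": ["uid", "mail"],
    "attribute_name_format": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
    "slo_url": "https://sp.example.org/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp",
    "privacy_policy_url": "https://sp.example.org/privacy",
}

BAD_SP = {
    "identifier": "https://sp.example.org/",
    "acs_url": "sp.example.org/acs",          # no scheme
    "nameid_format": "email",                 # not a SAML URN
    "nameid_attribute": "uid",
    "send_attributes": False,
    "attributes": ["uid"],                    # listed but never sent
}

if __name__ == "__main__":
    for name, sp in (("good", GOOD_SP), ("bad", BAD_SP)):
        print(name, validate_service_provider(sp) or "ok")
```

The ACS and single logout endpoints are held to https because signed responses and logout requests are posted to them; the privacy policy link is informational and only needs to be a well-formed absolute URL.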
Comment 10 Alexander Kläser univentionstaff 2013-08-26 14:30:43 CEST
Created attachment 5394 [details]
Login dialog icon.

Would it be possible to use the attached icon? This one is taken from:

svn://anonsvn.kde.org/home/kde/trunk/kdesupport/oxygen-icons/scalable/apps

Thanks :) !
Comment 11 Alexander Kläser univentionstaff 2013-08-26 14:47:27 CEST
I was wondering whether the address http://<hostname>/saml or /sso would be better than /simplesamlphp?
Comment 12 Erik Damrose univentionstaff 2013-08-28 14:29:05 CEST
(In reply to Alexander Kläser from comment #8)
> I could not add a new SAML object via the LDAP directory module, it does not
> seem to be in the list there.

Many object types (like users, computers, ...) can not be created below the univention container (cn=univention,$ldap_base). Should this be changed, or should the SAML container be moved directly below the ldap base?

(In reply to Alexander Kläser from comment #11)
> I was wondering whether the address http://<hostname>/saml or /sso would be
> better than /simplesamlphp?

What if we someday want to provide additional identity providers (maybe for compatibility reasons)? Why hide the name of the framework we use?
Comment 13 Erik Damrose univentionstaff 2013-08-28 15:04:59 CEST
(In reply to Alexander Kläser from comment #8)

> Suggestion for the short App description:
> "Identity provider based on the SAML protocol for single sign-on
> functionality with third party web services and applications."

This would violate the App Center ini file rules, as the short description must not exceed 60 characters. I keep "SimpleSAMLphp single sign-on identity provider" for now. The LongDescription has been shortened slightly respectively.
Comment 14 Erik Damrose univentionstaff 2013-08-29 15:45:40 CEST
- Description texts have been improved
- Icon has been changed
- ldap attributes field has been changed to multivalue input

todo: after the base app has been approved the wiki article has to be expanded:
- the udm module should be explained
- screenshots have to be updated
Comment 15 Alexander Kläser univentionstaff 2013-08-30 12:35:33 CEST
Created attachment 5404 [details]
UDM layout for extended settings of the service provider entry.

(In reply to Erik Damrose from comment #13)
> This would violate the App Center ini file rules, as the short description
> must not exceed 60 characters. I keep "SimpleSAMLphp single sign-on identity
> provider" for now. The LongDescription has been shortened slightly
> respectively.

True, that is too long, the following should be ok (other apps have a description of this size, as well):
"SAML identity provider for single sign-on functionality with third party web services."

(In reply to Alexander Kläser from comment #8)
> ...
> Suggestion for the description of the UDM module:
> "Management of service provider configurations for the single sign-on
> functionality of the SAML identity provider."

The UDM description has not been changed if I see it correctly.

The UDM layout is nice :) ! Two minor things, "Service provider identifier (*)" should IMHO be in the first row (as for other UDM objects) and "List of ldap attributes to transmit" (see screenshot) could go in a separate row (in this way it does not align correctly).
Comment 16 Erik Damrose univentionstaff 2013-08-30 15:53:03 CEST
(In reply to Alexander Kläser from comment #15)
> "SAML identity provider for single sign-on functionality with third party
> web services."

and

> The UDM description has not been changed if I see it correctly.

Description updated

> The UDM layout is nice :) ! Two minor things, "Service provider identifier
> (*)" should IMHO be in the first row (as for other UDM objects) and "List of
> ldap attributes to transmit" (see screenshot) could go in a separate row (in
> this way it does not align correctly).

Layout adapted
univention-saml 1.0.1-7.6.201308301524
Comment 17 Stefan Gohmann univentionstaff 2013-09-10 16:39:36 CEST
I've moved the source package to branches/ucs-3.2/component/saml/univention-saml
Comment 18 Stefan Gohmann univentionstaff 2013-09-19 13:34:14 CEST
* From the ini file:

> Multiple service providers can be configured via udm.

Please use "Univention Management Console (UMC)" instead of udm.

* On a UCS 3.1-1errata168 the command "univention-add-app --latest -a simplesamlphp" results in a:
 univention-saml: Failed to install
 univention-saml-schema: Failed to install
After activating the repo:
 php5-gmp : Depends: php5-common (= 5.3.3-7.178.201307181528) but  5.3.3-7.181.201308291557 is to be installed

The php5-gmp package should be updated.

* I think we should move the SAML settings to a separate tab like all other apps do.

* Can you explain in "Notes of using", which objects must be created. I know it is part of the Wiki documentation but I'm unsure it will be found.

* The Wiki documentation starts with "Basic settings" and UCR variables. I don't think this must be configured by default. I think it is better to start with the steps the admin needs to do.

* The documentation should not use udm, better use UMC. I also think the CLI interface should be described in additional notes, otherwise the admin could think he must use the CLI interface.

* Maybe we could add a test example for https://www.testshib.org/ in the wiki documentation? It could make it easier to test the installation.
Comment 19 Stefan Gohmann univentionstaff 2013-09-19 14:03:47 CEST
As discussed it would be nice if we create some example service providers (google, salesforce, testshib). These examples should be disabled by default and the admin can activate them by setting a checkbox.
Comment 20 Erik Damrose univentionstaff 2013-09-26 16:46:17 CEST
The app itself is now updated and available in the test appcenter. Documentation will follow soon.
Comment 21 Erik Damrose univentionstaff 2013-09-27 13:49:53 CEST
The wiki documentation has been updated as well -> http://wiki.univention.de/index.php?title=SAML_Identity_Provider
Comment 22 Stefan Gohmann univentionstaff 2013-10-01 07:59:17 CEST
(In reply to Erik Damrose from comment #21)
> The wiki documentation has been updated as well ->
> http://wiki.univention.de/index.php?title=SAML_Identity_Provider

* Nice. I think a short info what SAML is would be nice, for example:
---------------------------------------------------------------------------------
Overview
SAML Identity Provider is an app in the UCS App Center which provides the functionality of SAML. SAML is an XML-based open standard data format for exchanging authentication. It enables web-based authentication and authorization scenarios including cross-domain single sign-on (SSO).

The app is based on SimpleSAMLphp which implements SAML 2.0. The app allows the configuration of an identity provider which can be used to authenticate and authorize users who wish to use external service providers. This allows domain users to use external services with their domain credentials as a Single Sign On (SSO) solution. 
---------------------------------------------------------------------------------

* Maybe we could rename the UDM module "SAML identity provider" to "SAML service provider"?

* "Zulassen des Benutzers für folgende Service Provider" ("Permitting the user for the following service providers") → "Benutzers für folgende Service Provider freischalten" ("Enable user for the following service providers")?

* Wiki: Adding service providers: Maybe you could give a short hint, that the app includes already a few example configurations.

* UDM module: "Service provider activation status" is not translated.

* The test on a S4 system still fails, but now I get a different error:
> opensaml::SecurityPolicyException
> TestShib encountered some sort of error while processing your request issued 
> at Tue Oct 1 00:52:40 2013.
> 2013-10-01 00:52:40 DEBUG XMLTooling.CredentialCriteria [644]: keys didn't 
> match
> 2013-10-01 00:52:40 DEBUG XMLTooling.TrustEngine.ExplicitKey [644]: unable to 
> validate signature, no credentials available from peer
> 2013-10-01 00:52:40 DEBUG XMLTooling.TrustEngine.PKIX [644]: validating 
> signature using certificate from within the signature
> 2013-10-01 00:52:40 DEBUG XMLTooling.TrustEngine.PKIX [644]: signature 
> verified with key inside signature, attempting certificate validation...
> 2013-10-01 00:52:40 DEBUG XMLTooling.TrustEngine.PKIX [644]: checking that 
> the certificate name is acceptable
> 2013-10-01 00:52:40 DEBUG XMLTooling.TrustEngine.PKIX [644]: adding to list 
> of trusted names (https://10.201.19.1/simplesamlphp/saml2/idp/metadata.php)
> 2013-10-01 00:52:40 DEBUG XMLTooling.TrustEngine.PKIX [644]: certificate 
> subject: CN=master191.deadlock19.local,O=Unknown,L=Unknown,ST=Unknown,C=US
> 2013-10-01 00:52:40 DEBUG XMLTooling.TrustEngine.PKIX [644]: unable to match 
> DN, trying TLS subjectAltName match
> 2013-10-01 00:52:40 DEBUG XMLTooling.TrustEngine.PKIX [644]: unable to match 
> subjectAltName, trying TLS CN match
> 2013-10-01 00:52:40 ERROR XMLTooling.TrustEngine.PKIX [644]: certificate name 
> was not acceptable
> 2013-10-01 00:52:40 ERROR OpenSAML.SecurityPolicyRule.XMLSigning [644]: 
> unable to verify message signature with supplied trust engine
Maybe it is a problem that I tried it the last days with the same domain?

* The test on a S3 system was successful

* The login site looks really nice. Currently it is only available in German.

* UDM module: The section of the first tab is "Definieren von benötigten und häufig genutzten Einstellungen" ("Defining required and frequently used settings"). Maybe something like this would be more common: "SAML service provider Standardeinstellungen" ("SAML service provider default settings"). You could also change it with the general section of the tab "Grundeinstellungen" ("Basic settings").

* It is really helpful to have a second example here with google. But I think we should not describe it from the command line. Screenshots are more helpful. univention-test.mygbiz.com should be replaced with TESTDOMAIN.mygbiz.com.

* The google link does not work for me:
https://10.201.18.1/simplesamlphp/saml2/idp/SSOService.php?spentityid=google.com/a/univention-dev.mygbiz.com&RelayState=https://www.google.com/a/univention-dev.mygbiz.com/Dashboard

I think it should be:

https://10.201.18.1/simplesamlphp/saml2/idp/SSOService.php?spentityid=google.com&RelayState=https://www.google.com/a/univention-dev.mygbiz.com/Dashboard

* What about the password change URL: 
 "The change password URL must be provided but is not needed for initial testing, so any URL will suffice."
Does simplesamlphp provide a password change site?
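The quoted TestShib log shows a two-stage trust decision: the ExplicitKey engine finds no key for the IdP's entityID that matches the key inside the signature ("no credentials available from peer"), and the PKIX fallback, which verifies with the embedded certificate, then refuses it because neither the subject DN, a subjectAltName nor the CN (master191.deadlock19.local) equals the trusted name, the entityID URL. The following added example, which is not code from Shibboleth, XMLTooling, TestShib or SimpleSAMLphp, models that decision so the two scenarios can be compared: the SP still holding keys from an earlier registration of the same entityID, and the SP having re-imported the IdP's current metadata. Key fingerprints and the certificate are constructed sample data; certificate-path validation is not modelled.

```python
"""
Model of the two-stage signature-trust decision visible in the log quoted
above: ExplicitKey (signing key must be among the keys held for the IdP's
entityID), then PKIX (verify with the key inside the signature and check the
certificate name against the trusted names).  Added example; not code from
Shibboleth, XMLTooling, TestShib or SimpleSAMLphp.  Fingerprints and the
certificate are constructed; certificate-path validation is not modelled.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class SigningCertificate:
    """What the trust engine inspects once the XML signature itself verified."""
    key_fingerprint: str                     # stands in for the public key
    subject_dn: str
    common_name: str
    subject_alt_names: List[str] = field(default_factory=list)


def explicit_key_matches(signing_key: str, metadata_keys: List[str]) -> bool:
    """ExplicitKey: the key used for the signature must be one the SP already
    holds for this IdP in its (possibly stale) copy of the IdP metadata."""
    return signing_key in metadata_keys


def pkix_name_acceptable(cert: SigningCertificate, trusted_names: List[str]) -> bool:
    """PKIX name check in the order the log shows: full subject DN, then
    subjectAltName entries, then the CN, each compared as a string against the
    trusted names.  Nothing derives a hostname from an entityID URL, which is
    why a CN like 'master191.deadlock19.local' cannot satisfy an https://...
    entityID."""
    for name in trusted_names:
        if cert.subject_dn == name:
            return True
        if name in cert.subject_alt_names:
            return True
        if cert.common_name == name:
            return True
    return False


def trust_signature(cert: SigningCertificate, metadata_keys: List[str],
                    idp_entity_id: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a message signed with cert."""
    if explicit_key_matches(cert.key_fingerprint, metadata_keys):
        return True, "ExplicitKey: signing key found in IdP metadata"
    # "no credentials available from peer" -> fall through to PKIX
    if pkix_name_acceptable(cert, [idp_entity_id]):
        return True, "PKIX: certificate name acceptable (path validation not modelled)"
    return False, "PKIX: certificate name was not acceptable"


# Constructed data mirroring the quoted log (fingerprints are placeholders).
IDP_ENTITY_ID = "https://10.201.19.1/simplesamlphp/saml2/idp/metadata.php"
CURRENT_CERT = SigningCertificate(
    key_fingerprint="sha256:new-idp-key",
    subject_dn="CN=master191.deadlock19.local,O=Unknown,L=Unknown,ST=Unknown,C=US",
    common_name="master191.deadlock19.local",
)
# Keys the SP registered for this entityID during an earlier test run.
STALE_METADATA_KEYS = ["sha256:old-idp-key"]
# Keys after the SP re-imported the IdP's current metadata.
FRESH_METADATA_KEYS = ["sha256:new-idp-key"]


def scenario_stale_metadata() -> Tuple[bool, str]:
    """Same entityID re-registered with a new key: the explicit match fails
    and PKIX rejects the hostname-style CN, as in the log."""
    return trust_signature(CURRENT_CERT, STALE_METADATA_KEYS, IDP_ENTITY_ID)


def scenario_fresh_metadata() -> Tuple[bool, str]:
    """After the SP refreshes the IdP metadata, ExplicitKey succeeds."""
    return trust_signature(CURRENT_CERT, FRESH_METADATA_KEYS, IDP_ENTITY_ID)


if __name__ == "__main__":
    print(scenario_stale_metadata())
    print(scenario_fresh_metadata())
```

The practical check this suggests for the failing test: whenever the IdP's signing certificate changes (a re-join, a reinstalled test system under the same domain), the SP side must receive the new metadata, because the PKIX fallback will not rescue a certificate whose names are UCS host names rather than the entityID.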
Comment 23 Erik Damrose univentionstaff 2013-10-02 15:09:00 CEST
> * The test on a S4 system still fails, but now I get a different error:
> > ....
> Maybe it is a problem that I tried it the last days with the same domain?

I think so. I could not reproduce the problem on my end. The testshib log says that a valid SAML message was received, only the certificate could not be associated correctly.

> * What about the password change URL: 
>  "The change password URL must be provided but is not needed for initial
> testing, so any URL will suffice."
> Do simplesamlphp provide a password change site?

simplesamlphp does not provide a password change site, but the google settings require that something is entered in that textfield.

Documentation has been updated, as well as the udm/umc strings and their translation.

Most recent version in the App Center is univention-saml 1.0.5-2
Comment 24 Erik Damrose univentionstaff 2013-10-02 16:17:17 CEST
A small error slipped into the last version, which has been fixed.
univention-saml 1.0.5-3
Comment 25 Stefan Gohmann univentionstaff 2013-10-04 08:42:02 CEST
Created attachment 5494 [details]
stop_udm_cli.patch

Could you apply the attached patch? If the CLI daemon is not stopped it is possible that the new udm module is unknown and the udm calls fail in the join script.

The TestShib test was successful with samba 4.

Everything else looks good.
Comment 26 Stefan Gohmann univentionstaff 2013-10-04 10:09:10 CEST
(In reply to Stefan Gohmann from comment #25)
> Created attachment 5494 [details]
> stop_udm_cli.patch
> 
> Could you apply the attached patch? If the CLI daemon is not stopped it is
> possible that the new udm module is unknown and the udm calls fail in the
> join script.
> 
> The TestShib test was successful with samba 4.
> 
> Everything else looks good.

With 3.1 it works as well. Only the SAML login page should be adapted.

Could you change the password change URL to https://[FQDN or IP address]/umc/
Comment 27 Erik Damrose univentionstaff 2013-10-08 10:01:37 CEST
Patch has been applied, documentation has been updated.

The app is now also available in the 3.1 test appcenter. Tests have been done with 3.1, updating to 3.2 works as well.
Comment 28 Stefan Gohmann univentionstaff 2013-10-09 09:51:13 CEST
Jenkins tests were successful: 
 http://jenkins.knut.univention.de:8080/view/App%20Center/job/UCS%203.1%20App%20Autotest%20MultiEnv/53/

Installation & test master amd64: OK

Installation & test slave amd64: Failed: Bug #32824

Installation & test master i386: OK
Comment 29 Stefan Gohmann univentionstaff 2013-10-09 10:38:25 CEST
(In reply to Stefan Gohmann from comment #28)
> Installation & test slave amd64: Failed: Bug #32824

Installation is now restricted to master & backup → Verified.
Comment 30 Stefan Gohmann univentionstaff 2013-11-19 06:41:51 CET
UCS 3.2 has been released:
 http://docs.univention.de/release-notes-3.2-en.html
 http://docs.univention.de/release-notes-3.2-de.html

If this error occurs again, please use "Clone This Bug".