Univention Bugzilla – Bug 33912
UCR variable for identity provider id
Last modified: 2015-11-17 12:12:46 CET
The IDP entity ID should be configurable by UCR. The default is to create the eID dynamically, which results in the eID https://[ip-address]/simplesamlphp/saml2/idp/metadata.php. If two identity providers have the same IP address (e.g. two separate private networks), they will have the same eID. This can lead to problems when both IDPs try to register at the same service provider. A default eID value could contain the IDP's FQDN.
This could also lead to collisions. Especially because UCS often runs behind firewalls and administrators are free to select arbitrary host and DNS domain names. Would it be possible to create a unique URL somewhere below https://[ip-address]/simplesamlphp/?
Internally it is just an ID string which is used to identify the provider at the service provider. The documentation says it _should_ have the form of an FQDN. You can put arbitrary strings in the eID field. The default is convenient, because you can directly access the URL and see the identity provider's metadata. simplesamlphp can convert the XML metadata to a valid config file which you can copy&paste.
I needed this as well for the UCS 4.1 SAML integration to allow IP-address based redirection. Otherwise the dynamic configuration would not match the configured IDPs in the UMC-SP, as there is only the FQDN stored. (To reset it to previous behavior: ucr set saml/idp/entityID=__DYNAMIC:1__ which will break UMC-SSO via IP-address ofc.)
OK: Default entity ID based on FQDN, registered in /etc/simplesamlphp/metadata/saml20-idp-hosted.php
OK: Changelog
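The collision and the SP mismatch discussed in this bug can be made concrete with a small model of how an entity ID gets chosen. The following is an added example written for this page, not Univention's or simplesamlphp's code: it models the UCR variable saml/idp/entityID and its __DYNAMIC:1__ sentinel as they appear in the comments above, assumes the FQDN-based default has the same path as the old IP-based one (the exact pattern is not given on the page), and uses constructed hostnames and a constructed SP metadata store. It also lints an entity ID against the "should look like an FQDN" recommendation by flagging IP literals.

```python
"""Constructed model of SAML IdP entity ID selection and the checks a
service-provider operator can run against it. Not Univention's code."""
import ipaddress
from urllib.parse import urlparse

# Sentinel value named in the bug report for saml/idp/entityID.
DYNAMIC_SENTINEL = "__DYNAMIC:1__"
# Assumed metadata path for both the dynamic and the FQDN-based default.
METADATA_PATH = "/simplesamlphp/saml2/idp/metadata.php"


def resolve_entity_id(ucr, request_host, fqdn):
    """Return the entity ID an IdP would announce.

    ucr          -- dict of UCR variables; only 'saml/idp/entityID' is read
    request_host -- host part of the URL the IdP was reached on (IP or name);
                    only used in dynamic (legacy) mode
    fqdn         -- the IdP's configured FQDN, used for the default (assumed form)
    """
    value = ucr.get("saml/idp/entityID")
    if value is None:
        # Assumed FQDN-based default, stable regardless of how the IdP was reached.
        return f"https://{fqdn}{METADATA_PATH}"
    if value == DYNAMIC_SENTINEL:
        # Legacy behaviour: the eID is built from whatever host the request hit.
        return f"https://{request_host}{METADATA_PATH}"
    # Any other string is taken literally (the bug notes arbitrary strings are allowed).
    return value


def find_collisions(idps):
    """Map each entity ID announced by more than one IdP to the IdP labels.

    idps -- iterable of (label, entity_id) pairs as seen by one SP
    """
    seen = {}
    for label, eid in idps:
        seen.setdefault(eid, []).append(label)
    return {eid: labels for eid, labels in seen.items() if len(labels) > 1}


def entity_id_warnings(eid):
    """Lint an entity ID: it should identify one deployment, FQDN-style."""
    warnings = []
    host = urlparse(eid).hostname if "://" in eid else eid
    if host is None:
        warnings.append("no host component")
        return warnings
    try:
        ipaddress.ip_address(host)
        warnings.append("host is an IP literal; private ranges are reused across networks")
    except ValueError:
        pass
    if "." not in host:
        warnings.append("host is not fully qualified")
    return warnings


def sp_accepts(sp_registered, announced):
    """True if the SP holds metadata for the entity ID the IdP announces."""
    return announced in sp_registered


def demo():
    """Two IdPs on separate private networks sharing 10.0.0.10 (constructed)."""
    sites = [("site-A", "idp.example.com"), ("site-B", "idp.example.org")]
    dynamic = {"saml/idp/entityID": DYNAMIC_SENTINEL}
    legacy = [(label, resolve_entity_id(dynamic, "10.0.0.10", fqdn)) for label, fqdn in sites]
    fixed = [(label, resolve_entity_id({}, "10.0.0.10", fqdn)) for label, fqdn in sites]
    # The SP (e.g. a UMC-SP) stores only the FQDN-based entity IDs.
    sp_store = {eid for _, eid in fixed}
    return {
        "legacy_collisions": find_collisions(legacy),
        "fixed_collisions": find_collisions(fixed),
        "legacy_accepted_via_ip": sp_accepts(sp_store, legacy[0][1]),
        "fixed_accepted_via_ip": sp_accepts(sp_store, fixed[0][1]),
        "legacy_warnings": entity_id_warnings(legacy[0][1]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows both sides of the bug: in dynamic mode the two sites announce the identical IP-based entity ID (a collision at any SP both register with) and that ID is absent from an SP that stores FQDN-based IDs, whereas the FQDN default is unique per site and matches what the SP holds even when the IdP is reached by IP.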
UCS 4.1 has been released: https://docs.software-univention.de/release-notes-4.1-0-en.html https://docs.software-univention.de/release-notes-4.1-0-de.html If this error occurs again, please use "Clone This Bug".