Bug 33912 - UCR variable for identity provider id
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: SAML
UCS 3.2
Other Linux
: P5 normal
: UCS 4.1
Assigned To: Florian Best
Erik Damrose
: interim-1
Reported: 2014-01-13 11:04 CET by Erik Damrose
Modified: 2015-11-17 12:12 CET (History)

Description Erik Damrose univentionstaff 2014-01-13 11:04:14 CET
The IDP entity ID should be configurable by UCR. The default is to create the eID dynamically, which results in the eID https://[ip-address]/simplesamlphp/saml2/idp/metadata.php

If two identity providers have the same ip-address (e.g. two separate private networks), they will have the same eID. This can lead to problems when both IDPs try to register at the same service provider.

A default eID value could contain the IDP's FQDN.
Comment 1 Jan Christoph Ebersbach univentionstaff 2014-01-13 14:03:12 CET
This could also lead to collisions. Especially because UCS often runs behind firewalls and administrators are free to select arbitrary host and DNS domain names.

Would it be possible to create a unique URL somewhere below https://[ip-address]/simplesamlphp/?
Comment 2 Erik Damrose univentionstaff 2014-01-13 14:20:12 CET
Internally it is just an ID string which is used to identify the provider at the service provider. The documentation says it _should_ have the form of an FQDN. You can put arbitrary strings in the eID field.

The default is convenient, because you can directly access the URL and see the identity provider's metadata. simplesamlphp can convert the XML metadata to a valid config file which you can copy&paste.
Comment 3 Florian Best univentionstaff 2015-08-28 14:45:19 CEST
I needed this as well for the UCS 4.1 SAML integration to allow IP-address based redirection. Otherwise the dynamic configuration would not match the configured IDPs in the UMC-SP as there is only the FQDN stored.

(To reset it to previous behavior: ucr set saml/idp/entityID=__DYNAMIC:1__ which will break UMC-SSO via IP-address ofc.)
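The following Python is an added illustration of the collision described in the report and of the `__DYNAMIC:1__` reset mentioned in comment 3; it is not code from UCS or simplesamlphp. It models the three ways the entity ID can be derived (FQDN default, IP-derived dynamic value, explicit string) and checks whether several IdPs registering at one service provider would announce the same ID. The exact URL form of the FQDN-based default, the dict layout and the sample host names and addresses are assumptions constructed for the example.

```python
"""Model how a SAML IdP entity ID is derived from the saml/idp/entityID
setting and detect IdPs that would collide at a shared service provider.
Example code, not part of UCS or simplesamlphp."""
from collections import defaultdict

# Value from comment 3 that switches back to the old IP-derived behaviour.
DYNAMIC_MARKER = "__DYNAMIC:1__"
# Path of the simplesamlphp IdP metadata endpoint named in the report.
METADATA_PATH = "/simplesamlphp/saml2/idp/metadata.php"


def effective_entity_id(fqdn, ip_address, ucr_entity_id=None):
    """Return the entity ID an IdP would announce to a service provider.

    ucr_entity_id models the UCR variable saml/idp/entityID:
      - None:           default after the fix, derived from the host's FQDN
                        (the exact URL form used here is an assumption)
      - DYNAMIC_MARKER: pre-fix behaviour, derived from the host part of the
                        request, i.e. the IP address the metadata is fetched on
      - anything else:  used verbatim; it is an opaque string to the SP
    """
    if ucr_entity_id is None:
        return f"https://{fqdn}{METADATA_PATH}"
    if ucr_entity_id == DYNAMIC_MARKER:
        return f"https://{ip_address}{METADATA_PATH}"
    return ucr_entity_id


def find_collisions(idps):
    """Group IdPs by effective entity ID and return only the groups that
    contain more than one host (those would clash at a shared SP).

    idps: iterable of dicts with keys 'fqdn', 'ip' and optional 'ucr_entity_id'.
    """
    by_id = defaultdict(list)
    for idp in idps:
        eid = effective_entity_id(idp["fqdn"], idp["ip"], idp.get("ucr_entity_id"))
        by_id[eid].append(idp["fqdn"])
    return {eid: hosts for eid, hosts in by_id.items() if len(hosts) > 1}


# Constructed sample 1 (the report's scenario): two UCS domains in separate
# private networks, both using the same RFC 1918 address for their IdP.
SAMPLE_DYNAMIC = [
    {"fqdn": "ucs-master.example.org", "ip": "192.168.0.10", "ucr_entity_id": DYNAMIC_MARKER},
    {"fqdn": "ucs-master.example.net", "ip": "192.168.0.10", "ucr_entity_id": DYNAMIC_MARKER},
]
# Same hosts with the UCR variable unset, i.e. the FQDN-based default.
SAMPLE_DEFAULT = [
    {"fqdn": "ucs-master.example.org", "ip": "192.168.0.10"},
    {"fqdn": "ucs-master.example.net", "ip": "192.168.0.10"},
]
# Constructed sample 2 (comment 1's point): administrators behind firewalls
# picked the same arbitrary FQDN, so even the FQDN default collides until
# one side sets an explicit, distinct entity ID.
SAMPLE_SAME_FQDN = [
    {"fqdn": "ucs-master.intranet", "ip": "10.0.0.5"},
    {"fqdn": "ucs-master.intranet", "ip": "172.16.0.5"},
]
SAMPLE_SAME_FQDN_FIXED = [
    {"fqdn": "ucs-master.intranet", "ip": "10.0.0.5", "ucr_entity_id": "urn:example:idp:site-a"},
    {"fqdn": "ucs-master.intranet", "ip": "172.16.0.5", "ucr_entity_id": "urn:example:idp:site-b"},
]


def report(label, idps):
    """Print the collision check for one sample and return the collisions."""
    collisions = find_collisions(idps)
    print(f"{label}: {'no collisions' if not collisions else collisions}")
    return collisions


if __name__ == "__main__":
    report("dynamic (IP-derived) IDs", SAMPLE_DYNAMIC)
    report("FQDN default", SAMPLE_DEFAULT)
    report("same FQDN in two networks", SAMPLE_SAME_FQDN)
    report("same FQDN, explicit IDs", SAMPLE_SAME_FQDN_FIXED)
```

The check is worth running before pointing several IdPs at one SP: with `__DYNAMIC:1__` the two sample hosts both announce `https://192.168.0.10/simplesamlphp/saml2/idp/metadata.php`, the FQDN default separates them, and the duplicate-FQDN case from comment 1 shows why an explicit, site-unique value is the safer choice when host names are not guaranteed unique.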
Comment 4 Erik Damrose univentionstaff 2015-09-28 15:01:15 CEST
OK: Default entity ID based on FQDN, registered in /etc/simplesamlphp/metadata/saml20-idp-hosted.php
OK: Changelog
Comment 5 Stefan Gohmann univentionstaff 2015-11-17 12:12:46 CET
UCS 4.1 has been released:
 https://docs.software-univention.de/release-notes-4.1-0-en.html
 https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".