Bug 38935 - simplesamlphp: ACL evaluation broken
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: SAML
UCS 4.0
Other Linux
Importance: P5 normal
Target Milestone: UCS 4.1
Assigned To: Florian Best
Erik Damrose
: interim-1
Depends on:
Blocks:
Reported: 2015-07-16 13:43 CEST by Florian Best
Modified: 2015-11-17 12:11 CET (History)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Usability
Max CVSS v3 score:
best: Patch_Available+


Attachments
patch (897 bytes, patch)
2015-07-20 13:19 CEST, Florian Best

Description Florian Best univentionstaff 2015-07-16 13:43:09 CEST
I created a service provider and granted access to some users.
Authentication works but I get an 'Access denied' error message after the login.

My current workaround is to disable the ACLs completely in the generated config:
#       'authproc' => array(
#               60 => array(
#               'class' => 'authorize:Authorize',
#               'regex' => FALSE,
#               'enabledServiceProviderIdentifier' =>  array('SAMLServiceProviderIdentifier=https://master10.dev.local/sp/,cn=saml-serviceprovider,cn=univention,dc=dev,dc=local'),
#       )),

The syslog doesn't really tell anything, even with loglevel == DEBUG.

Jul 16 13:26:27 master10 simplesamlphp[30986]: 7 [1c65461b16] Session: doLogin("univention-ldap")
Jul 16 13:26:27 master10 simplesamlphp[30986]: 7 [1c65461b16] Session: Valid session found with 'univention-ldap'.
Jul 16 13:26:27 master10 simplesamlphp[30986]: 7 [1c65461b16] Session: Valid session found with 'univention-ldap'.
Jul 16 13:26:27 master10 simplesamlphp[30986]: 7 [1c65461b16] Filter config for https://master10.dev.local/simplesamlphp/saml2/idp/metadata.php->https://master10.dev.local/sp/: array (  0 =>   sspmod_core_Auth_Process_LanguageAdaptor::__set_state(array(     'langattr' => 'preferredLanguage',     'priority' => 30,  )),  1 =>   sspmod_core_Auth_Process_StatisticsWithAttribute::__set_state(array(     'attribute' => 'realm',     'typeTag' => 'saml20-idp-SSO',     'priority' => 45,  )),  2 =>   sspmod_core_Auth_Process_AttributeLimit::__set_state(array(     'allowedAttributes' =>     array (    ),     'isDefault' => false,     'priority' => 50,  )),  3 =>   sspmod_authorize_Auth_Process_Authorize::__set_state(array(     'deny' => false,     'regex' => false,     'valid_attribute_values' =>     array (      'enabledServiceProviderIdentifier' =>       array (        0 => 'SAMLServiceProviderIdentifier=https://master10.dev.local/sp/,cn=saml-serviceprovider,cn=univention,dc=dev,dc=local',      ),    ),     'priority' => 60,  )),  4 =>   sspmod_core_Auth_Process_LanguageAdaptor::__set_state(array(     'langattr' => 'preferredLanguage',     'priority' => 99,  )),)
Jul 16 13:26:27 master10 simplesamlphp[30986]: 5 STAT [1c65461b16] saml20-idp-SSO-first https://master10.dev.local/sp/ https://master10.dev.local/simplesamlphp/saml2/idp/metadata.php NA
Jul 16 13:26:27 master10 simplesamlphp[30986]: 5 STAT [1c65461b16] saml20-idp-SSO https://master10.dev.local/sp/ https://master10.dev.local/simplesamlphp/saml2/idp/metadata.php NA
Jul 16 13:26:27 master10 simplesamlphp[30986]: 7 [1c65461b16] Saved state: '_1186d61bf5613b08ef85f2ec74de656ea9ef2d046e:https://master10.dev.local/simplesamlphp/saml2/idp/SSOService.php?spentityid=https%3A%2F%2Fmaster10.dev.local%2Fsp%2F&cookieTime=1437045960&RelayState=wlDrcIPxg4ZVKGdr'
Jul 16 13:26:27 master10 simplesamlphp[30986]: 7 [1c65461b16] Loading state: '_1186d61bf5613b08ef85f2ec74de656ea9ef2d046e:https://master10.dev.local/simplesamlphp/saml2/idp/SSOService.php?spentityid=https%3A%2F%2Fmaster10.dev.local%2Fsp%2F&cookieTime=1437045960&RelayState=wlDrcIPxg4ZVKGdr'
Jul 16 13:26:27 master10 simplesamlphp[30986]: 7 [1c65461b16] Template: Reading [/usr/share/simplesamlphp/modules/univentiontheme/dictionaries/univention]
Jul 16 13:26:27 master10 simplesamlphp[30986]: 7 [1c65461b16] Template: Reading [/usr/share/simplesamlphp/modules/authorize/dictionaries/Authorize]
Jul 16 13:26:27 master10 simplesamlphp[30986]: 7 [1c65461b16] Template: Reading [/usr/share/simplesamlphp/dictionaries/status]
Comment 1 Florian Best univentionstaff 2015-07-20 13:05:55 CEST
The problem here is that "enabledServiceProviderIdentifier" was not specified in the "List of ldap attributes to transmit".

The attribute should be added automatically by the listener module.
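The root cause described in this comment is easy to misread from the log alone: the Authorize filter (priority 60 in the filter chain above) is configured correctly, but the attribute it checks never reaches it because the "List of ldap attributes to transmit" whitelist dropped it. The following Python snippet is an added illustration, not simplesamlphp's or univention-saml's own code: it models the whitelist step and a simplified version of the authorize:Authorize decision (exact match or regex per valid value, `deny` inversion, missing attribute never matches) using the SP DN quoted in this bug as sample data. The user entry, the function names and the transmit lists are constructed for the example.

```python
"""Simplified model of the attribute-whitelist + authorize:Authorize
decision described in this bug. Added illustration only; this is NOT
simplesamlphp's implementation and omits many of the real module's options."""
import re

# SP DN from the generated IdP config quoted in the bug description.
SP_DN = ("SAMLServiceProviderIdentifier=https://master10.dev.local/sp/,"
         "cn=saml-serviceprovider,cn=univention,dc=dev,dc=local")

# Mirrors the authproc entry at priority 60 in the bug's config dump.
AUTHORIZE_CONFIG = {
    "regex": False,
    "deny": False,
    "valid_attribute_values": {"enabledServiceProviderIdentifier": [SP_DN]},
}

# Constructed LDAP entry for a user who was granted access to the SP.
USER_ENTRY = {
    "uid": ["alice"],
    "mail": ["alice@dev.local"],
    "enabledServiceProviderIdentifier": [SP_DN],
}


def release_attributes(ldap_entry, transmit_list):
    """Model of the 'List of ldap attributes to transmit': only whitelisted
    attributes are passed on to the authproc chain."""
    return {name: values for name, values in ldap_entry.items()
            if name in transmit_list}


def authorize(attributes, config):
    """Return True when at least one released attribute value matches one of
    the configured valid values. An attribute that was never released cannot
    match, which is exactly the 'Access denied' seen in this bug."""
    authorized = False
    for name, valid_values in config["valid_attribute_values"].items():
        for actual in attributes.get(name, []):
            for valid in valid_values:
                if config["regex"]:
                    matched = re.search(valid, actual) is not None
                else:
                    matched = actual == valid
                if matched:
                    authorized = True
    if config["deny"]:
        # 'deny' => true inverts the meaning of valid_attribute_values.
        authorized = not authorized
    return authorized


def decide(transmit_list, ldap_entry=USER_ENTRY):
    """Whitelist the entry, then run the Authorize decision on the result."""
    released = release_attributes(ldap_entry, transmit_list)
    return authorize(released, AUTHORIZE_CONFIG)


if __name__ == "__main__":
    # Whitelist without the ACL attribute: login succeeds, Authorize denies.
    print("without attribute:", decide(["uid", "mail"]))
    # Whitelist including it (what the listener module should add by default).
    print("with attribute   :",
          decide(["uid", "mail", "enabledServiceProviderIdentifier"]))
```

Running the block prints `False` for the broken whitelist and `True` once `enabledServiceProviderIdentifier` is transmitted; a user whose entry does not carry the SP's DN is still denied even with the attribute whitelisted, which is the intended ACL behaviour.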
Comment 2 Florian Best univentionstaff 2015-07-20 13:19:10 CEST
Created attachment 7034 [details]
patch
Comment 3 Florian Best univentionstaff 2015-07-23 12:26:29 CEST
I moved the package univention-saml from components into services/.

Package: univention-saml
Version: 3.0.0-1.30.201507231223
Branch: ucs_4.1-0
Comment 4 Erik Damrose univentionstaff 2015-09-28 16:58:26 CEST
OK: Added default enabledServiceProviderIdentifier
OK: Changelog
Comment 5 Stefan Gohmann univentionstaff 2015-11-17 12:11:56 CET
UCS 4.1 has been released:
 https://docs.software-univention.de/release-notes-4.1-0-en.html
 https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".