Univention Bugzilla – Bug 39227
Replace UMC-SSO by SAML-SSO
Last modified: 2015-11-17 12:12:32 CET
The dropdown list in UMC for SSO to other hosts should use the new SAML SSO.
The host dropdown now uses SAML SSO (no backwards compatibility, UCS 4.0 systems run into HTTP 404).
All UMC-SSO functionality has been removed (svn r63508) (also no backwards compatibility).
univention-management-console-module-lib (5.0.0-1):
r63508 | Bug #39227: remove UMC SSO feature
r63507 | Bug #39227: update copyright
univention-management-console-frontend (5.0.21-1):
r63508 | Bug #39227: remove UMC SSO feature
r63506 | Bug #39227: let the host dropdown use SAML SSO
Removing the builtin SSO broke umc.tools.renewSession().
(In reply to Florian Best from comment #2)
> Removing the builtin SSO broke umc.tools.renewSession().
Implemented UMCP GET newsession. It simply puts the current module processes into the background. They shut themselves down after the session timeout. So the behavior is like the previous SSO with the difference that it happens in the UMC-server and not in the UMC-Webserver.
Reopen: When clicking on a link to other hosts the redirect is to
<hostname>/univention-management-console/saml/
That link is not available on my Backup.
What about users that did not log in via SSO? If that could be detected easily, the redirect should be to the non-sso UMC login page, as it was before.
(In reply to Erik Damrose from comment #4)
> Reopen: When clicking on a link to other hosts the redirect is to
> <hostname>/univention-management-console/saml/
> That link is not available on my Backup.
→ This is due to another bug and should be fixed. You need to make sure that all joinscripts have been successfully executed.
Well, the URI will be unresolvable if you access a 4.0 system. How to deal with this?
> What about users that did not log in via SSO? If that could be detected
> easily, the redirect should be to the non-sso UMC login page, as it was
> before.
It is *currently* not possible to detect this easily (as the authentication is done in the backend, not in the frontend). Isn't it wanted that they log in at the IDP then and get redirected back?
There is also the case that the client cannot resolve the IDP hostname.
Ideas? Decisions?
(In reply to Florian Best from comment #5)
> > What about users that did not log in via SSO? If that could be detected
> > easily, the redirect should be to the non-sso UMC login page, as it was
> > before.
> It is *currently* not possible to detect this easily (as the authentication
> is done in the backend, not in the frontend). Isn't it wanted that they
> log in at the IDP then and get redirected back?
> There is also the case that the client cannot resolve the IDP hostname.
>
> Ideas? Decisions?
I think it is OK if we mention it in the release notes.
Two new possibilities which came up in my mind:
don't redirect to /umc/saml but only to /umc/ which makes the auto-SSO-login (this would be a little bit slower)
or/and filter out the hosts which don't have univentionService=U…M…C…
→ I think I implement both?
(In reply to Florian Best from comment #7)
> Two new possibilities which came up in my mind:
> don't redirect to /umc/saml but only to /umc/ which makes the auto-SSO-login
> (this would be a little bit slower)
→ done
> or/and filter out the hosts which don't have univentionService=U…M…C…
→ Bug #39592
OK: SSO Redirect from master (4.1) to backup (4.0): UMC Login site
??: Redirect from backup (4.0) to master (4.1): Error 403, (https://master.ucs.local/umcp/sso?loginToken=<xx>).
Reopen: If it stays this way, we should definitely add an additional release note (not changelog!) entry explaining the behavior.
Maybe we can add a redirect from /umcp/sso to /umc without breaking anything? The apache 403 error page is unpleasant.
(In reply to Erik Damrose from comment #9)
> Maybe we can add a redirect from /umcp/sso to /umc without breaking
> anything? The apache 403 error page is unpleasant.
I added a redirection to /univention-management-console/.
OK: redirects from UCS Systems < 4.1
OK: changelog
UCS 4.1 has been released:
https://docs.software-univention.de/release-notes-4.1-0-en.html
https://docs.software-univention.de/release-notes-4.1-0-de.html
If this error occurs again, please use "Clone This Bug".