Bug 47567 - Add SAML service providers to groups
Add SAML service providers to groups
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: SAML
UCS 4.4
Other Linux
Importance: P5 normal
Target Milestone: UCS 4.4-4-errata
Assigned To: Julia Bremer
QA Contact: Erik Damrose
Depends on:
Blocks:
Reported: 2018-08-10 12:22 CEST by Valentin Heidelberger
Modified: 2020-10-29 22:40 CET (History)
CC: 10 users

See Also:
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments
patch for listener, fixes removing SP from group (513 bytes, patch)
2020-05-18 10:36 CEST, Erik Damrose

Description Valentin Heidelberger univentionstaff 2018-08-10 12:22:13 CEST
Currently SAML service providers can only be added to user objects. It would be nice to be able to add them to groups (meaning the included users) as well.
Comment 1 Valentin Heidelberger univentionstaff 2018-08-20 17:56:17 CEST
A customer decided to refrain from using SSO for a specific service, because activating the Service Provider for user objects was deemed too much effort.
Comment 2 Erik Damrose univentionstaff 2018-08-20 18:19:26 CEST
I want to understand the use case better. How are the users added / modified? Should there be one group for each service?

Initial setting of the attribute for many users could be done with multiedit.
Adding multiple users to an existing group should be roughly the same effort.

When adding users with a udm script, the enabled flags could be set when creating the user.
Comment 3 Valentin Heidelberger univentionstaff 2018-08-21 10:50:59 CEST
(In reply to Erik Damrose from comment #2)
> I want to understand the use case better. How are the users added /
> modified? Should there be one group for each service?
> 
> Initial setting of the attribute for many users could be done with multiedit.
> Adding multiple users to an existing group should be roughly the same effort.
> 
> When adding users with a udm script, the enabled flags could be set when
> creating the user.

The customer has a school scenario. They want to activate a certain Service Provider for just one school. Since they already have groups containing teachers and students for every school, they'd just like to add the service provider to these groups instead of doing a multi edit.
Another reason why they don't like the multi edit workaround is bug 47568. But I think even with that resolved they'd still wait for this feature until they use it. I told them about the udm script possibility as well, but they want to manage the SPs themselves later on and want to do it with groups.
Comment 4 Michel Smidt 2018-08-21 11:06:29 CEST
Seems like more or less the same use case as in the office365 connector to me. For the customer it is important that he/she can assign it to a group like "Domain Users schoolXY". The customer has a delegated automatical user life-cycle.
If the SAML-SP-Attribute will be assigned to the user during creation or will be read "on the fly" isn't important as far as I know.
Comment 5 Valentin Heidelberger univentionstaff 2018-11-12 10:51:37 CET
Requested again from a school customer
Comment 6 Michael Grandjean univentionstaff 2019-02-01 21:05:48 CET
https://help.univention.com/t/11071
Comment 7 Valentin Heidelberger univentionstaff 2019-08-08 12:54:09 CEST
Requested again below a blog article 
https://www.univention.de/blog-de/2019/02/how-to-sso-nextcloud/?replytocom=13916#comment-13916
Comment 8 Valentin Heidelberger univentionstaff 2019-08-08 12:55:57 CEST
Since 4.4 e205 one can filter users by their group memberships in the Users module. The memberOf overlay must be active for that. Then all users can be selected and a multi-edit can be performed. This workaround does not cover users being added to or removed from that group, of course.

http://errata.software-univention.de/ucs/4.4/205.html
Comment 9 Valentin Heidelberger univentionstaff 2019-08-22 16:53:18 CEST
Customer reiterated their desire for this feature.
They don't want to use import hooks.
Comment 10 Johannes Kenkel univentionstaff 2019-08-26 14:58:58 CEST
Client 47691 would also like to add SAML service providers to groups. They also don't want to use import hooks.
Comment 11 Andreas Peichert univentionstaff 2020-02-13 15:16:58 CET
requested again by a customer (54468)
Comment 12 Detlef Nünninghoff 2020-02-14 16:09:49 CET
We would also like to add SAML service providers to groups. We also don't want to use import hooks.
Comment 13 Valentin Heidelberger univentionstaff 2020-03-12 10:42:00 CET
Another customer asked for this
Comment 17 Michel Smidt 2020-03-24 09:24:06 CET
We will definitely need this very soon in the future. Workarounds are currently being built in all kinds of customer projects. Which is complex, and expensive.
Comment 18 Julia Bremer univentionstaff 2020-05-11 15:14:46 CEST
4285e5851a Bug #47567: yaml
5c263d2498 Bug #47567: Merge branch 'jbremer/bug47567-samlsp4groups' into 4.4-4
1174cac7a7 Bug #47567: Doku
28a16b5adc Bug #47567: Add saml serviceprovider to groups

Successful build
Package: univention-saml
Version: 6.0.2-41A~4.4.0.202005111505
Branch: ucs_4.4-0
Scope: errata4.4-4

One can now configure SAML service providers per group on the "General" tab. A new objectClass for groups has been created, "univentionSAMLEnabledGroup", together with the new attribute "serviceprovidergroup".

The univention-saml package has a new listener, which listens to changes of univentionSAMLEnabledGroup and writes the newly configured service providers in JSON format to '/etc/simplesamlphp/serviceprovider_enabled_groups.json', which is then read by saml.
Comment 19 Julia Bremer univentionstaff 2020-05-12 14:47:09 CEST
26f8a1947b Bug #47567: update yaml
6f687f18d6 Bug #47567: Chown to samlcgi, dont assume uid, guid

I assumed the uid of samlcgi before. The uid and gid of samlcgi are now determined in the listener.
Comment 20 Erik Damrose univentionstaff 2020-05-12 18:41:51 CEST
First blackbox test shows that service provider config files are not rewritten on package update. Thus, the JSON file with the group mapping is written but never read from the service provider config file, until the listener rewrites the SP config file. In previous updates we resynced the listener module to force a rewrite of all SP config files; I think it is ok to do this with this update as well -> REOPEN

Once the saml config is correct, the requested feature runs as desired. I added a saml sp to the domain users group and the saml login worked, without having to configure each user individually
Comment 21 Julia Bremer univentionstaff 2020-05-12 20:41:40 CEST
Package: univention-saml
Version: 6.0.2-43A~4.4.0.202005122039
Branch: ucs_4.4-0
Scope: errata4.4-4

7d9a358889 Bug #47567: yaml
9b62c49933 Bug #47567: Resync listener
Comment 22 Erik Damrose univentionstaff 2020-05-14 14:23:01 CEST
OK: schema extension, extended attribute on groups
OK: docs, I fixed a small typo
OK: integration of group check in sp config
OK: Test with group with umlauts ("Domänenbenutzer")
OK: yaml

Reopen: there are some logic errors in the saml-group listener, I sent details in an email
Comment 23 Julia Bremer univentionstaff 2020-05-14 14:41:37 CEST
Thanks for the feedback :)

fee8c14587 Bug #47567: yaml
8a3f354955 Bug #47567: fix addition/removal of groups to json in group-listener

Package: univention-saml
Version: 6.0.2-44A~4.4.0.202005141435
Branch: ucs_4.4-0
Scope: errata4.4-4
Comment 24 Erik Damrose univentionstaff 2020-05-18 10:36:22 CEST
Created attachment 10367 [details]
patch for listener, fixes removing SP from group

Removing an SP from a group does not work, please check the attached patch for a possible solution.
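As an added example (not the univention-saml listener's own code, and not the patch from attachment 10367), the following Python models the mechanism from comment 18 and the add/remove handling that comments 22 and 24 are about: one group modification arrives as a listener-style (dn, new, old) call, the group-to-SP mapping is updated in both directions, written atomically as JSON, and consulted on the IdP side together with the per-user attribute. Only the attribute name (comment 28) and the file path (comment 18) come from this page; the JSON layout, the function names and the sample DN and SP values are assumptions.

```python
import json
import os
import tempfile

# Assumptions, not taken from univention-saml: the JSON layout
# {"<sp identifier>": ["<group dn>", ...]} and all function names below.
ATTR = "enabledServiceProviderIdentifierGroup"   # LDAP attribute named in comment 28
MAPPING_PATH = "/etc/simplesamlphp/serviceprovider_enabled_groups.json"  # path from comment 18


def _values(obj, attr):
    """Attribute values as a set of str; listener dicts carry lists of bytes or str."""
    return {v.decode("utf-8") if isinstance(v, bytes) else v for v in obj.get(attr, [])}


def handler(mapping, dn, new, old):
    """Apply one group change to the mapping (listener-style dn/new/old call).

    SPs newly set on the group are added under the group's DN; SPs no longer
    set (or the whole group deleted, new == {}) are removed. The removal path
    is the part comment 24 reported as not working.
    """
    before = _values(old, ATTR)
    after = _values(new, ATTR)
    for sp in before - after:
        groups = [g for g in mapping.get(sp, []) if g != dn]
        if groups:
            mapping[sp] = groups
        else:
            mapping.pop(sp, None)   # drop empty keys so the SP is no longer group-enabled
    for sp in after - before:
        groups = mapping.setdefault(sp, [])
        if dn not in groups:
            groups.append(dn)
    return mapping


def write_mapping(mapping, path=MAPPING_PATH, uid=-1, gid=-1):
    """Write the mapping atomically (temp file + rename) so saml never reads a
    half-written file; uid/gid are looked up by the caller (comment 19)."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path), prefix=".sp-groups-")
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(mapping, fh, indent=2, sort_keys=True)
        os.chmod(tmp, 0o640)
        if uid != -1 or gid != -1:
            os.chown(tmp, uid, gid)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def is_enabled(sp, user_sps, user_groups, mapping):
    """IdP-side check: a user may use the SP if it is set on the user object
    itself or on any group the user is a member of."""
    return sp in user_sps or any(g in mapping.get(sp, []) for g in user_groups)


def demo():
    """Stand-alone walk-through on constructed data: add an SP to a group,
    write and reload the JSON, check a member, then remove the SP again."""
    group = "cn=Domain Users,cn=groups,dc=example,dc=com"    # constructed sample DN
    sp = "https://nextcloud.example.com/saml/metadata"         # constructed SP identifier
    mapping = handler({}, group, {ATTR: [sp.encode()]}, {})
    path = os.path.join(tempfile.mkdtemp(), "serviceprovider_enabled_groups.json")
    write_mapping(mapping, path)
    with open(path) as fh:
        loaded = json.load(fh)
    enabled = is_enabled(sp, set(), {group}, loaded)
    mapping = handler(loaded, group, {}, {ATTR: [sp.encode()]})   # SP removed from the group
    disabled = not is_enabled(sp, set(), {group}, mapping)
    return enabled, disabled, mapping


if __name__ == "__main__":
    print(demo())
```

Computing the change from the difference between old and new attribute sets is what makes removal fall out naturally; a handler that only iterates over the new values (and never over values present in old but absent in new) reproduces the symptom in comment 24, where an SP removed from a group stays in the JSON file.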
Comment 25 Julia Bremer univentionstaff 2020-05-18 11:02:52 CEST
Successful build
Package: univention-saml
Version: 6.0.2-45A~4.4.0.202005181100
Branch: ucs_4.4-0
Scope: errata4.4-4 

55296ff071 Bug #47567: yaml update
10998e3e4a Bug #47567: Remove sps
Comment 26 Erik Damrose univentionstaff 2020-05-18 12:14:21 CEST
OK: Remove SPs from groups
OK: yaml
Verified
Comment 27 Arvid Requate univentionstaff 2020-05-20 12:29:58 CEST
<http://errata.software-univention.de/ucs/4.4/611.html>
Comment 28 Florian Best univentionstaff 2020-10-29 22:40:57 CET
FYI: the syntax of the new attribute "enabledServiceProviderIdentifierGroup" is set to ASCII. Therefore SAML SP DNs containing non-ASCII characters cannot be selected.