Univention Bugzilla – Bug 48927
SAML: Add ldap attribute mapping to arbitrary values
Last modified: 2020-04-15 14:32:12 CEST
Some service providers require additional attributes to be sent with the SAML assertion. These attribute names are sometimes not configurable on the SP side (e.g. large SaaS cloud services). Our SAML integration currently can add additional LDAP user attributes, but there is no way to modify the attribute name when adding these to the assertion. Simplesamlphp supports this, and the workaround currently is to not configure the SP in the UMC, but write a separate config for the SP. E.g. that is used in the office365 connector. We could extend the integration to make renaming LDAP Attributes possible.
Can you give an example on how this is configured in simplesamlphp? Currently it's only just an array of attribute names in the configuration?
No example available right now, but it is basically renaming keys in a dict, as every key/value pair will be added to the assertion
(In reply to Erik Damrose from comment #2) > No example available right now, but it is basically renaming keys in a dict, > as every key/value pair will be added to the assertion Okay, sounds simple. But how could we represent this in the current LDAP representation? Simple would be something like simplesamlLDAPattributes=uid:username (attribute and pseudoname separated by ":") (good idea?). But it would require all DC Backups to understand this (i.e. same UCS version than the master).
A customer needs the mapping for Zammad
Successful build Package: univention-saml Version: 6.0.2-27A~4.4.0.202004021947 Branch: ucs_4.4-0 Scope: errata4.4-4 4c62a07acc Bug #48927: update yaml 989f081d8a Bug #48927: Add php escaping 3c4ed02227 Bug #48927: yaml 88f06b103c Bug #48927: Merge branch 'jbremer/bug48927-saml-attribute-mapping' into 4.4-4 73cab5c1fa Bug #48927: changelog 9a99b8bc81 Bug #48927: Documentation ab89b07f61 Bug #48927: Add translation eb0ade35b6 Bug #48927: modify listener to new attributemapping. 1d1760447c Bug #48927: adjust udm module for attributeMapping syntax I adjusted the UDM syntax of "LDAPattributes" to have a "key, value" syntax, where key and value are seperated by "=". The key is the "LDAP attribute name" and the value is the "Service attribute name". Since simplesamlphp has the possibility to map one key to multiple values in an array, these can be added seperated by "," as the value. The value is optional, if it is not set, the attribute is sent, but the names are not mapped.
The new Syntax of LDAPattributes breaks 92univention-management-console-web-server.inst which led all Jenkins tests to fail.
ecd74c5c6d Bug #48927: update yaml 577b1ae10c Bug #48927: Adjust syntax, so that it allows for only one element Package: univention-saml Version: 6.0.2-28A~4.4.0.202004031327 Branch: ucs_4.4-0 Scope: errata4.4-4 The new Syntax of LDAPattributes inherits from class complex and is multivalue and is a key, value syntax with an optional value. When modifying an object by appending an LDAPattribute with only a key, the syntax allowed this without problem, which is why I hadn't found this problem before. But when an object was created or had no LDAPattributes before, the operation object[key] = [value] failed, because the syntax did not allow this. I added the option min_elements=1 to the syntax, which resolves this problem.
Successful build Package: univention-saml Version: 6.0.2-29A~4.4.0.202004031742 Branch: ucs_4.4-0 Scope: errata4.4-4 8fb6caa5e1 Bug #48927: update yamBug #48927: update yamll 4152880dba Bug #48927: If key is configured more than once, append dont overwirte The QAs review was, that if one key was specified multiple times, it was not converted to an array of mapping attributes in the php file. Instead of uid => array(foo1, foo2) the config was uid=foo1, uid=foo2 saml used only the last specified mapping in this case. I adapted the listener to append additional values if the key exists more than once in the list.
I can confirm, that the change works as expected and even with strange values. The behaviour we found was: 1) only a value to assign to without a name - does not make sense and gets discarded 2) a wrong LDAP attribute name with a comma in it gets discarded 3) two times the same name and mapped to different attributes means the same as a name that is mapped to many attributes divided by comma. 4) a simple mapping from `name=uid` to a arbitrary service attribute name work All of that was expected behaviour. Test passed.
Reopen: The listener fails to write the config when no attributes are defined. In line 208 simplesamlLDAPattributes is accessed, but if no attributes are defined for the service provider this fails. simplesamlLDAPattributes only gets initialized if new['simplesamlAttributes'] exists. It should be sufficient to always initialize simplesamlLDAPattributes as an empty list. To reproduce: Activate default google service provider in UMC. listener.log: 06.04.20 22:12:21.231 LISTENER ( PROCESS ) : updating 'SAMLServiceProviderIdentifier=google.com,cn=saml-serviceprovider,cn=univention,dc=mydomain,dc=intranet' command m Traceback (most recent call last): File "/usr/lib/univention-directory-listener/system/univention-saml-simplesamlphp-configuration.py", line 125, in handler write_configuration_file(dn, new, filename) File "/usr/lib/univention-directory-listener/system/univention-saml-simplesamlphp-configuration.py", line 208, in write_configuration_file if simplesamlLDAPattributes: UnboundLocalError: local variable 'simplesamlLDAPattributes' referenced before assignment
Package: univention-saml Version: 6.0.2-31A~4.4.0.202004071130 Branch: ucs_4.4-0 Scope: errata4.4-4 57a5d30640 Bug #48927: yaml 46589a5e8f Bug #48927: initialize simplesamlLDAPattributes, strip trailing whitespace I changed another thing as well.. If a multivalue is specified, seperated by commas, extra trailing whitespace was not stripped. E.g a value like "Mail, E-mail" let saml to send " E-mail" to the SP.
OK: univention-saml, listener, umc/udm integration OK: yaml OK: docu - i updated some other sentences in the same paragraph Verified
<http://errata.software-univention.de/ucs/4.4/527.html>