Bug 48927 – SAML: Add ldap attribute mapping to arbitrary values

Bug 48927 - SAML: Add ldap attribute mapping to arbitrary values


Summary:	SAML: Add ldap attribute mapping to arbitrary values

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	SAML
Version:	UCS 4.4
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 4.4-4-errata
Assigned To:	Julia Bremer
QA Contact:	Erik Damrose

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2019-03-08 15:15 CET by Erik Damrose
Modified:	2020-04-15 14:32 CEST (History)
CC List:	7 users (show)

See Also:
What kind of report is it?:	Feature Request
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:	Yes
School Customer affected?:	Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:	2020011021000698
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Erik Damrose

2019-03-08 15:15:22 CET

Some service providers require additional attributes to be sent with the SAML assertion. These attribute names are sometimes not configurable on the SP side (e.g. large SaaS cloud services).

Our SAML integration currently can add additional LDAP user attributes, but there is no way to modify the attribute name when adding these to the assertion.

Simplesamlphp supports this, and the workaround currently is to not configure the SP in the UMC, but write a separate config for the SP. E.g. that is used in the office365 connector.

We could extend the integration to make renaming LDAP Attributes possible.

Comment 1 Florian Best

2019-03-08 15:29:32 CET

Can you give an example on how this is configured in simplesamlphp?
Currently it's only just an array of attribute names in the configuration?

Comment 2 Erik Damrose

2019-03-08 15:44:25 CET

No example available right now, but it is basically renaming keys in a dict, as every key/value pair will be added to the assertion

Comment 3 Florian Best

2019-03-08 15:59:35 CET

(In reply to Erik Damrose from comment #2)
> No example available right now, but it is basically renaming keys in a dict,
> as every key/value pair will be added to the assertion
Okay, sounds simple.

But how could we represent this in the current LDAP representation?
Simple would be something like simplesamlLDAPattributes=uid:username (attribute and pseudoname separated by ":") (good idea?).
But it would require all DC Backups to understand this (i.e. same UCS version than the master).

Comment 6 Christina Scheinig

2020-01-10 14:34:31 CET

A customer needs the mapping for Zammad

Comment 9 Julia Bremer

2020-04-02 19:55:08 CEST

Successful build
Package: univention-saml
Version: 6.0.2-27A~4.4.0.202004021947
Branch: ucs_4.4-0
Scope: errata4.4-4


4c62a07acc Bug #48927: update yaml
989f081d8a Bug #48927: Add php escaping
3c4ed02227 Bug #48927: yaml
88f06b103c Bug #48927: Merge branch 'jbremer/bug48927-saml-attribute-mapping' into 4.4-4
73cab5c1fa Bug #48927: changelog
9a99b8bc81 Bug #48927: Documentation
ab89b07f61 Bug #48927: Add translation
eb0ade35b6 Bug #48927: modify listener to new attributemapping.
1d1760447c Bug #48927: adjust udm module for attributeMapping syntax

I adjusted the UDM syntax of "LDAPattributes" to have a "key, value" syntax, where key and value are seperated by "=".
The key is the "LDAP attribute name" and the value is the "Service attribute name".
Since simplesamlphp has the possibility to map one key to multiple values in an array, these can be added seperated by "," as the value. 
The value is optional, if it is not set, the attribute is sent, but the names are not mapped.

Comment 10 Julia Bremer

2020-04-03 10:24:44 CEST

The new Syntax of LDAPattributes breaks 92univention-management-console-web-server.inst which led all Jenkins tests to fail.

Comment 11 Julia Bremer

2020-04-03 14:36:40 CEST

ecd74c5c6d Bug #48927: update yaml
577b1ae10c Bug #48927: Adjust syntax, so that it allows for only one element


Package: univention-saml
Version: 6.0.2-28A~4.4.0.202004031327
Branch: ucs_4.4-0
Scope: errata4.4-4


The new Syntax of LDAPattributes inherits from class complex and is multivalue
and is a key, value syntax with an optional value.
When modifying an object by appending an LDAPattribute with only a key, the syntax allowed this without problem, which is why I hadn't found this problem before.
But when an object was created or had no LDAPattributes before, the operation 
object[key] = [value] failed, because the syntax did not allow this.

I added the option min_elements=1 to the syntax, which resolves this problem.

Comment 12 Julia Bremer

2020-04-03 17:53:54 CEST

Successful build
Package: univention-saml
Version: 6.0.2-29A~4.4.0.202004031742
Branch: ucs_4.4-0
Scope: errata4.4-4


8fb6caa5e1 Bug #48927: update yamBug #48927: update yamll
4152880dba Bug #48927: If key is configured more than once, append dont overwirte


The QAs review was, that if one key was specified multiple times, it was not converted to an array of mapping attributes in the php file.
Instead of uid => array(foo1, foo2)
the config was 
uid=foo1,
uid=foo2

saml used only the last specified mapping in this case.
I adapted the listener to append additional values if the key exists more than once in the list.

Comment 13 Max Pohle

2020-04-03 18:18:16 CEST

I can confirm, that the change works as expected and even with strange values. 

The behaviour we found was:

1) only a value to assign to without a name - does not make sense and gets discarded

2) a wrong LDAP attribute name with a comma in it gets discarded

3) two times the same name and mapped to different attributes means the same as a name that is mapped to many attributes divided by comma.

4) a simple mapping from `name=uid` to a arbitrary service attribute name work

All of that was expected behaviour. Test passed.

Comment 14 Erik Damrose

2020-04-07 09:58:46 CEST

Reopen: The listener fails to write the config when no attributes are defined.

In line 208 simplesamlLDAPattributes is accessed, but if no attributes are defined for the service provider this fails.

simplesamlLDAPattributes only gets initialized if new['simplesamlAttributes'] exists.

It should be sufficient to always initialize simplesamlLDAPattributes as an empty list.

To reproduce: Activate default google service provider in UMC.
listener.log:
06.04.20 22:12:21.231  LISTENER    ( PROCESS ) : updating 'SAMLServiceProviderIdentifier=google.com,cn=saml-serviceprovider,cn=univention,dc=mydomain,dc=intranet' command m
Traceback (most recent call last):
  File "/usr/lib/univention-directory-listener/system/univention-saml-simplesamlphp-configuration.py", line 125, in handler
    write_configuration_file(dn, new, filename)
  File "/usr/lib/univention-directory-listener/system/univention-saml-simplesamlphp-configuration.py", line 208, in write_configuration_file
    if simplesamlLDAPattributes:
UnboundLocalError: local variable 'simplesamlLDAPattributes' referenced before assignment

Comment 15 Julia Bremer

2020-04-07 11:33:12 CEST

Package: univention-saml
Version: 6.0.2-31A~4.4.0.202004071130
Branch: ucs_4.4-0
Scope: errata4.4-4


57a5d30640 Bug #48927: yaml

46589a5e8f Bug #48927: initialize simplesamlLDAPattributes, strip trailing whitespace

I changed another thing as well..
If a multivalue is specified, seperated by commas, extra trailing whitespace was not stripped. E.g a value like "Mail,  E-mail" let saml to send "  E-mail" to the SP.

Comment 16 Erik Damrose

2020-04-15 10:28:32 CEST

OK: univention-saml, listener, umc/udm integration
OK: yaml
OK: docu - i updated some other sentences in the same paragraph
Verified

Comment 17 Erik Damrose

2020-04-15 14:32:12 CEST

<http://errata.software-univention.de/ucs/4.4/527.html>