Bug 49985 - Configure SAML SSO as Multi-Server-Solution by default
Status: NEW
Product: UCS
Classification: Unclassified
Component: SAML
UCS 4.4
Other Mac OS X 10.1
Importance: P5 normal
Assigned To: UCS maintainers
Depends on:
Blocks:
Reported: 2019-08-09 11:17 CEST by Michel Smidt
Modified: 2019-08-09 11:51 CEST (History)

See Also:
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
Description Michel Smidt 2019-08-09 11:17:39 CEST
As an administrator I want it to be possible by default to use an external DNS name for SSO for my multi server environment.

There is an article (https://help.univention.com/t/configure-saml-single-sign-on-as-single-server-solution/6681) for a single server environment but this is unfortunately not a standard.

I currently use the following steps in demo environments (without guarantee ;-)

# External DNS name under which the IdP and UMC are reached, e.g. xy.univention.de
FQDN=xy.univention.de

# Point all SSO-related UCR variables at the external name instead of ucs-sso.<domain>:
# - disable automatic ucs-sso registration, set the IdP entityID and key/cert paths
# - tell UMC which host is the SP and that no separate ucs-sso virtual host is used
# - let the SAML vhost use the Let's Encrypt certificate that matches the external name
ucr set ucs/server/sso/autoregistration=no \
        saml/idp/entityID="https://${FQDN}/simplesamlphp/saml2/idp/metadata.php" \
        saml/idp/certificate/privatekey="/etc/simplesamlphp/${FQDN}-idp-certificate.key" \
        saml/idp/certificate/certificate="/etc/simplesamlphp/${FQDN}-idp-certificate.crt" \
        ucs/server/sso/fqdn="$FQDN" \
        umc/saml/sp-server="$FQDN" \
        ucs/server/sso/virtualhost=false \
        saml/apache2/ssl/certificate=/etc/univention/letsencrypt/signed_chain.crt \
        saml/apache2/ssl/key=/etc/univention/letsencrypt/domain.key

# Make Apache answer for the external name
echo "ServerName $FQDN" > /etc/apache2/ucs-sites.conf.d/servername.conf

# Re-run the IdP join script so the IdP is registered under the new entityID,
# then point UMC at the IdP metadata on the external name and re-run the UMC join script
univention-run-join-scripts --force --run-scripts 91univention-saml.inst
ucr set umc/saml/idp-server="https://${FQDN}/simplesamlphp/saml2/idp/metadata.php"
univention-run-join-scripts --force --run-scripts 92univention-management-console-web-server.inst

# Restart the affected services
service apache2 restart; service univention-management-console-web-server restart; service univention-management-console-server restart
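The steps above only work if every SSO-related UCR variable agrees on the same external FQDN. The following is an added example (not part of the bug report or of UCS itself) that checks that agreement over a UCR dump in the "key: value" form printed by `ucr dump`; the dump embedded here is constructed for the example, and the function and variable names are assumptions.

```shell
# Constructed sample dump in `ucr dump` form; replace with "$(ucr dump)" on a real system.
SAMPLE_UCR='ucs/server/sso/fqdn: sso.example.test
umc/saml/sp-server: sso.example.test
saml/idp/entityID: https://sso.example.test/simplesamlphp/saml2/idp/metadata.php
umc/saml/idp-server: https://sso.example.test/simplesamlphp/saml2/idp/metadata.php
ucs/server/sso/autoregistration: no
ucs/server/sso/virtualhost: false
saml/idp/certificate/privatekey: /etc/simplesamlphp/sso.example.test-idp-certificate.key
saml/idp/certificate/certificate: /etc/simplesamlphp/sso.example.test-idp-certificate.crt'

# ucr_get DUMP KEY: print the value of KEY from DUMP (empty if unset).
ucr_get() {
    printf '%s\n' "$1" | sed -n "s|^$2: ||p"
}

# check_sso_fqdn DUMP: print one line per mismatch; return 0 only if every
# SSO-related variable agrees with ucs/server/sso/fqdn.
check_sso_fqdn() {
    dump=$1
    rc=0
    fqdn=$(ucr_get "$dump" ucs/server/sso/fqdn)
    [ -n "$fqdn" ] || { echo "ucs/server/sso/fqdn is unset"; return 1; }
    meta="https://$fqdn/simplesamlphp/saml2/idp/metadata.php"
    # The IdP publishes saml/idp/entityID and UMC reads the IdP metadata from
    # umc/saml/idp-server; both must use the external name.
    for key in saml/idp/entityID umc/saml/idp-server; do
        val=$(ucr_get "$dump" "$key")
        [ "$val" = "$meta" ] || { echo "$key is '$val', expected $meta"; rc=1; }
    done
    val=$(ucr_get "$dump" umc/saml/sp-server)
    [ "$val" = "$fqdn" ] || { echo "umc/saml/sp-server is '$val', expected $fqdn"; rc=1; }
    val=$(ucr_get "$dump" ucs/server/sso/autoregistration)
    [ "$val" = "no" ] || { echo "ucs/server/sso/autoregistration is '$val', expected no"; rc=1; }
    # Key and certificate paths must follow the ${FQDN}-idp-certificate.* pattern.
    for key in saml/idp/certificate/privatekey saml/idp/certificate/certificate; do
        val=$(ucr_get "$dump" "$key")
        case $val in
            */"$fqdn"-idp-certificate.*) ;;
            *) echo "$key is '$val', does not match $fqdn"; rc=1 ;;
        esac
    done
    return $rc
}

check_sso_fqdn "$SAMPLE_UCR" && echo "SSO UCR settings are consistent"
```

Run it after the `ucr set` calls and before the join scripts; a non-zero exit with the printed mismatches shows which variable still points at another host.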
Comment 1 Erik Damrose 2019-08-09 11:40:28 CEST
(In reply to Michel Smidt from comment #0)
> There is an article
> (https://help.univention.com/t/configure-saml-single-sign-on-as-single-
> server-solution/6681) for a single server environment but this is
> unfortunately not a standard.

What would a standard solution look like? Is there a standard scenario?

There are at least the following scenarios:
* Cloud based UCS, e.g. AWS, the UCS apache2 directly faces the internet
* There is a reverse proxy in front of the UCS apache2
Comment 2 Michel Smidt 2019-08-09 11:51:16 CEST
(In reply to Erik Damrose from comment #1)
> (In reply to Michel Smidt from comment #0)
> > There is an article
> > (https://help.univention.com/t/configure-saml-single-sign-on-as-single-
> > server-solution/6681) for a single server environment but this is
> > unfortunately not a standard.
> 
> What would a standard solution look like? Is there a standard scenario?
> 
> There are at least the following scenarios:
> * Cloud based UCS, e.g. AWS, the UCS apache2 directly faces the internet
> * There is a reverse proxy in front of the UCS apache2

In my experience, it's practically the standard scenario.
In comment 1 only ucs-sso is reconfigured to the "one" external DNS.

The two scenarios you mentioned are basically the same from my point of view. I wouldn't recommend the first scenario for productive use. I think in productive environments a reverse proxy should always be the default.

At the most a scenario would be desirable in which the SAML-IdP does not run on the same server as the LDAP. But this doesn't really affect this bug or the configurations made here. From my point of view this is another feature request.