Bug 53207 – Allow disabling of the fallback to UCS login

Bug 53207 - Allow disabling of the fallback to UCS login


Summary:	Allow disabling of the fallback to UCS login

Status:	NEW

Product:	UCS
Classification:	Unclassified
Component:	SAML
Version:	UCS 4.4
Hardware:	Other Windows NT

Importance:	P5 normal (vote)
Target Milestone:	---
Assigned To:	UCS maintainers
QA Contact:	UCS maintainers

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2021-05-03 08:04 CEST by Thorsten
Modified:	2021-06-14 07:25 CEST (History)
CC List:	2 users (show)

See Also:
What kind of report is it?:	Feature Request
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):	SAML
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Thorsten

2021-05-03 08:04:56 CEST

In order to be IT Grundschutz compliant there has to be a single implementation of the web based login to UCS. 

Currently as a fallback there is the UCS login (/univention/login) used when the login /simplesamlphp/[..] cannot be reached by the client (browser). 

We need an option to disable to fallback.

Comment 1 Florian Best

2021-05-03 10:38:36 CEST

Please be more specific, what is actually required. Maybe post the BSI-Grundschutz phrase about it.

Should /univention/login/ only not be available for users? Shouldn't a link exists to it? Does the functionality behind it needs to be disabled?

/univention/login/ and /simplesamlphp/ are different services, (on different hosts).
At the end, when logging into UMC both mechanism use /univention/auth which uses one PAM stack.

Comment 2 Thorsten

2021-05-03 14:51:35 CEST

The following paragraphs vom from "BSI Grundschutz APP.3.1 Webanwendungen":

From APP.3.1.A1: "Es MUSS eine zentrale Authentisierungskomponente verwendet werden, die möglichst mit etablierten Standardkomponenten umgesetzt wurde."

From APP.3.1.M1: "Die Authentisierungslogik sollte nur an einer Stelle und nicht mehrfach im Programmcode realisiert werden."

The code related to /univention/login/ must not be triggered in any case, when the UCS login is disabled as requested in this ticket.

Comment 3 Florian Best

2021-05-05 23:19:32 CEST

(In reply to Thorsten from comment #2)
> The code related to /univention/login/ must not be triggered in any case,
> when the UCS login is disabled as requested in this ticket.
This means that all machine-to-machine communication is not possible anymore. e.g. the global App-Center, e.g. UCS@school functionality, e.g. changing IP addresses of the servers, etc. pp.

Comment 4 Thorsten

2021-05-06 06:40:48 CEST

(In reply to Florian Best from comment #3)
> This means that all machine-to-machine communication is not possible
> anymore. e.g. the global App-Center, e.g. UCS@school functionality, e.g.
> changing IP addresses of the servers, etc. pp.
The mentioned cases make use of the browser/webbased authentication? This is all about the user not being able to have both options from the browser (the login form, but also the component receiving and processing the data from the login form).

Comment 5 Florian Best

2021-05-06 09:55:45 CEST

(In reply to Thorsten from comment #4)
> (In reply to Florian Best from comment #3)
> > This means that all machine-to-machine communication is not possible
> > anymore. e.g. the global App-Center, e.g. UCS@school functionality, e.g.
> > changing IP addresses of the servers, etc. pp.
> The mentioned cases make use of the browser/webbased authentication?
yes.

Comment 6 Thorsten

2021-06-14 07:25:48 CEST

From my perspective we can close this issue, as we try to move the project to UCS5 and UCS5 does not longer support AFAIK automated fallback to the UMC login.