Bug 55085 - Saml serviceprovider groups should evaluate nested group memberships
Status: NEW
Product: UCS
Classification: Unclassified
Component: SAML
UCS 5.0
Other Linux
Importance: P5 normal
Assigned To: UCS maintainers
Depends on:
Blocks: 55787
Reported: 2022-08-10 15:17 CEST by Daniel Duchon
Modified: 2023-07-31 14:16 CEST (History)

See Also:
What kind of report is it?: Feature Request
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.046
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2022081021000351, 2023072821000102
Bug group (optional):
Max CVSS v3 score:


Attachments
flatten.pl (2.83 KB, text/plain), 2023-03-14 08:55 CET, AlteSocke

Description Daniel Duchon univentionstaff 2022-08-10 15:17:45 CEST
With UCS 4 it was possible to recursively allow access to a service provider.

e.g.:
- UserA is member of GroupB
- GroupB is member of GroupA
- GroupA is allowed to use ServiceproviderA

As UserA is recursively a member of GroupA, he was allowed to access ServiceProviderA.


With UCS 5, groups in groups like in this scenario don't work anymore. Only direct memberships are working.
Comment 1 Julia Bremer univentionstaff 2022-08-10 18:54:47 CEST
The group memberships have never been evaluated recursively for this feature, neither in UCS 5 nor in UCS 4.

We are simply adding the groups that have the attribute enabledServiceProviderIdentifierGroup for each serviceprovider to the serviceprovider_enabled_groups.json file.

At login, it is checked whether the memberOf attribute includes one of those groups.
And the memberOf attribute does not contain recursive group memberships.
If the customer is certain that it has worked before - maybe a workaround or a custom implementation has been in place before the update?

As recursive membership evaluation has never been part of this feature, I set the bug to "feature request".
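To illustrate the difference between the direct memberOf check described above and a transitive evaluation of nested groups, here is an added example (not Univention code). All DNs, the group data and the stand-in for serviceprovider_enabled_groups.json are constructed; the function names are assumptions.

```python
# Added example (not Univention code): why a direct memberOf check misses
# nested groups, and how a transitive evaluation with cycle protection
# would grant access in the scenario from the bug description.
from collections import deque

# Constructed directory: group DN -> member DNs (users or groups).
GROUP_MEMBERS = {
    "cn=GroupA,cn=groups,dc=example,dc=com": [
        "cn=GroupB,cn=groups,dc=example,dc=com",
    ],
    "cn=GroupB,cn=groups,dc=example,dc=com": [
        "uid=UserA,cn=users,dc=example,dc=com",
        "cn=GroupA,cn=groups,dc=example,dc=com",  # constructed cycle A <-> B
    ],
}

# Stand-in for serviceprovider_enabled_groups.json: SP identifier -> groups
# carrying enabledServiceProviderIdentifierGroup for that SP (constructed).
SP_ENABLED_GROUPS = {
    "ServiceProviderA": ["cn=GroupA,cn=groups,dc=example,dc=com"],
}


def direct_member_of(user_dn):
    """Direct memberships only, i.e. what the memberOf attribute exposes."""
    return {g for g, members in GROUP_MEMBERS.items() if user_dn in members}


def transitive_member_of(user_dn):
    """Direct groups plus every group those groups are (transitively)
    members of. Breadth-first with a visited set, so mutual membership
    (A in B and B in A) terminates instead of looping forever."""
    seen = set()
    queue = deque(direct_member_of(user_dn))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        # Parents: every group that lists this group as a member.
        queue.extend(g for g, members in GROUP_MEMBERS.items() if group in members)
    return seen


def allowed(user_dn, sp_id, nested=False):
    """Mirror the login-time check: is any SP-enabled group among the user's groups?"""
    groups = transitive_member_of(user_dn) if nested else direct_member_of(user_dn)
    return bool(groups & set(SP_ENABLED_GROUPS.get(sp_id, [])))
```

With the constructed data, UserA is only a direct member of GroupB, so the direct check denies ServiceProviderA while the nested check grants it.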
Comment 2 AlteSocke 2023-03-14 08:51:10 CET
(In reply to Julia Bremer from comment #1)
> The group memberships have never been evaluated recursively for this
> feature. Not in UCS5 nor in UCS4.

Yes. However, with UCS 5 we want to switch to the new SSO provider Keycloak.

> At login, it is checked if the memberOf attribute includes one of those
> groups. 
> And the memberOf attribute does not display recursive group memberships.
> If the customer is certain that it has worked before - maybe a workaround or
> a custom implementation has been in place before the update?

We have had Keycloak in use until now. But this had its own LDAP, NOT managed by UCS. The LDAP was flattened with a script, so all groups were dissolved and brought to one level. Possibly Univention can also take such an approach. I can send the script here as an attachment if you like.

> As recursive membership evaluation has never been part of this feature, I
> set the bug to "feature request".

Ack.

Greez
AlteSocke
Comment 3 AlteSocke 2023-03-14 08:55:12 CET
Created attachment 11053
flatten.pl