Univention Bugzilla – Bug 55085
Saml serviceprovider groups should evaluate nested group memberships
Last modified: 2023-07-31 14:16:23 CEST
With UCS 4 it was possible to recursively allow access to a service provider, e.g.:
- UserA is a member of GroupB
- GroupB is a member of GroupA
- GroupA is allowed to use ServiceProviderA
As UserA is recursively a member of GroupA, he was allowed to access ServiceProviderA. With UCS 5, groups in groups as in this scenario don't work anymore. Only direct memberships work.
The group memberships have never been evaluated recursively for this feature, neither in UCS 5 nor in UCS 4. We simply add the groups that have the attribute enabledServiceProviderIdentifierGroup for each service provider to the serviceprovider_enabled_groups.json file. At login, it is checked whether the memberOf attribute includes one of those groups, and the memberOf attribute does not show recursive group memberships. If the customer is certain that it worked before, maybe a workaround or a custom implementation was in place before the update? As recursive membership evaluation has never been part of this feature, I am setting the bug to "feature request".
(In reply to Julia Bremer from comment #1)
> The group memberships have never been evaluated recursively for this
> feature. Not in UCS5 nor in UCS4.
Yes. However, with UCS 5 we want to switch to the new SSO provider Keycloak.
> At login, it is checked if the memberOf attribute includes one of those
> groups.
> And the memberOf attribute does not display recursive group memberships.
> If the customer is certain that it has worked before - maybe a workaround or
> a custom implementation has been in place before the update?
We have had Keycloak in use until now, but it had its own LDAP, NOT managed by UCS. The LDAP was flattened with a script, so all groups were dissolved and brought to one level. Possibly Univention could also take such an approach. I can send the script here as an attachment if you like.
> As recursive membership evaluation has never been part of this feature, I
> set the bug to "feature request".
Ack.
Greez
AlteSocke
Created attachment 11053: flatten.pl
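The following is an added example, not code from Univention or from the attached flatten.pl. It models the two mechanisms discussed in this bug: the direct memberOf check against the groups collected in serviceprovider_enabled_groups.json (comment #1), and the transitive membership resolution that a flattening script such as the attached one achieves by writing every nested group into the user's memberOf (comment #2). The directory entries are constructed sample data; the assumption that group nesting is expressed via uniqueMember and the layout of the JSON mapping (service provider identifier to list of group DNs) are both assumptions of this example, not facts stated on the page.

```python
import json
from collections import deque

# Constructed sample entries standing in for UCS LDAP objects (not real data).
# Group nesting via uniqueMember is an ASSUMPTION of this example.
GROUP_A = "cn=GroupA,cn=groups,dc=example,dc=com"
GROUP_B = "cn=GroupB,cn=groups,dc=example,dc=com"
GROUP_C = "cn=GroupC,cn=groups,dc=example,dc=com"
USER_A = "uid=usera,cn=users,dc=example,dc=com"
USER_D = "uid=userd,cn=users,dc=example,dc=com"
SP_A = "https://sp-a.example.com/saml/metadata"  # hypothetical SP identifier

GROUPS = {
    # GroupA is allowed to use ServiceProviderA and contains GroupB, GroupC and UserD.
    GROUP_A: {"uniqueMember": [GROUP_B, GROUP_C, USER_D],
              "enabledServiceProviderIdentifierGroup": [SP_A]},
    # GroupB contains UserA directly and is itself nested in GroupA.
    GROUP_B: {"uniqueMember": [USER_A], "enabledServiceProviderIdentifierGroup": []},
    # GroupC contains GroupA again: a membership cycle the resolver must survive.
    GROUP_C: {"uniqueMember": [GROUP_A], "enabledServiceProviderIdentifierGroup": []},
}
# memberOf only lists direct memberships, as comment #1 describes.
USERS = {
    USER_A: {"memberOf": [GROUP_B]},
    USER_D: {"memberOf": [GROUP_A]},
}


def build_enabled_groups(groups):
    """Collect, per service provider, the DNs of groups carrying
    enabledServiceProviderIdentifierGroup. The SP -> [group DN] layout is an
    assumed stand-in for serviceprovider_enabled_groups.json."""
    enabled = {}
    for dn, attrs in groups.items():
        for sp in attrs.get("enabledServiceProviderIdentifierGroup", []):
            enabled.setdefault(sp, []).append(dn)
    return enabled


def direct_access(user_dn, sp, enabled, users):
    """Login check as described in comment #1: is one of the enabled groups
    listed in the user's memberOf? Nested groups are invisible here."""
    member_of = set(users[user_dn].get("memberOf", []))
    return any(g in member_of for g in enabled.get(sp, []))


def transitive_groups(user_dn, groups):
    """Walk uniqueMember edges upward (member -> containing group) to get every
    group the user belongs to directly or through nesting. The seen set stops
    cycles such as GroupA -> GroupC -> GroupA from looping forever."""
    parent_of = {}
    for gdn, attrs in groups.items():
        for member in attrs.get("uniqueMember", []):
            parent_of.setdefault(member, set()).add(gdn)
    seen = set()
    queue = deque(parent_of.get(user_dn, ()))
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        queue.extend(parent_of.get(g, ()))
    return seen


def recursive_access(user_dn, sp, enabled, groups):
    """The requested behaviour: grant access if any enabled group is reached
    through the transitive membership closure."""
    return bool(transitive_groups(user_dn, groups) & set(enabled.get(sp, [])))


def flatten_memberof(users, groups):
    """What a flattening script aims for: rewrite memberOf so it lists all
    transitive groups, after which the unchanged direct check succeeds."""
    return {u: {"memberOf": sorted(transitive_groups(u, groups))} for u in users}


if __name__ == "__main__":
    enabled = build_enabled_groups(GROUPS)
    print(json.dumps(enabled, indent=2))
    print("direct   :", direct_access(USER_A, SP_A, enabled, USERS))
    print("recursive:", recursive_access(USER_A, SP_A, enabled, GROUPS))
    print("flattened:", direct_access(USER_A, SP_A, enabled, flatten_memberof(USERS, GROUPS)))
```

With the constructed data, UserA passes only the recursive check or the direct check run against flattened memberOf values, while UserD, a direct member of GroupA, passes both. The resolver walks member-to-parent edges rather than expanding each group downward, so it touches only the groups on the user's own path and terminates on cyclic nesting.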