Univention Bugzilla – Bug 31943
[SSO] UMC Single Sign-On via SAML
Last modified: 2015-11-17 12:11:49 CET
Created attachment 5315
pysaml2_SP

This Service Provider example based on pysaml2 needs to be integrated in UMC for SSO functionality with univention-identity-provider.

This BUG depends on: 31861
This issue has been filed against the UCS version "unstable" which does not really exist. Please change the version value.
The SAML specifications can be found here:
http://saml.xml.org/saml-specifications
https://www.oasis-open.org/committees/download.php/35711/sstc-saml-core-errata-2.0-wd-06-diff.pdf
https://www.oasis-open.org/committees/download.php/35387/sstc-saml-bindings-errata-2.0-wd-05-diff.pdf
https://www.oasis-open.org/committees/download.php/35389/sstc-saml-profiles-errata-2.0-wd-06-diff.pdf
https://www.oasis-open.org/committees/download.php/35391/sstc-saml-metadata-errata-2.0-wd-04-diff.pdf
*** Bug 31861 has been marked as a duplicate of this bug. ***
Current interim state:
* pysaml2 has been integrated into UMC-webserver.
* some fixes for simplesamlphp directory-listener handler.
* lasso3 has been imported from jessie and patched to expose the symbol lasso_provider_verify_saml_signature().
* a Debian package for crudesaml has been created and committed into 4.1/component/saml. TODO: ITP, I have contact with a Debian maintainer who would help
* The UMC-server PAM configuration has been converted into a multifile.
* The pam_saml module has been added to the PAM config of UMC.

To test the whole thing please upgrade all packages to UCS 4.1. Then execute:
http://billy.knut.univention.de/~fbest/SAML/install/install_umc_saml
* open a web browser at https://fqdn/umcp/saml/

This should redirect to the IDP, enter password there, you get redirected to UMC. You might see the login dialog (JS not yet implemented), just press F5 and you are logged in. You can use every module which doesn't depend on a password, e.g. the process overview.

The IDP probably (?) currently depends on you being able to resolve the FQDN. Please add it temporarily to /etc/hosts. I might have already fixed this, dunno.
*** Bug 38610 has been marked as a duplicate of this bug. ***
Please have a look at the Jenkins tests, for example here:
http://jenkins.knut.univention.de:8080/job/UCS-4.1/job/UCS-4.1-0/job/Autotest%20MultiEnv/SambaVersion=s3,Systemrolle=master/2/artifact/autotest-090-master-s3.log

Configure /usr/lib/univention-install/34univention-management-console-web-server.inst 2015-08-21 17:56:58.346317016-04:00 (in joinscript_init)
Setting ucs/web/overview/entries/admin/umc/icon
Setting ucs/web/overview/entries/admin/umc/link
Create ucs/web/overview/entries/admin/umc/link/de
Setting ucs/web/overview/entries/admin/umc/priority
File: /var/www/ucs-overview/entries.json
Setting ucs/web/overview/entries/admin/umc/label
Setting ucs/web/overview/entries/admin/umc/label/de
Setting ucs/web/overview/entries/admin/umc/description
Setting ucs/web/overview/entries/admin/umc/description/de
File: /var/www/ucs-overview/entries.json
Error opening Certificate /etc/simplesamlphp/master090.autotest090.local-idp-certificate.crt
140238318905000:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/simplesamlphp/master090.autotest090.local-idp-certificate.crt','r')
140238318905000:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load certificate
(In reply to Stefan Gohmann from comment #6)
> Please have a look at the Jenkins tests, for example here:
> http://jenkins.knut.univention.de:8080/job/UCS-4.1/job/UCS-4.1-0/job/Autotest%20MultiEnv/SambaVersion=s3,Systemrolle=master/2/artifact/autotest-090-master-s3.log

→ fixed, Bug #39255
Everything regarding crudesaml → Bug #39315
I've added a changelog entry: r64539.
(In reply to Stefan Gohmann from comment #9)
> I've added a changelog entry: r64539.

And I've adjusted the description on the login page (r64553 + r64554).
This works so far. Everything else is done in different bugs.
Verified, initial work is done, bugs for remaining issues exist
UCS 4.1 has been released:
https://docs.software-univention.de/release-notes-4.1-0-en.html
https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".