Bug 31943 - [SSO] UMC Single Sign-On via SAML
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
Version: UCS 4.1
Hardware: Other Linux
Importance: P5 enhancement
Target Milestone: UCS 4.1
Assigned To: Florian Best
QA Contact: Erik Damrose
: interim-2
Duplicates: 31861 38610
Depends on: 31861
Reported: 2013-07-10 13:32 CEST by Jacek Groth
Modified: 2015-11-17 12:11 CET
Bug group (optional): Release Goal

Attachments
pysaml2_SP (30.00 KB, application/x-tar)
2013-07-10 13:32 CEST, Jacek Groth
Description Jacek Groth univentionstaff 2013-07-10 13:32:03 CEST
Created attachment 5315 [details]
pysaml2_SP

This Service Provider example based on pysaml2 needs to be integrated into UMC for
SSO functionality with univention-identity-provider. This bug depends on: 31861
Comment 1 Stefan Gohmann univentionstaff 2014-02-18 21:29:22 CET
This issue has been filed against the UCS version "unstable", which does not really exist. Please change the version value.
Comment 3 Florian Best univentionstaff 2015-07-24 12:04:58 CEST
*** Bug 31861 has been marked as a duplicate of this bug. ***
Comment 4 Florian Best univentionstaff 2015-07-31 16:46:32 CEST
Current interim state:

* pysaml2 has been integrated into UMC-webserver.
* some fixes for the simplesamlphp directory-listener handler.
* lasso3 has been imported from jessie and patched to expose the symbol lasso_provider_verify_saml_signature().
* a debian package for crudesaml has been created and committed into 4.1/component/saml. TODO: ITP, I have contact with a Debian maintainer who would help.
* The UMC-server PAM configuration has been converted into a multifile.
* The pam_saml module has been added to the PAM config of UMC.

To test the whole thing please upgrade all packages to UCS 4.1.
Then execute:
http://billy.knut.univention.de/~fbest/SAML/install/install_umc_saml

* open a web browser at https://fqdn/umcp/saml/
This should redirect to the IDP; enter the password there, and you get redirected to UMC.
You might see the login dialog (JS not yet implemented); just press F5 and you are logged in. You can use every module which doesn't depend on a password, e.g. the process overview.
The IDP probably (?) currently depends on you being able to resolve the FQDN. Please add it temporarily to /etc/hosts. I might have already fixed this, dunno.
Comment 5 Florian Best univentionstaff 2015-08-12 09:43:43 CEST
*** Bug 38610 has been marked as a duplicate of this bug. ***
Comment 6 Stefan Gohmann univentionstaff 2015-08-22 13:29:51 CEST
Please have a look at the Jenkins tests, for example here:
http://jenkins.knut.univention.de:8080/job/UCS-4.1/job/UCS-4.1-0/job/Autotest%20MultiEnv/SambaVersion=s3,Systemrolle=master/2/artifact/autotest-090-master-s3.log

Configure /usr/lib/univention-install/34univention-management-console-web-server.inst
2015-08-21 17:56:58.346317016-04:00 (in joinscript_init)
Setting ucs/web/overview/entries/admin/umc/icon
Setting ucs/web/overview/entries/admin/umc/link
Create ucs/web/overview/entries/admin/umc/link/de
Setting ucs/web/overview/entries/admin/umc/priority
File: /var/www/ucs-overview/entries.json
Setting ucs/web/overview/entries/admin/umc/label
Setting ucs/web/overview/entries/admin/umc/label/de
Setting ucs/web/overview/entries/admin/umc/description
Setting ucs/web/overview/entries/admin/umc/description/de
File: /var/www/ucs-overview/entries.json
Error opening Certificate /etc/simplesamlphp/master090.autotest090.local-idp-certificate.crt
140238318905000:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/simplesamlphp/master090.autotest090.local-idp-certificate.crt','r')
140238318905000:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load certificate
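The join-script failure in the log above is an openssl load error on the simplesamlphp IdP certificate path. As an added example (not part of the bug report, the UCS join script or UCS itself), this shell pre-flight check reports whether that file exists and is a loadable X.509 certificate before the join script is run; the certificate directory and FQDN are parameters, the path pattern is taken from the logged file name, and the demo data at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the bug report or from UCS: pre-flight check for the
# "Error opening Certificate /etc/simplesamlphp/<fqdn>-idp-certificate.crt"
# failure. The path pattern comes from that log line; directory and FQDN are
# parameters so the check can be run against any host.

# check_idp_cert CERT_DIR FQDN
#   returns 0: certificate present and loadable as X.509
#   returns 1: file missing or not readable (the failure seen in the log)
#   returns 2: file present but openssl cannot parse it (not PEM, truncated, ...)
check_idp_cert() {
    cert="$1/$2-idp-certificate.crt"
    if [ ! -r "$cert" ]; then
        echo "missing IdP certificate: $cert" >&2
        return 1
    fi
    # -noout only parses the file; -subject shows whose certificate it is
    if ! openssl x509 -in "$cert" -noout -subject 2>/dev/null; then
        echo "not a loadable certificate: $cert" >&2
        return 2
    fi
    return 0
}

# Constructed demo data: a throw-away directory with a self-signed certificate
# standing in for the IdP certificate (hostname is invented), plus one file
# with junk content to show the second failure mode.
DEMO_DIR=$(mktemp -d)
DEMO_FQDN="idp.example.test"
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$DEMO_FQDN" \
    -keyout "$DEMO_DIR/key.pem" \
    -out "$DEMO_DIR/$DEMO_FQDN-idp-certificate.crt" >/dev/null 2>&1
echo "not a certificate" > "$DEMO_DIR/bogus.example.test-idp-certificate.crt"

# Usage: the three calls exercise the ok / missing / unparseable cases.
check_idp_cert "$DEMO_DIR" "$DEMO_FQDN"
check_idp_cert "$DEMO_DIR" "absent.example.test"
check_idp_cert "$DEMO_DIR" "bogus.example.test"
```

On a UCS host the call would be check_idp_cert /etc/simplesamlphp "$(hostname -f)", run before the join script, so a missing or broken IdP certificate is reported with its path instead of surfacing as the openssl traceback above.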
Comment 7 Florian Best univentionstaff 2015-08-24 14:40:23 CEST
(In reply to Stefan Gohmann from comment #6)
> Please have a look at the Jenkins tests, for example here:
> http://jenkins.knut.univention.de:8080/job/UCS-4.1/job/UCS-4.1-0/job/Autotest%20MultiEnv/SambaVersion=s3,Systemrolle=master/2/artifact/autotest-090-master-s3.log
→ fixed, Bug #39255
Comment 8 Florian Best univentionstaff 2015-09-15 17:35:13 CEST
Everything regarding crudesaml → Bug #39315
Comment 9 Stefan Gohmann univentionstaff 2015-10-16 11:20:47 CEST
I've added a changelog entry: r64539.
Comment 10 Stefan Gohmann univentionstaff 2015-10-16 19:51:43 CEST
(In reply to Stefan Gohmann from comment #9)
> I've added a changelog entry: r64539.

And I've adjusted the description on the login page (r64553 + r64554).
Comment 11 Florian Best univentionstaff 2015-10-19 20:14:46 CEST
This works so far. Everything else is done in different bugs.
Comment 12 Erik Damrose univentionstaff 2015-10-30 08:41:21 CET
Verified, initial work is done, bugs for remaining issues exist
Comment 13 Stefan Gohmann univentionstaff 2015-11-17 12:11:49 CET
UCS 4.1 has been released:
 https://docs.software-univention.de/release-notes-4.1-0-en.html
 https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".