Univention Bugzilla – Bug 38935
simplesamlphp: ACL evaluation broken
Last modified: 2015-11-17 12:11:56 CET
I created a service provider and granted access to some users. Authentication works but I get an 'Access denied' error message after the login. My current workaround is to disable the ACLs completely in the generated config:

    # 'authproc' => array(
    #     60 => array(
    #         'class' => 'authorize:Authorize',
    #         'regex' => FALSE,
    #         'enabledServiceProviderIdentifier' => array('SAMLServiceProviderIdentifier=https://master10.dev.local/sp/,cn=saml-serviceprovider,cn=univention,dc=dev,dc=local'),
    #     )),

The syslog doesn't really tell things with loglevel == DEBUG.

    Jul 16 13:26:27 master10 simplesamlphp[30986]: 7 [1c65461b16] Session: doLogin("univention-ldap")
    Jul 16 13:26:27 master10 simplesamlphp[30986]: 7 [1c65461b16] Session: Valid session found with 'univention-ldap'.
    Jul 16 13:26:27 master10 simplesamlphp[30986]: 7 [1c65461b16] Session: Valid session found with 'univention-ldap'.
    Jul 16 13:26:27 master10 simplesamlphp[30986]: 7 [1c65461b16] Filter config for https://master10.dev.local/simplesamlphp/saml2/idp/metadata.php->https://master10.dev.local/sp/: array (
      0 => sspmod_core_Auth_Process_LanguageAdaptor::__set_state(array(
        'langattr' => 'preferredLanguage',
        'priority' => 30,
      )),
      1 => sspmod_core_Auth_Process_StatisticsWithAttribute::__set_state(array(
        'attribute' => 'realm',
        'typeTag' => 'saml20-idp-SSO',
        'priority' => 45,
      )),
      2 => sspmod_core_Auth_Process_AttributeLimit::__set_state(array(
        'allowedAttributes' => array ( ),
        'isDefault' => false,
        'priority' => 50,
      )),
      3 => sspmod_authorize_Auth_Process_Authorize::__set_state(array(
        'deny' => false,
        'regex' => false,
        'valid_attribute_values' => array (
          'enabledServiceProviderIdentifier' => array (
            0 => 'SAMLServiceProviderIdentifier=https://master10.dev.local/sp/,cn=saml-serviceprovider,cn=univention,dc=dev,dc=local',
          ),
        ),
        'priority' => 60,
      )),
      4 => sspmod_core_Auth_Process_LanguageAdaptor::__set_state(array(
        'langattr' => 'preferredLanguage',
        'priority' => 99,
      )),
    )
    Jul 16 13:26:27 master10 simplesamlphp[30986]: 5 STAT [1c65461b16] saml20-idp-SSO-first https://master10.dev.local/sp/ https://master10.dev.local/simplesamlphp/saml2/idp/metadata.php NA
    Jul 16 13:26:27 master10 simplesamlphp[30986]: 5 STAT [1c65461b16] saml20-idp-SSO https://master10.dev.local/sp/ https://master10.dev.local/simplesamlphp/saml2/idp/metadata.php NA
    Jul 16 13:26:27 master10 simplesamlphp[30986]: 7 [1c65461b16] Saved state: '_1186d61bf5613b08ef85f2ec74de656ea9ef2d046e:https://master10.dev.local/simplesamlphp/saml2/idp/SSOService.php?spentityid=https%3A%2F%2Fmaster10.dev.local%2Fsp%2F&cookieTime=1437045960&RelayState=wlDrcIPxg4ZVKGdr'
    Jul 16 13:26:27 master10 simplesamlphp[30986]: 7 [1c65461b16] Loading state: '_1186d61bf5613b08ef85f2ec74de656ea9ef2d046e:https://master10.dev.local/simplesamlphp/saml2/idp/SSOService.php?spentityid=https%3A%2F%2Fmaster10.dev.local%2Fsp%2F&cookieTime=1437045960&RelayState=wlDrcIPxg4ZVKGdr'
    Jul 16 13:26:27 master10 simplesamlphp[30986]: 7 [1c65461b16] Template: Reading [/usr/share/simplesamlphp/modules/univentiontheme/dictionaries/univention]
    Jul 16 13:26:27 master10 simplesamlphp[30986]: 7 [1c65461b16] Template: Reading [/usr/share/simplesamlphp/modules/authorize/dictionaries/Authorize]
    Jul 16 13:26:27 master10 simplesamlphp[30986]: 7 [1c65461b16] Template: Reading [/usr/share/simplesamlphp/dictionaries/status]
The problem here is that "enabledServiceProviderIdentifier" was not specified in the "List of ldap attributes to transmit". The attribute should be added automatically by the listener module.
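To make the failure mode concrete, here is an added stand-alone reimplementation (not simplesamlphp's or Univention's code) of how an authorize:Authorize filter with 'regex' => false and 'deny' => false decides: a user is allowed only if the configured attribute is present in the attribute set the IdP transmits and one of its values equals the SP DN. The attribute sets are constructed; the SP DN and filter settings are taken from the report above.

```python
import re

# SP DN from the bug report; it is the only accepted value for the attribute.
SP_DN = ("SAMLServiceProviderIdentifier=https://master10.dev.local/sp/,"
         "cn=saml-serviceprovider,cn=univention,dc=dev,dc=local")

# The Authorize filter settings exactly as they appear in the logged filter config.
AUTHORIZE_CONFIG = {
    "deny": False,
    "regex": False,
    "valid_attribute_values": {"enabledServiceProviderIdentifier": [SP_DN]},
}

def authorize_allows(attributes, config):
    """Mirror the Authorize decision: authorized when at least one configured
    attribute is present and one of its values matches (exact match, or regex
    when 'regex' is true). 'deny' => true inverts the result."""
    matched = False
    for attr, wanted in config["valid_attribute_values"].items():
        for value in attributes.get(attr, []):  # absent attribute: nothing can match
            for pattern in wanted:
                if config["regex"]:
                    matched = matched or re.search(pattern, value) is not None
                else:
                    matched = matched or value == pattern
    return matched != config["deny"]

def explain(attributes, config):
    """Diagnosis for an 'Access denied' page: distinguish a missing attribute
    (the bug here: not in the list of LDAP attributes to transmit) from a
    present attribute whose values simply do not include this SP."""
    attr = next(iter(config["valid_attribute_values"]))
    if attr not in attributes:
        return "denied: attribute %s not transmitted to the filter" % attr
    if authorize_allows(attributes, config):
        return "allowed"
    return "denied: no value of %s matches this SP" % attr

# Constructed attribute sets (what reaches the filter after the LDAP lookup).
ATTRS_BEFORE = {"uid": ["alice"], "preferredLanguage": ["de"]}          # attribute omitted
ATTRS_AFTER = dict(ATTRS_BEFORE, enabledServiceProviderIdentifier=[SP_DN])  # listener adds it
ATTRS_OTHER_SP = dict(ATTRS_BEFORE,
                      enabledServiceProviderIdentifier=[SP_DN.replace("/sp/", "/other/")])

if __name__ == "__main__":
    for name, attrs in (("before", ATTRS_BEFORE), ("after", ATTRS_AFTER), ("other sp", ATTRS_OTHER_SP)):
        print(name, "->", explain(attrs, AUTHORIZE_CONFIG))
```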
Created attachment 7034: patch
I moved the package univention-saml from components into services/.

Package: univention-saml
Version: 3.0.0-1.30.201507231223
Branch: ucs_4.1-0
OK: Added default enabledServiceProviderIdentifier
OK: Changelog
UCS 4.1 has been released:
https://docs.software-univention.de/release-notes-4.1-0-en.html
https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".