Bug 39227 - Replace UMC-SSO by SAML-SSO
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: SAML
Version: UCS 4.1
Hardware: Other Linux
Importance: P5 normal (vote)
Target Milestone: UCS 4.1
Assigned To: Florian Best
QA Contact: Erik Damrose
interim-2
Depends on:
Blocks:
Reported: 2015-08-20 10:18 CEST by Florian Best
Modified: 2015-11-17 12:12 CET (History)

Description Florian Best univentionstaff 2015-08-20 10:18:15 CEST
The dropdown list in UMC for SSO to other hosts should use the new SAML SSO.
Comment 1 Florian Best univentionstaff 2015-09-08 13:00:54 CEST
The host dropdown now uses SAML SSO (no backwards compatibility, UCS 4.0 systems run into HTTP 404).
All UMC-SSO functionality has been removed (svn r63508) (also no backwards compatibility).

univention-management-console-module-lib (5.0.0-1):
r63508 | Bug #39227: remove UMC SSO feature
r63507 | Bug #39227: update copyright

univention-management-console-frontend (5.0.21-1):
r63508 | Bug #39227: remove UMC SSO feature
r63506 | Bug #39227: let the host dropdown use SAML SSO
Comment 2 Florian Best univentionstaff 2015-09-18 15:55:15 CEST
Removing the builtin SSO broke umc.tools.renewSession().
Comment 3 Florian Best univentionstaff 2015-09-22 11:41:58 CEST
(In reply to Florian Best from comment #2)
> Removing the builtin SSO broke umc.tools.renewSession().
Implemented UMCP GET newsession. It simply puts the current module processes into the background. They shut themselves down after the session timeout. So the behaviour is like the previous SSO, with the difference that it happens in the UMC-server and not in the UMC-Webserver.
Comment 4 Erik Damrose univentionstaff 2015-09-29 16:22:36 CEST
Reopen: When clicking on a link to other hosts the redirect is to <hostname>/univention-management-console/saml/

That link is not available on my Backup.

What about users that did not login via SSO? If that could be detected easily, the redirect should be to the non-sso UMC login page, as it was before.
Comment 5 Florian Best univentionstaff 2015-10-02 14:34:12 CEST
(In reply to Erik Damrose from comment #4)
> Reopen: When clicking on a link to other hosts the redirect is to
> <hostname>/univention-management-console/saml/
> That link is not available on my Backup.
→ This is due to another bug and should be fixed. You need to make sure that all join scripts have been successfully executed.

Well, the URI will be unresolvable if you access a 4.0 system. How do we deal with this?

> What about users that did not login via SSO? If that could be detected
> easily, the redirect should be to the non-sso UMC login page, as it was
> before.
It is *currently* not possible to detect this easily (as the authentication is done in the backend, not in the frontend). Isn't it wanted that they login at the IDP then and get redirected back?
There is also the case that the client cannot resolve the IDP hostname.

Ideas? Decisions?
Comment 6 Stefan Gohmann univentionstaff 2015-10-15 19:50:24 CEST
(In reply to Florian Best from comment #5)
> > What about users that did not login via SSO? If that could be detected
> > easily, the redirect should be to the non-sso UMC login page, as it was
> > before.
> It is *currently* not possible to detect this easily (as the authentication
> is done in the backend, not in the frontend). Isn't it wanted that they
> login at the IDP then and get redirected back?
> There is also the case that the client cannot resolve the IDP hostname.
> 
> Ideas? Decisions?

I think it is OK if we mention it in the release notes.
Comment 7 Florian Best univentionstaff 2015-10-17 23:44:40 CEST
Two new possibilities which came up in my mind:
don't redirect to /umc/saml but only to /umc/, which performs the auto SSO login (this would be a little bit slower)

or/and filter out the hosts which don't have univentionService=U…M…C…

→ I think I'll implement both?
Comment 8 Florian Best univentionstaff 2015-10-19 17:24:04 CEST
(In reply to Florian Best from comment #7)
> Two new possibilities which came up in my mind:
> don't redirect to /umc/saml but only to /umc/, which performs the auto SSO login
> (this would be a little bit slower)
→ done

> or/and filter out the hosts which don't have univentionService=U…M…C…
→ Bug #39592
Comment 9 Erik Damrose univentionstaff 2015-11-02 15:20:21 CET
OK: SSO Redirect from master (4.1) to backup (4.0): UMC Login site

??: Redirect from backup (4.0) to master (4.1): Error 403 (https://master.ucs.local/umcp/sso?loginToken=<xx>).

Reopen:
If it stays this way, we should definitely add an additional release note (not changelog!) entry explaining the behavior.

Maybe we can add a redirect from /umcp/sso to /umc without breaking anything? The apache 403 error page is unpleasant.
Comment 10 Florian Best univentionstaff 2015-11-03 11:18:57 CET
(In reply to Erik Damrose from comment #9)
> Maybe we can add a redirect from /umcp/sso to /umc without breaking
> anything? The apache 403 error page is unpleasant.
I added a redirection to /univention-management-console/.
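The redirect described in comments 9 and 10, as an added illustration that is not UCS code: a minimal WSGI handler that answers the legacy UMC-SSO entry point (`/umcp/sso?loginToken=<xx>`, the URL a UCS < 4.1 host still sends browsers to) with a 302 to `/univention-management-console/` instead of Apache's 403 page. The path names come from the bug; the handler, the `call` helper and the choice to drop the query string (so the old loginToken is not copied into the new Location header, where nothing consumes it) are assumptions of this example, not a description of how UCS implements it.

```python
"""Hypothetical replacement for the legacy /umcp/sso endpoint (example code,
not from UCS). Old UMC-SSO callers are redirected to the UMC root, which then
performs the SAML auto-login on its own."""

UMC_ROOT = "/univention-management-console/"
LEGACY_SSO_PATHS = ("/umcp/sso",)  # assumption: only this legacy path is handled


def legacy_sso_redirect(environ, start_response):
    """WSGI app: 302 legacy SSO URLs to the UMC root, 404 everything else."""
    path = environ.get("PATH_INFO", "")
    if path.rstrip("/") in LEGACY_SSO_PATHS:
        # The query string (QUERY_STRING, carrying loginToken=...) is read
        # nowhere: the new UMC root does not understand the old token, and
        # forwarding it would only leak it into another URL and the logs.
        start_response("302 Found", [("Location", UMC_ROOT),
                                     ("Content-Length", "0")])
        return [b""]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def call(app, path, query=""):
    """Invoke a WSGI app offline and return (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {"PATH_INFO": path, "QUERY_STRING": query}  # constructed request
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # A UCS 4.0 backup sends the browser here after its own UMC-SSO login.
    status, headers, _ = call(legacy_sso_redirect, "/umcp/sso", "loginToken=xx")
    print(status, headers["Location"])  # 302 Found /univention-management-console/
```

Browsers that land on the redirect target without a valid session go through the SAML login there, which is the behaviour comment 11 verified for systems older than 4.1.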
Comment 11 Erik Damrose univentionstaff 2015-11-04 12:03:08 CET
OK: redirects from UCS Systems < 4.1
OK: changelog
Comment 12 Stefan Gohmann univentionstaff 2015-11-17 12:12:32 CET
UCS 4.1 has been released:
 https://docs.software-univention.de/release-notes-4.1-0-en.html
 https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".