Bug 39399 - Fail safe SAML identity provider
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: SAML
Version: UCS 4.1
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.1
Assigned To: Florian Best
QA Contact: Erik Damrose
interim-2
Blocks: 39479
Reported: 2015-09-24 13:57 CEST by Florian Best
Modified: 2015-11-17 12:11 CET (History)
Description Florian Best univentionstaff 2015-09-24 13:57:29 CEST
We need to ensure that the SAML identity provider is fail safe.
Therefore we install univention-saml on every DC backup, too. Every DC adds itself to a DNS entry, e.g. "ucs-sso.$domainname". (Browsers typically test every A record if one record is not pingable.) → Bug #39386

We need to ensure then that the simplesamlphp sessions are replicated between all these hosts.
The implementation should be done by using a local memcached service which stores all simplesamlphp sessions.
As memcached is completely plaintext and has no encryption, we need to wrap SSL around it.
Every memcached is only accessible via a local UNIX socket.
A stunnel-server creates a TCP port which is externally accessible and does only accept verified SSL connections.
For every IDP-DC a local UNIX socket is created, where a stunnel service runs behind it. The stunnel service redirects every input to the external stunnel service.
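An stunnel layout matching the description above, as an added example rather than Univention's shipped configuration: the server section name is taken from comment 2 and the socket directory from comment 6, while the certificate paths, host names and UNIX-socket support in accept/connect are assumptions.

```ini
; Added example, not the univention-saml package's own stunnel.conf.
; Assumed memcached start on every IdP DC (UNIX socket only, no TCP listener):
;   memcached -s /var/run/univention-saml/memcached.sock -a 660 -u www-data
;
; Server side: expose the local memcached to the other IdP DCs.
; stunnel accepts TLS on 11211 and hands plaintext to the local socket.
; verify = 2 rejects any peer that does not present a certificate signed
; by CAfile, so an unauthenticated client never reaches memcached.
[simplesamlphp_memcache_server]
accept  = 11211
connect = /var/run/univention-saml/memcached.sock
cert    = /etc/stunnel/this-dc.pem          ; assumed path
key     = /etc/stunnel/this-dc.key          ; assumed path
CAfile  = /etc/stunnel/idp-ca.pem           ; assumed path: CA that issued all DC certs
verify  = 2
; checkHost would additionally pin the allowed client names; comment 5
; notes it needs stunnel 5.18 / OpenSSL 1.0.2, so it is left out here.

; Client side: one local UNIX socket per remote IdP DC (dc2 is assumed).
; www-data (simplesamlphp) talks plaintext to the socket; stunnel opens a
; mutually authenticated TLS connection to the remote server section.
[simplesamlphp_memcache_client_dc2]
client  = yes
accept  = /var/run/univention-saml/memcached-dc2.sock
connect = dc2.example.com:11211             ; assumed FQDN of the remote DC
cert    = /etc/stunnel/this-dc.pem
key     = /etc/stunnel/this-dc.key
CAfile  = /etc/stunnel/idp-ca.pem
verify  = 2
```

A quick check after deployment: the only process listening on TCP 11211 should be stunnel, and memcached should appear only with its UNIX socket (e.g. in `ss -lntp` versus `ss -lxp`).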
Comment 1 Erik Damrose univentionstaff 2015-09-28 13:45:07 CEST
r63993: In the joinscript 33univention-saml.inst, please use udm <module> <action> "$@" ...
Currently, nothing will happen: "Unknown or no action defined"
Comment 2 Florian Best univentionstaff 2015-09-29 14:09:53 CEST
So far this is implemented but:

A restart often fails; it seems the daemons don't clean up their sockets:
Error binding service [simplesamlphp_memcache_server] to 0.0.0.0:11211

The socket directory should better be /var/run/univention-saml/ not /usr/share/.... But I had some permission problems with user www-data.
Comment 3 Florian Best univentionstaff 2015-09-29 15:07:47 CEST
http://blog.couchbase.com/memcached-security
Comment 4 Florian Best univentionstaff 2015-10-05 19:45:49 CEST
There is a redirection loop when memcached is down:
https://github.com/simplesamlphp/simplesamlphp/issues/264
Comment 5 Florian Best univentionstaff 2015-10-05 19:48:39 CEST
We need to exclude non-trusted hosts from making an SSL connection to the memcached daemon.
stunnel provides the option "checkHost" for this, but this is only available in stunnel 5.18 (stretch) and OpenSSL 1.0.2 (stretch).
Comment 6 Florian Best univentionstaff 2015-10-09 12:55:47 CEST
(In reply to Florian Best from comment #2)
> So far this is implemented but:
> 
> A restart often fails, it seems the daemons don't cleanup their sockets:
> Error binding service [simplesamlphp_memcache_server] to 0.0.0.0:11211
Meanwhile this doesn't occur anymore. The univention-saml initscript does some more cleanup.

> The socket directory should better be /var/run/univention-saml/ not
> /usr/share/.... But I had some permission problems with user www-data.
→ r64370 | Bug #39399: move saml sockets into /var/run/univention-saml/

(In reply to Florian Best from comment #5)
> We need to exclude non-trusted hosts from making a SSL connection to the
> memcached daemon.
> stunnel provides the option "checkHost" for this, but this is only available
> in stunnel 5.18 (stretch) and OpenSSL 1.0.2 (stretch).
→ Bug #39479
Comment 7 Florian Best univentionstaff 2015-10-27 15:21:44 CET
(In reply to Florian Best from comment #4)
> There is a redirection loop when memcached is down:
> https://github.com/simplesamlphp/simplesamlphp/issues/264
→ Bug #39642
Comment 8 Erik Damrose univentionstaff 2015-11-03 13:42:42 CET
OK: Master and backup register for SSO FQDN (default: ucs-sso.$domainname)
OK: Memcached via stunnel on all servers
OK: Session replication via memcache
OK: Failover basically works, but is currently slow. I will open a new bug to prioritize these issues -> Bug #39727
I added a changelog entry in r65125
-> Verified
Comment 9 Stefan Gohmann univentionstaff 2015-11-17 12:11:36 CET
UCS 4.1 has been released:
https://docs.software-univention.de/release-notes-4.1-0-en.html
https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".