Bug 39627 – Regressions in Listener breaks existing SP configs, leaks attribute to SP

Bug 39627 - Regressions in Listener breaks existing SP configs, leaks attribute to SP


Summary:	Regressions in Listener breaks existing SP configs, leaks attribute to SP

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	SAML
Version:	UCS 4.1
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 4.1
Assigned To:	Erik Damrose
QA Contact:	Florian Best

URL:
Keywords:	interim-2

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2015-10-23 15:45 CEST by Erik Damrose
Modified:	2015-11-17 12:12 CET (History)
CC List:	2 users (show)

See Also:
What kind of report is it?:	---
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Erik Damrose

2015-10-23 15:45:10 CEST

listener/univention-saml-simplesamlphp-configuration.py writes the 'attributes' value unconditionally into a SP metadata config file, while adding enabledServiceProviderIdentifier to the assertion, leaking it to the SP.

If 'attributes' is an empty array, so the NameID attribute is not in the list of simplesamlLDAPattributes, it will not be set in the assertion, and the user can not be identified by the SP.

The authproc check in the sp metadata definition is to late (60). Lowering it to 10 allows the check of the enabledServiceProviderIdentifier.

Only write 'attributes' if the checkbox is true, and automatically add the nameid attribute if the user forgot to do it.

Comment 1 Erik Damrose

2015-10-23 15:49:38 CEST

r64803 univention-saml 3.0.24-8.81.201510231548
interim bug, no changelog

Comment 2 Florian Best

2015-10-26 09:59:44 CET

I did this on purpose. You have to always write the attributes 'enabledServiceProviderIdentifier' and the name-id attribute to the list of attributes. Otherwise one must activate the checkbox manually which is not explained there.

Comment 3 Erik Damrose

2015-10-26 12:57:54 CET

(In reply to Florian Best from comment #2)
> I did this on purpose. You have to always write the attributes
> 'enabledServiceProviderIdentifier' and the name-id attribute to the list of
> attributes.

But adding it there leaks them to the SP. If the checkbox is ticked only the NameID Attribute is required, which is now added by default with my change.
enabledServiceProviderIdentifier has to always be read for each user, but that is configured in the univention-ldap authsource via UCR saml/idp/ldap/get_attributes

> Otherwise one must activate the checkbox manually which is not explained there.

The checkbox states that ticking it allows the transmissions of ldap attributes to the SP, and the attributes are added in the textboxes below.

Comment 4 Florian Best

2015-11-03 13:58:48 CET

OK: attributes are only send if allowed
OK: the required attributes are accessible
OK: configuration file is correct
interim-version - no changelog required

Comment 5 Stefan Gohmann

2015-11-17 12:12:35 CET

UCS 4.1 has been released:
 https://docs.software-univention.de/release-notes-4.1-0-en.html
 https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".