Univention Bugzilla – Bug 39627
Regression in Listener breaks existing SP configs, leaks attribute to SP
Last modified: 2015-11-17 12:12:35 CET
listener/univention-saml-simplesamlphp-configuration.py writes the 'attributes' value unconditionally into a SP metadata config file, while adding enabledServiceProviderIdentifier to the assertion, leaking it to the SP. If 'attributes' is an empty array, so the NameID attribute is not in the list of simplesamlLDAPattributes, it will not be set in the assertion, and the user cannot be identified by the SP. The authproc check in the SP metadata definition is too late (60). Lowering it to 10 allows the check of the enabledServiceProviderIdentifier. Only write 'attributes' if the checkbox is true, and automatically add the NameID attribute if the user forgot to do it.
r64803 univention-saml 3.0.24-8.81.201510231548 interim bug, no changelog
I did this on purpose. You have to always write the attributes 'enabledServiceProviderIdentifier' and the name-id attribute to the list of attributes. Otherwise one must activate the checkbox manually which is not explained there.
(In reply to Florian Best from comment #2)
> I did this on purpose. You have to always write the attributes 'enabledServiceProviderIdentifier' and the name-id attribute to the list of attributes.

But adding it there leaks them to the SP. If the checkbox is ticked, only the NameID attribute is required, which is now added by default with my change. enabledServiceProviderIdentifier has to always be read for each user, but that is configured in the univention-ldap authsource via UCR saml/idp/ldap/get_attributes.

> Otherwise one must activate the checkbox manually which is not explained there.

The checkbox states that ticking it allows the transmission of LDAP attributes to the SP, and the attributes are added in the textboxes below.
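To make the before/after behaviour from the description and comment #3 concrete, here is an added Python model (not the listener's own code) of the attribute-release decision: the checkbox flag, the NameID attribute name `uid` and the sample LDAP entry are constructed assumptions.

```python
# Added example (not from univention-saml): models which LDAP attributes a
# generated SP config would release. "uid" as NameID attribute and the sample
# entry below are constructed assumptions.

# Internal flag the IdP reads to decide whether a user may use this SP;
# the bug was that it was also written into the SP's 'attributes' list.
INTERNAL_ATTRS = {"enabledServiceProviderIdentifier"}


def sp_attributes_before(configured_attrs):
    """Before the fix: 'attributes' is written unconditionally and always
    carries the internal identifier, so it ends up in the assertion."""
    return list(configured_attrs) + sorted(INTERNAL_ATTRS)


def sp_attributes_after(release_enabled, nameid_attr, configured_attrs):
    """After the fix: write 'attributes' only if the checkbox is ticked,
    drop internal attributes, and guarantee the NameID attribute is present."""
    if not release_enabled:
        return None  # no 'attributes' key: only the NameID leaves the IdP
    attrs = [a for a in configured_attrs if a not in INTERNAL_ATTRS]
    if nameid_attr not in attrs:
        attrs.insert(0, nameid_attr)
    return attrs


def assertion_attributes(user_entry, nameid_attr, released):
    """Attributes of a user's LDAP entry that reach the SP for a given
    'attributes' list (None means only the NameID attribute is released)."""
    allowed = {nameid_attr} if released is None else set(released)
    return {k: v for k, v in user_entry.items() if k in allowed}


def audit_sp_config(nameid_attr, released):
    """Defender-side check of a generated SP config: flag a leaked internal
    attribute and a missing NameID attribute."""
    problems = []
    if released is None:
        return problems
    for attr in released:
        if attr in INTERNAL_ATTRS:
            problems.append("leaks internal attribute %s to the SP" % attr)
    if nameid_attr not in released:
        problems.append("NameID attribute %s missing; SP cannot identify user" % nameid_attr)
    return problems


# Constructed sample entry; the flag value is a placeholder, not a real SP.
USER = {"uid": "jdoe", "mail": "jdoe@example.org",
        "enabledServiceProviderIdentifier": ["https://sp.example.org/placeholder"]}
```

Running `audit_sp_config("uid", sp_attributes_before([]))` reports both problems the bug describes, while the fixed builder with the checkbox unticked releases nothing beyond the NameID.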
OK: attributes are only sent if allowed
OK: the required attributes are accessible
OK: configuration file is correct
interim version - no changelog required
UCS 4.1 has been released: https://docs.software-univention.de/release-notes-4.1-0-en.html https://docs.software-univention.de/release-notes-4.1-0-de.html If this error occurs again, please use "Clone This Bug".