Univention Bugzilla – Bug 46438
GSuite service provider metadata configuration should be replicated to all ucs-sso systems
Last modified: 2018-08-21 10:08:48 CEST
See also: Bug #45537

The SAML SSO metadata for the gsuite service provider (/etc/simplesamlphp/metadata.include/univention-google-apps-for-work.php) is only present on the UCS Master. When using the "ucs-sso" DNS record to perform a SAML-login, the UCS Master *or* one of the existing UCS Backups delivers the login page. Unfortunately, all UCS Backups will complain that the SAML metadata configuration is missing and show a simplesamlphp error message about metadata not found.
Could the relevant data be stored in LDAP and a listener module write the required files on master & backups? I think I'd prefer that over the way SSL-certificates are distributed.
The workaround is to copy /etc/simplesamlphp/metadata.include/univention-google-apps-for-work.php to all Backups (or systems registered for ucs-sso) and include the file in the template for saml20-sp-remote.php.
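The workaround described in the comment above, written out as a script that can be run on each ucs-sso host. This is an added example, not code from the bug report or from Univention. The include-file path is the one named in the bug; the path of the UCR template for saml20-sp-remote.php, the use of require_once as the include statement, and re-rendering the metadata file with "ucr commit" are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report or from Univention: apply and verify the
# workaround on one ucs-sso host (a UCS Backup). The include-file path is the one
# named in the bug; the UCR template path below is an ASSUMPTION, as is the use of
# require_once as the include statement and of "ucr commit" to re-render the file.

META_FILE="${META_FILE:-/etc/simplesamlphp/metadata.include/univention-google-apps-for-work.php}"
TEMPLATE="${TEMPLATE:-/etc/univention/templates/files/etc/simplesamlphp/metadata/saml20-sp-remote.php}"

# ensure_include TEMPLATE INCLUDE_PATH
# Idempotently adds "require_once('INCLUDE_PATH');" to TEMPLATE. Returns 0 if the
# template references INCLUDE_PATH afterwards, 1 if the template is missing or the
# edit failed.
ensure_include() {
    local template="$1" include="$2" stmt tmp rc
    [ -f "$template" ] || return 1
    # Already there: nothing to do (re-running on every host must be safe).
    if grep -Fq "$include" "$template"; then
        return 0
    fi
    stmt="require_once('$include');"
    if tail -n 1 "$template" | grep -q '^?>[[:space:]]*$'; then
        # The file ends with a closing PHP tag: anything appended after it would be
        # emitted as literal text, not executed. Insert the statement before the tag.
        tmp=$(mktemp) || return 1
        sed '$d' "$template" > "$tmp" && printf '%s\n?>\n' "$stmt" >> "$tmp" \
            && cat "$tmp" > "$template"   # cat keeps the template's permissions
        rc=$?
        rm -f "$tmp"
        [ "$rc" -eq 0 ] || return 1
    else
        printf '%s\n' "$stmt" >> "$template" || return 1
    fi
    grep -Fq "$include" "$template"
}

# check_sso_host META_FILE TEMPLATE
# Verifies both halves of the workaround on this host: the metadata include file
# exists and the template references it. Returns 0 only if both hold. Without the
# include, a Backup answering for ucs-sso serves the "metadata not found" error.
check_sso_host() {
    [ -f "$1" ] || { echo "missing metadata file: $1" >&2; return 1; }
    grep -Fq "$1" "$2" || { echo "template $2 does not include $1" >&2; return 1; }
    return 0
}

# Usage on each Backup, after copying META_FILE from the Master into place with scp:
#   ensure_include "$TEMPLATE" "$META_FILE" \
#     && ucr commit /etc/simplesamlphp/metadata/saml20-sp-remote.php   # assumed
#   check_sso_host "$META_FILE" "$TEMPLATE"
```

The `?>` handling is the part worth noting: a PHP file that ends with a closing tag silently turns anything appended after it into output text, so the include would never execute and the Backup would keep failing with the same error. The script is safe to re-run on every host.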
f226d52f
* Replicate SAML metadata to all SSO servers by storing it in LDAP
* Store values for UCRv saml/idp/ldap/get_attributes for the app in LDAP

Package: univention-google-apps
Version: 2.0.0-6A~4.3.0.201807191630
Branch: ucs_4.3-0
Scope: univention-google-apps
Please make univention-google-apps depend on "univention-saml (>= 5.0.4-23)". It may even have to be "Predepend", so that schema, listener module etc have all been configured... not sure.
(In reply to Daniel Tröder from comment #4) > Please make univention-google-apps depend on "univention-saml (>= 5.0.4-23)". In this case, you need to add the univention-saml package into the app repository. Otherwise, the update could fail.
(In reply to Stefan Gohmann from comment #5)
> (In reply to Daniel Tröder from comment #4)
> > Please make univention-google-apps depend on "univention-saml (>= 5.0.4-23)".
>
> In this case, you need to add the univention-saml package into the app
> repository. Otherwise, the update could fail.

Could an app setting be used instead? The app settings allow depending on a certain UCS version. Could a patch (errata) level also be specified?
I will add the dependency, and in addition add the required errataversion to the app metadata. That way, the update for the app will only be installable once the u-saml package is updated
78ad0b5b Add dependency to required univention-saml version
univention-google-apps 2.0.0-7A~4.3.0.201807241145

I think it is ok to add it as Depends, not Pre-Depends. I will add the required erratalevel to the new app version. That way, the package will have to be installed before the app update is possible.
reopen: the app update is not handled correctly, the metadata will not be replicated.
5d1b2893 Fix package update and metadata replication

Small refactoring: Registering the simplesaml SP config was moved to a separate class method to allow calling only this functionality from multiple places. It is now called on package update to move the saml config into ldap. Also fixed the path to the metadata template file.

univention-google-apps 2.0.0-9A~4.3.0.201807301357
Please move update_saml_configuration code from 40univention-google-apps.inst into separate script.
Created attachment 9621: move update_saml_configuration code into separate script
41d46711 Move metadata generation to separate script
univention-google-apps 2.0.0-10A~4.3.0.201808081617

App updated
OK: metadata is replicated
App Update released