Univention Bugzilla – Bug 47241
Configure SAML Single Sign-On as single server solution not working
Last modified: 2018-08-01 14:54:40 CEST
Configure SAML Single Sign-On as single server solution not working
https://help.univention.com/t/configure-saml-single-sign-on-as-single-server-solution/6681

In univention-saml.conf:

RewriteRule .* - [E=HTTP_AUTHORIZATION:%%{HTTP:Authorization},L]

The "L" prevents further rewrites, which breaks static files served by apache like languages.json.
A customer reported the following workaround works in their environment: Enclose the Rewrite* statements at the bottom of /etc/apache2/sites-available/univention-saml.conf (or its template) with the simplesamlphp directory, so it looks like this:

<Directory /simplesamlphp>
RewriteEngine on
RewriteCond %%{HTTP:Authorization} !^$
RewriteRule .* - [E=HTTP_AUTHORIZATION:%%{HTTP:Authorization},L]
</Directory>
I've removed the flags 'School Customer affected' and 'Enterprise Customer affected' because a ticket or a customer ID is not set.
*** Bug 46563 has been marked as a duplicate of this bug. ***
ba960c85 When operating without a separate VirtualHost for single sign-on, a rewrite rule in the scope of other config rules limited execution of further rewrite rules. This fix restricts the rewrite rule to the single sign-on directory.

univention-saml 5.0.4-20A~4.3.0.201806291057

c6827a7 yaml

I set the yaml options to release the fix for 4.3-0 and 4.3-1. When released, we can remove the preup update blocker introduced by bug 46605.
/etc/apache2/sites-enabled/univention-saml.conf:42: <Directory> was not closed.
ebc1d612 Fix typo in apache config yaml updated
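As an added illustration (not code from this bug or from univention-saml): a small Python lint that applies the two checks this thread turned on, a RewriteRule with the [L] flag outside any <Directory>/<Location>/<Files> container and a container that is never closed, to constructed config samples modelled on the fragments quoted above.

```python
import re

# Constructed samples (not the real univention-saml.conf): the first has the
# unscoped RewriteRule with [L] and an unclosed <Directory>, as reported in
# this bug; the second is the scoped form from the workaround.
BROKEN_CONF = """\
RewriteEngine on
RewriteCond %{HTTP:Authorization} !^$
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
<Directory /simplesamlphp>
    Require all granted
"""
FIXED_CONF = """\
<Directory /simplesamlphp>
    RewriteEngine on
    RewriteCond %{HTTP:Authorization} !^$
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
</Directory>
"""

OPEN_RE = re.compile(r"^\s*<(Directory|Location|Files|VirtualHost)\b[^>]*>", re.I)
CLOSE_RE = re.compile(r"^\s*</(Directory|Location|Files|VirtualHost)\s*>", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+\S+(?:\s+\[([^\]]*)\])?", re.I)
SCOPES = ("directory", "location", "files")  # containers that limit a rule to a path


def lint_rewrite_scope(conf_text):
    """Return [(line_no, message)] for [L] rules outside a path scope and
    for containers that are never closed."""
    findings = []
    stack = []  # open containers as (name, line_no)
    for no, line in enumerate(conf_text.splitlines(), 1):
        if m := OPEN_RE.match(line):
            stack.append((m.group(1), no))
        elif m := CLOSE_RE.match(line):
            if stack and stack[-1][0].lower() == m.group(1).lower():
                stack.pop()
            else:
                findings.append((no, f"unexpected </{m.group(1)}>"))
        elif m := RULE_RE.match(line):
            flags = {f.strip().upper() for f in (m.group(1) or "").split(",")}
            scoped = any(name.lower() in SCOPES for name, _ in stack)
            if "L" in flags and not scoped:
                findings.append((no, "RewriteRule [L] outside <Directory>/<Location>: "
                                     "stops later rewrites for every path"))
    for name, no in stack:  # anything still open at EOF was never closed
        findings.append((no, f"<{name}> was not closed"))
    return findings
```

Running lint_rewrite_scope(BROKEN_CONF) reports line 3 (the unscoped rule) and line 4 (the unclosed Directory), while FIXED_CONF yields no findings.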
--- mirror/ftp/4.3/unmaintained/4.3-1/source/univention-saml_5.0.4-19A~4.3.0.201805241344.dsc +++ apt/ucs_4.3-0-errata4.3-1/source/univention-saml_5.0.4-21A~4.3.0.201807041308.dsc @@ -1,6 +1,11 @@ -5.0.4-19A~4.3.0.201805241344 [Thu, 24 May 2018 13:44:20 +0200] Univention builddaemon <buildd@univention.de>: +5.0.4-21A~4.3.0.201807041308 [Wed, 04 Jul 2018 13:08:29 +0200] Univention builddaemon <buildd@univention.de>: * UCS auto build. No patches were applied to the original source package + +5.0.4-21 [Wed, 04 Jul 2018 13:06:56 +0200] Erik Damrose <damrose@univention.de>: + + * Bug #47241: Fix apache configuration when operating without a separate + VirtualHost for single sign-on 5.0.4-19 [Thu, 24 May 2018 13:43:10 +0200] Felix Botner <botner@univention.de>: <http://10.200.17.11/4.3-1/#8398688827871475628>
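Review bot: the added 5.0.4-21 changelog entry describes the change only as "Fix apache configuration when operating without a separate VirtualHost for single sign-on", and the package version in 4.3-1 jumps from -19A to -21A with no entry for 5.0.4-20 between them in this hunk. Suggest stating what actually changed in the config, e.g. "the HTTP_AUTHORIZATION RewriteRule is now limited to the single sign-on directory so other rewrite rules keep working", and mentioning the follow-up fix for the unclosed <Directory> so the errata text reflects both commits.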
Looks good. But saml/idp/authsource=univention-negotiate doesn't work with this configuration for me.
Config adapted. Only forward HTTP_AUTHORIZATION header to Location /saml-bin.

0c0be64 Fix config to allow SAML+Kerberos login
4d33ac6 yaml

Package: univention-saml
Version: 5.0.4-24A~4.3.0.201807231740

The saml+kerberos configuration has to be adapted and a new SPN for the external fqdn has to be added. Try with these steps. If it works, the SDB article https://help.univention.com/t/6681 will be extended after this feature is published (make sure univention-negotiate is activated: ucr set saml/idp/authsource=univention-negotiate).

spn_account_name="ucs-sso"
servicePrincipalName="HTTP/$FQDN"
samba-tool spn add "$servicePrincipalName" "$spn_account_name"
spn_account_name_password=$(</etc/simplesamlphp/ucs-sso-kerberos.secret)
msdsKeyVersion=$(ldbsearch -H /var/lib/samba/private/sam.ldb \
    samAccountName="$spn_account_name" msDS-KeyVersionNumber \
    | sed -n 's/^msDS-KeyVersionNumber: \(.*\)/\1/p')
ldbmodify -H /var/lib/samba/private/secrets.ldb <<-%EOF
dn: samAccountName=$spn_account_name,CN=Principals
changetype: modify
replace: secret
secret: $spn_account_name_password
-
replace: msDS-KeyVersionNumber
msDS-KeyVersionNumber: $msdsKeyVersion
-
add: servicePrincipalName
servicePrincipalName: $servicePrincipalName
%EOF
cp /var/lib/samba/private/simplesamlphp.keytab /etc/simplesamlphp.keytab

Note: The domain names for the internal and external domain have to be equal, i.e. equal the kerberos realm. Configuring saml+kerberos in any other scenario is out of scope here.
What I tested: SAML with and without samba using the sdb article. The steps in comment 9 are working for me. Kerberos without samba isn't working with the sdb article. As discussed that is not a blocker.

-> Verified
<http://errata.software-univention.de/ucs/4.3/159.html>