Univention Bugzilla – Bug 48473
The SAML IdP should be available on UCS member server
Last modified: 2020-07-06 16:37:10 CEST
Feedback from an app provider: Currently, the SAML identity provider runs on a UCS domain controller. For access from the Internet, it is required that the domain controller is exposed to the Internet. This regularly causes frowning from customers. It should be possible to make the IdP available on a member server.
Doing this requires the DC Slave or whatever to simply proxy all requests to the DC Master. For security reasons the IdP must not be installed on systems other than a DC Master.
*** Bug 47908 has been marked as a duplicate of this bug. ***
I suggest as a solution that we provide a Debian package univention-saml-idp-proxy which then can act as the IdP and forwards all requests to /simplesamlphp/ to the DC Master. @Professional services: You already have such a configuration for customer projects, could you paste the essential parts of it?
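As an added example (not code from the bug report, from Univention, or from Professional Services), here is the kind of Apache reverse-proxy vhost such a package could install on the member server: it exposes only the /simplesamlphp/ path and hands those requests to the DC Master over TLS with peer verification kept on. The hostnames, certificate paths and CA file location are assumptions.

```apache
# Added example, not the project's own configuration. Hostnames and paths are placeholders.
# Assumes: a2enmod ssl proxy proxy_http headers on the member server, and that
# ucs-sso.example.com resolves to this member server from the Internet while
# master.intranet.example.com is the DC Master reachable only from the inside.
<VirtualHost *:443>
    ServerName ucs-sso.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/ucs-sso.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/ucs-sso.example.com.key

    # Never act as an open forward proxy; only the explicit ProxyPass below is served.
    ProxyRequests Off

    # Keep the client's Host header so the IdP on the master generates its
    # SAML endpoint URLs for the public name. Note that Apache then also uses
    # that Host header for SNI and for the peer-name check, so the master's
    # certificate must be valid for ucs-sso.example.com.
    ProxyPreserveHost On

    # Talk TLS to the master and verify it against the UCS CA (assumed path), so the
    # proxy cannot be pointed at an impostor by DNS or routing tricks.
    SSLProxyEngine On
    SSLProxyVerify require
    SSLProxyCheckPeerName on
    SSLProxyCACertificateFile /etc/univention/ssl/ucsCA/CAcert.pem

    ProxyPass        /simplesamlphp/ https://master.intranet.example.com/simplesamlphp/
    ProxyPassReverse /simplesamlphp/ https://master.intranet.example.com/simplesamlphp/

    # Let the IdP know the original request was HTTPS.
    RequestHeader set X-Forwarded-Proto "https"

    # Deny everything on this vhost except the IdP path, so the exposed surface
    # is exactly the proxied prefix and nothing else on the member server.
    <Location />
        Require all denied
    </Location>
    <Location /simplesamlphp/>
        Require all granted
    </Location>
</VirtualHost>
```

After enabling the site, a quick check is that https://ucs-sso.example.com/simplesamlphp/ answers while any other path on that host returns 403, and that the member server's own web applications are not reachable through the public name.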