Bug 48925 - Make it possible to configure an external SAML IDP for UMC-Webserver
Status: RESOLVED MOVED
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
UCS 4.4
Other Linux
P5 normal
Assigned To: Florian Best
UMC maintainers
https://git.knut.univention.de/univen...
Depends on:
Blocks:
Reported: 2019-03-08 13:47 CET by Jürn Brodersen
Modified: 2021-11-12 14:06 CET (History)
3 users

See Also:
What kind of report is it?: Feature Request
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.023
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
best: Patch_Available+


Attachments
patch (git:fbest/48925-multiple-saml-idp-server) (6.45 KB, patch)
2020-11-19 21:28 CET, Florian Best

Description Jürn Brodersen univentionstaff 2019-03-08 13:47:47 CET
UMC with saml can't handle unknown users

In case an external IdP is configured for the UMC, it could happen that the IdP accepts a user who is not known to the UCS domain. In that case only a generic error is shown, telling the user to check management-console-server.log.

The logged error is:
AUTH        ( ERROR   ) : PAM: authentication error: ('Benutzer bei zu Grunde liegendem Authentifizierungsmodul nicht bekannt', 10)
AUTH        ( ERROR   ) : The authentication has failed, please login again.

It would be nice to have a better error message and the possibility to log out from that account through the UMC.
Comment 1 Florian Best univentionstaff 2019-03-08 13:49:45 CET
Since when do we support external IDPs? That's very new to me.
Comment 2 Jürn Brodersen univentionstaff 2019-03-08 13:55:32 CET
(In reply to Florian Best from comment #1)
> Since when do we support external IDPs? That's very new to me.

OK, let's call it a feature request.
Comment 3 Florian Best univentionstaff 2019-03-08 13:57:32 CET
(In reply to Jürn Brodersen from comment #2)
> (In reply to Florian Best from comment #1)
> > Since when do we support external IDPs? That's very new to me.
> 
> OK, let's call it a feature request.
So, do you want to configure 2 IDPs in the UMC-Webserver or only one external?
Comment 4 Jürn Brodersen univentionstaff 2019-03-08 14:01:20 CET
(In reply to Florian Best from comment #3)
> (In reply to Jürn Brodersen from comment #2)
> > (In reply to Florian Best from comment #1)
> > > Since when do we support external IDPs? That's very new to me.
> > 
> > OK, let's call it a feature request.
> So, do you want to configure 2 IDPs in the UMC-Webserver or only one
> external?

One external, and as long as the user exists in the domain that is already working fine.
Comment 5 Florian Best univentionstaff 2020-11-19 21:28:56 CET
Created attachment 10560 [details]
patch (git:fbest/48925-multiple-saml-idp-server)

Attached is a patch which makes this possible.
By accessing /univention/saml/?idp=$IDP_URL&external one gets redirected to the external IDP and gets redirected back.
All requests to the UMC-Server are then done as anonymous user.
The "get/session-info" request also returns the attributes. We (sh)could add another endpoint for this?!
Currently the UMC-Webserver only requires the attribute uid. If one needs more one can set UCRv 'umc/saml/required_attributes' / 'umc/saml/optional_attributes'.
E.g. "memberOf" for the groups.

One use case would be the Portal server, which could then query the groups from there instead of from a local JSON file.

Question: is anything more expected here in the feature request?
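The flow in comment 5 hands the relying service whatever attributes the external IdP asserts, and the description shows what happens today when the asserted user is unknown to the domain: a generic PAM error. As an added illustration (not UMC code and not part of the attached patch), the following Python sketches the check a relying service can run on the asserted attributes before creating a session: enforce the required/optional attribute lists, confirm that the asserted uid maps to a domain user, and return a specific reason instead of a generic failure. The UCR variable names are taken from comment 5; their comma-separated value format, the in-memory set standing in for the domain's users, and the data shapes are assumptions made for this example.

```python
"""Validate SAML-asserted attributes before a session is created.

Added example, not UMC code. Assumptions (labelled): the UCR variables
umc/saml/required_attributes and umc/saml/optional_attributes hold
comma-separated attribute names (format assumed), and the users known to the
UCS domain are modelled by a constructed in-memory set instead of a directory
lookup.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed UCR-style configuration (the list format is an assumption).
UCR: Dict[str, str] = {
    "umc/saml/required_attributes": "uid,memberOf",
    "umc/saml/optional_attributes": "mail, displayName",
}

# Constructed stand-in for the users known to the UCS domain.
KNOWN_DOMAIN_USERS: Set[str] = {"alice", "bob"}


def parse_attribute_list(value: Optional[str]) -> List[str]:
    """Split a comma-separated UCR value into attribute names (assumed format)."""
    if not value:
        return []
    return [name.strip() for name in value.split(",") if name.strip()]


@dataclass
class SessionDecision:
    """Outcome of evaluating one IdP assertion."""
    accepted: bool
    uid: Optional[str] = None
    attributes: Dict[str, List[str]] = field(default_factory=dict)
    reason: Optional[str] = None


def evaluate_assertion(asserted: Dict[str, List[str]],
                       ucr: Dict[str, str] = UCR,
                       known_users: Set[str] = KNOWN_DOMAIN_USERS) -> SessionDecision:
    """Decide whether an asserted attribute set may become a session.

    `asserted` maps attribute names to value lists, as SAML attributes are
    multi-valued. uid is always required, as comment 5 states; further
    required/optional names come from the UCR variables.
    """
    required = parse_attribute_list(ucr.get("umc/saml/required_attributes"))
    optional = parse_attribute_list(ucr.get("umc/saml/optional_attributes"))
    if "uid" not in required:
        required.insert(0, "uid")

    # Required attributes must be present and non-empty.
    missing = [name for name in required if not asserted.get(name)]
    if missing:
        return SessionDecision(
            False, reason="IdP assertion lacks required attribute(s): %s" % ", ".join(missing))

    uid_values = asserted["uid"]
    if len(uid_values) != 1:
        return SessionDecision(
            False, reason="uid must be single-valued, got %d values" % len(uid_values))
    uid = uid_values[0]

    # The IdP may accept accounts the domain has never heard of; say so plainly
    # instead of failing with a generic authentication error.
    if uid not in known_users:
        return SessionDecision(
            False, uid=uid, reason="user %r accepted by IdP but unknown to the domain" % uid)

    # Forward only the attributes the service asked for; drop anything else the IdP sent.
    kept = {name: asserted[name] for name in required + optional if name in asserted}
    return SessionDecision(True, uid=uid, attributes=kept)


if __name__ == "__main__":
    # Constructed assertions: one known user, one accepted by the IdP but unknown here.
    for sample in ({"uid": ["alice"], "memberOf": ["cn=Domain Users"], "mail": ["alice@example.test"]},
                   {"uid": ["carol"], "memberOf": ["cn=Domain Users"]}):
        decision = evaluate_assertion(sample)
        print(decision.accepted, decision.uid, decision.reason or sorted(decision.attributes))
```

The filtering step matters for the "get/session-info" idea in comment 5: if that endpoint returns the attributes to the caller, returning only the configured required/optional set keeps unrequested IdP data from leaking into the session.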