Univention Bugzilla – Bug 48925
Make it possible to configure a external SAML IDP for UMC-Webserver
Last modified: 2021-11-12 14:06:00 CET
UMC with SAML can't handle unknown users

In case an external IdP is configured for the UMC, it could happen that the IdP accepts a user which is not known to the UCS domain. In that case only a generic error is shown to check management-console-server.log. The logged error is:

AUTH ( ERROR ) : PAM: authentication error: ('Benutzer bei zu Grunde liegendem Authentifizierungsmodul nicht bekannt', 10)
AUTH ( ERROR ) : The authentication has failed, please login again.

It would be nice to have a better error message and the possibility to log out from that account through the UMC.
Since when do we support external IDP's? That's very new to me.
(In reply to Florian Best from comment #1)
> Since when do we support external IDP's? That's very new to me.

Ok, let's call it a feature request.
(In reply to Jürn Brodersen from comment #2)
> (In reply to Florian Best from comment #1)
> > Since when do we support external IDP's? That's very new to me.
>
> Ok lets call it a feature request.

So, do you want to configure 2 IDP's in the UMC-Webserver or only one external?
(In reply to Florian Best from comment #3)
> (In reply to Jürn Brodersen from comment #2)
> > (In reply to Florian Best from comment #1)
> > > Since when do we support external IDP's? That's very new to me.
> >
> > Ok lets call it a feature request.
> So, do you want to configure 2 IDP's in the UMC-Webserver or only one
> external?

One external, and as long as the users exist in the domain that is already working fine.
Created attachment 10560 [details]
patch (git:fbest/48925-multiple-saml-idp-server)

Attached is a patch which makes this possible. By accessing /univention/saml/?idp=$IDP_URL&external one gets redirected to the external IDP and gets redirected back. All requests to the UMC-Server are then done as anonymous user. The "get/session-info" request also returns the attributes. We (sh)could add another endpoint for this?!

Currently the UMC-Webserver only requires the attribute uid. If one needs more one can set UCRv 'umc/saml/required_attributes' / 'umc/saml/optional_attributes', e.g. "memberOf" for the groups. One use case would be the Portal server, which could then query the groups from there instead of a local json file.

Question: is anything more expected here in the feature request?
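An added example, not part of the bug, the attached patch or the UMC code base: a Python sketch of the attribute handling described in the comment above, which also produces a descriptive error for the unknown-user case from the bug description instead of the generic PAM message. The two UCR variable names come from the comment; their comma-separated value format, the `KNOWN_USERS` set standing in for the domain and the function names are assumptions.

```python
# Added example, not from the Univention patch: models the checks an external-IdP
# SAML login needs so that a user the IdP accepts but the domain does not know
# gets a descriptive error instead of the generic PAM "user not known" message.
from typing import Dict, List, Optional

# Constructed stand-in for the two UCR variables named in the comment;
# the comma-separated value format is an assumption.
UCR = {
    "umc/saml/required_attributes": "uid",
    "umc/saml/optional_attributes": "memberOf,mail",
}
KNOWN_USERS = {"alice", "bob"}  # constructed stand-in for the users of the UCS domain


class SamlAttributeError(Exception):
    """The IdP assertion cannot be mapped to a domain session."""


def _ucr_list(key: str) -> List[str]:
    """Split a comma-separated UCR value into a list, dropping blanks."""
    return [v.strip() for v in UCR.get(key, "").split(",") if v.strip()]


def session_info(attributes: Dict[str, List[str]], known_users=KNOWN_USERS) -> Dict[str, object]:
    """Build a 'get/session-info' style result from {attribute name: [values]}."""
    required = _ucr_list("umc/saml/required_attributes")
    if "uid" not in required:  # uid is always needed to name the user
        required.insert(0, "uid")
    optional = _ucr_list("umc/saml/optional_attributes")
    missing = [a for a in required if not attributes.get(a)]
    if missing:
        raise SamlAttributeError("assertion lacks required attribute(s): " + ", ".join(missing))
    uid = attributes["uid"][0]
    if uid not in known_users:
        # The case from the bug description: accepted by the IdP, unknown to the domain.
        raise SamlAttributeError("user %r was authenticated by the external IdP "
                                 "but does not exist in the UCS domain" % uid)
    wanted = required + [a for a in optional if a not in required]
    return {"username": uid,
            "attributes": {a: list(attributes[a]) for a in wanted if a in attributes}}


def login_error(attributes: Dict[str, List[str]]) -> Optional[str]:
    """Return the error message a login would show, or None when it succeeds."""
    try:
        session_info(attributes)
    except SamlAttributeError as exc:
        return str(exc)
    return None
```

Only the required and optional attributes are copied into the session result, so extra attributes an IdP sends are dropped rather than exposed through "get/session-info".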