Bug 49485 - Make subnet filtering configurable for Kerberos-Auth in SAML-IdP
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: SAML
Version: UCS 4.4
Hardware: Other Mac OS X 10.1
Importance: P5 normal
Target Milestone: UCS 4.4-2-errata
Assigned To: Florian Best
QA Contact: Julia Bremer
Depends on:
Blocks: 50533
Reported: 2019-05-16 09:41 CEST by Michel Smidt
Modified: 2019-11-22 10:18 CET (History)
CC: 3 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.286
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
best: Patch_Available+


Description Michel Smidt univentionstaff 2019-05-16 09:41:29 CEST
Make subnet filtering configurable for Kerberos-Auth in SAML-IdP in the /etc/simplesamlphp/authsources.php
See: https://github.com/simplesamlphp/simplesamlphp/blob/simplesamlphp-1.14/modules/negotiate/docs/negotiate.txt#L149
Comment 1 Erik Damrose univentionstaff 2019-05-16 10:51:33 CEST
The effort to add this is low, just add a UCRv that configures a line in
/etc/univention/templates/files/etc/simplesamlphp/01authsources-negotiate.php

'subnet' => array('127.0.0.0/16','192.168.0.0/16'),
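To make the semantics of the proposed variable concrete, here is an added example (not code from Univention's univention-saml package or from simplesamlphp): it parses a comma-separated list of CIDR networks such as the one above, renders the `'subnet' => array(...)` line quoted in the comment, and decides for a given client address whether Kerberos / HTTP Negotiate would be offered. The variable name is the one from the patch; the assumptions that an empty value means "no restriction" and that the rendered PHP line has exactly this shape are the example's own, and the negotiate module's real address check is not reproduced.

```python
"""Model of the proposed saml/idp/negotiate/filter-subnets setting.

Added example, not code from Univention's univention-saml package or from
simplesamlphp. Assumptions (not taken from the bug): the UCR value is a
comma-separated list of CIDR networks, an unset or empty value means no
restriction, and the rendered PHP line has the shape quoted in comment 1.
The real template and the negotiate module's own address check are not
reproduced here; this is a stand-alone re-implementation of the semantics.
"""
import ipaddress
from typing import List, Optional, Union

UCR_VARIABLE = "saml/idp/negotiate/filter-subnets"   # name from the patch

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_filter_subnets(value: Optional[str]) -> List[Network]:
    """Turn the UCR value into network objects.

    Malformed entries raise ValueError so a typo in the variable fails
    loudly rather than silently widening or narrowing the filter.
    strict=False tolerates host bits (192.168.1.1/16 -> 192.168.0.0/16).
    """
    if value is None or not value.strip():
        return []
    nets: List[Network] = []
    for entry in value.split(","):
        entry = entry.strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def render_authsource_line(nets: List[Network]) -> Optional[str]:
    """Render the 'subnet' entry for the negotiate authsource.

    Returns None when the list is empty, i.e. the key would be left out
    and the negotiate module stays unrestricted (assumption, see above).
    """
    if not nets:
        return None
    quoted = ",".join("'%s'" % net.with_prefixlen for net in nets)
    return "'subnet' => array(%s)," % quoted


def negotiate_allowed(client_ip: str, nets: List[Network]) -> bool:
    """Should this client be offered Kerberos / HTTP Negotiate at all?

    An empty list allows everyone; otherwise the address must lie inside
    one of the configured networks. An address of the other IP family
    never matches (an IPv6 client is not in any IPv4 network).
    """
    if not nets:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in nets)


if __name__ == "__main__":
    # Constructed sample: the value from the comment above and a few
    # made-up client addresses.
    ucr_value = "127.0.0.0/16,192.168.0.0/16"
    nets = parse_filter_subnets(ucr_value)
    print(render_authsource_line(nets))
    for ip in ("192.168.42.7", "127.0.0.1", "127.1.0.1", "10.0.0.5", "::1"):
        print(ip, "->", "negotiate" if negotiate_allowed(ip, nets) else "fall back")
```

Note the `127.1.0.1` case: the example value uses `127.0.0.0/16`, which covers only `127.0.0.0` to `127.0.255.255`, so the rest of the loopback range falls through to the non-Kerberos login. Whoever sets the variable should check each prefix length against the networks the school clients actually sit in, since a too-narrow network silently sends those clients to the password form.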
Comment 2 Michel Smidt univentionstaff 2019-09-09 12:07:07 CEST
Customer asked for it because it would be a workaround for Bug #47242 and blocks the further rollout of schools.
Comment 3 Florian Best univentionstaff 2019-10-11 13:35:35 CEST
Patch in branch git:fbest/49485-saml-negotiate-filter-subnets.

+[saml/idp/negotiate/filter-subnets]
+Description[de]=Beschränkt die Anmeldung per Kerberos / HTTP Negotiate auf Anfragen aus dem angegebenen Subnetz. Der Wert ist eine kommaseparierte Liste von Netzwerken (z.B.: 127.0.0.0/16,192.168.0.0/16).
+Description[en]=Restrict single sign on via Kerberos / HTTP negotiate only to clients requesting from the specified subnet. The value is a comma spearated list of networks (example: 127.0.0.0/16,192.168.0.0/16).
+Type=str
+Categories=saml
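Review bot: the English description has a typo ("spearated" should be "separated"), and neither description says what happens when the variable is unset or empty, which is the first thing an admin deciding whether to leave it blank will ask; state the default explicitly (e.g. "If unset, no restriction applies"). The German text also uses the singular "aus dem angegebenen Subnetz" while the value is a list of networks; "aus den angegebenen Netzwerken" would match the English wording and the example. Minor: the example 127.0.0.0/16 covers only part of the loopback range; if loopback is the intent, 127.0.0.0/8 is the conventional network.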
Comment 4 Florian Best univentionstaff 2019-11-05 13:54:09 CET
univention-saml (6.0.2-9)
0d3489f1a3f4 | Bug #49485: allow to restrict negotiate authentication to certain IP networks

univention-saml.yaml
0d3489f1a3f4 | Bug #49485: allow to restrict negotiate authentication to certain IP networks
Comment 5 Florian Best univentionstaff 2019-11-06 08:07:26 CET
The package didn't declare a build dependency to python-support and therefore the UDM handler was not correctly installed.
This made all tests fail / not be executed:

23:49:25 [master091]   . utils.sh; assert_join
23:49:56 
23:49:56  stdout: Warning: 'univention-saml' is not configured.
23:49:56 Warning: 'univention-management-console-web-server' is not configured.
23:49:56 Error: Not all install files configured: 2 missing
23:49:56 Warning: 'univention-saml' is not configured.
23:49:56 Warning: 'univention-management-console-web-server' is not configured.
23:49:56 Error: Not all install files configured: 2 missing
23:49:56 Warning: 'univention-saml' is not configured.
23:49:56 Warning: 'univention-management-console-web-server' is not configured.
23:49:56 Error: Not all install files configured: 2 missing

join.log:
Object created: cn=serviceprovider,cn=custom attributes,cn=univention,dc=AutoTest091,dc=local
unknown module saml/serviceprovider.

Available Modules are:
…
__JOINERR__:FAILED: /usr/lib/univention-install/91univention-saml.inst

Fixed in:
univention-saml (6.0.2-12)
4b48e227b564 | Bug #49485: add missing build dependency to python-support
Comment 6 Julia Bremer univentionstaff 2019-11-14 18:19:53 CET
UCR variable sets /etc/simplesamlphp/authsources.php: OK
UCR variable description: OK
Only UCS clients in the set subnet can use Kerberos-Auth in SAML: OK
Only Windows clients in the set subnet can use Kerberos-Auth in SAML: OK
YAML: OK
Missing build dependency added: OK


Verified
Comment 7 Arvid Requate univentionstaff 2019-11-20 13:26:51 CET
<http://errata.software-univention.de/ucs/4.4/358.html>