Bug 49687 - Allow overwrite of SingleSignOnService and SingleLogoutService
Status: NEW
Product: UCS
Classification: Unclassified
Component: SAML
UCS 4.4
Other Linux
Importance: P5 normal
Assigned To: UCS maintainers
UCS maintainers
Depends on:
Blocks:
Reported: 2019-06-19 10:40 CEST by Valentin Heidelberger
Modified: 2019-06-19 11:34 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.046
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments
Patch to overwrite SingleSignOnService and SingleLogoutService via UCR (1.00 KB, patch)
2019-06-19 10:40 CEST, Valentin Heidelberger

Description Valentin Heidelberger univentionstaff 2019-06-19 10:40:24 CEST
Created attachment 10070
Patch to overwrite SingleSignOnService and SingleLogoutService via UCR

I encountered the following problem at a customer:

The customer wanted to have their IdP accessible via an external DNS name (portal.domain.de). portal.domain.de leads to a reverse proxy which gets everything below /simplesamlphp and /univention (except /univention/management) from a UCS backup. I then applied the KB article on the backup (and configured the UMC, being an SP, on the master accordingly):

https://help.univention.com/t/configure-saml-single-sign-on-as-single-server-solution/6681

Strangely, the metadata provided by the IdP served wrong URLs for SingleSignOnService and SingleLogoutService. They either contained just the internal hostname of the system or one of its IP addresses. It seemed the corresponding UCR vars were ignored or overwritten somewhere along the way. We didn't have the time to actually debug the issue further because the customer needed the externally reachable IdP quickly, but proceeded to "overwrite" said values by setting them manually in the template 00_saml20-idp-hosted.php.

For such cases, it would be nice to be able to overwrite them via UCR instead of having to change the template. Of course it should only be a temporary workaround while debugging the actual issue.

Attached is a patch for the template.
Comment 1 Erik Damrose univentionstaff 2019-06-19 10:50:06 CEST
I think it would also work if one changes the IdP entityID via UCR saml/idp/entityID to contain the external dns name.

If that does not work I would try to make the 'host' variable configurable, it is currently hardcoded to '__DEFAULT__'
Comment 2 Valentin Heidelberger univentionstaff 2019-06-19 11:34:21 CEST
(In reply to Erik Damrose from comment #1)
> I think it would also work if one changes the IdP entityID via UCR
> saml/idp/entityID to contain the external dns name.

That didn't do the trick unfortunately, which is why we hardcoded it.
 
> If that does not work i would try to make the 'host' variable configurable,
> it is currently hardcoded to '__DEFAULT__'

That's probably a better approach. I'm not sure where "host" is used besides SingleSignOnService and SingleLogoutService, though.
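The quickest way to confirm the symptom in the description (endpoints advertised under the internal hostname or an IP) and to test the entityID suggestion from comment 1 is to pull the IdP metadata and check every SingleSignOnService and SingleLogoutService Location, plus the entityID host, against the external name. The script below is an added example for that check; it is not part of this bug report, the attached patch or UCS. The external name portal.domain.de is taken from the report; the internal hostname, the IP address and the .php paths in the constructed sample metadata are assumptions made only to reproduce the reported symptom offline.

```python
"""Added example (not part of this bug report or of UCS): verify that an IdP's
SAML 2.0 metadata advertises its endpoints under the expected external name.

The reported symptom is metadata whose SingleSignOnService and
SingleLogoutService Locations carry the internal hostname or an IP address
instead of the reverse-proxy name. This script flags exactly that, and also
reports when the entityID host differs from the expected name.
"""
import ipaddress
import sys
from typing import Dict, List
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ENDPOINT_TAGS = ("SingleSignOnService", "SingleLogoutService")

# Constructed sample reproducing the reported symptom. portal.domain.de is the
# external name from the report; the internal hostname backup.domain.intranet,
# the IP address 10.200.0.12 and the .php paths are assumptions for illustration.
BROKEN_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://portal.domain.de/simplesamlphp/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://10.200.0.12/simplesamlphp/saml2/idp/SingleLogoutService.php"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://backup.domain.intranet/simplesamlphp/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# The same document as it should look once both endpoints use the external name.
FIXED_METADATA = BROKEN_METADATA.replace(
    "https://10.200.0.12/", "https://portal.domain.de/"
).replace("https://backup.domain.intranet/", "https://portal.domain.de/")


def _is_ip(host: str) -> bool:
    """True if host is a literal IPv4/IPv6 address (urlparse strips IPv6 brackets)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def endpoint_locations(metadata_xml: str) -> Dict[str, List[str]]:
    """Return the Location of every SSO and SLO endpoint, keyed by element name."""
    root = ET.fromstring(metadata_xml)
    return {
        tag: [el.get("Location", "") for el in root.iter("{%s}%s" % (MD_NS, tag))]
        for tag in ENDPOINT_TAGS
    }


def check_metadata(metadata_xml: str, expected_host: str, scheme: str = "https") -> List[str]:
    """Return a list of findings; an empty list means the metadata is as expected."""
    findings = []
    root = ET.fromstring(metadata_xml)
    entity_host = urlparse(root.get("entityID", "")).hostname or ""
    if entity_host.lower() != expected_host.lower():
        findings.append("entityID host is %r, expected %r" % (entity_host, expected_host))
    for tag, locations in endpoint_locations(metadata_xml).items():
        if not locations:
            findings.append("%s: no endpoint advertised" % tag)
        for loc in locations:
            url = urlparse(loc)
            host = url.hostname or ""
            if url.scheme != scheme:
                findings.append("%s: %s uses scheme %r, expected %r" % (tag, loc, url.scheme, scheme))
            if _is_ip(host):
                findings.append("%s: %s points at a bare IP address" % (tag, loc))
            elif host.lower() != expected_host.lower():
                findings.append("%s: %s points at %r, expected %r" % (tag, loc, host, expected_host))
    return findings


def main(argv: List[str]) -> int:
    # Usage: python check_idp_metadata.py [EXPECTED_HOST [metadata.xml]]
    # Without a file argument the constructed broken sample is checked.
    expected = argv[1] if len(argv) > 1 else "portal.domain.de"
    xml_text = open(argv[2]).read() if len(argv) > 2 else BROKEN_METADATA
    findings = check_metadata(xml_text, expected)
    for line in findings:
        print("FAIL:", line)
    if findings:
        print("%d problem(s) found" % len(findings))
        return 1
    print("OK: entityID and all endpoints use %s" % expected)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To use it against a real installation, save the IdP's metadata document to a file (the metadata URL depends on the installation, so it is not hardcoded here) and run the script with the external name and that file as arguments; a non-zero exit code means at least one Location or the entityID still carries an internal name or an IP, which is what the report observed even after the UCR variables were set.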