Univention Bugzilla – Bug 49687
Allow overwrite of SingleSignOnService and SingleLogoutService
Last modified: 2019-06-19 11:34:21 CEST
Created attachment 10070 [details]
Patch to overwrite SingleSignOnService and SingleLogoutService via UCR

I encountered the following problem at a customer: The customer wanted to have their IdP accessible via an external DNS name (portal.domain.de). portal.domain.de leads to a reverse proxy which gets everything below /simplesamlphp and /univention (except /univention/management) from a UCS backup. I then configured the KB article on the backup (and the UMC, being an SP, on the master accordingly): https://help.univention.com/t/configure-saml-single-sign-on-as-single-server-solution/6681

Strangely, the metadata provided by the IdP served wrong URLs for SingleSignOnService and SingleLogoutService. They either contained just the internal hostname of the system or one of its IP addresses. It seemed the corresponding UCR vars were ignored or overwritten somewhere along the way. We didn't have the time to actually debug the issue further because the customer needed the externally reachable IdP quickly, but proceeded to "overwrite" said values by setting them manually in the template 00_saml20-idp-hosted.php.

For such cases it would be nice to be able to overwrite them via UCR instead of having to change the template. Of course it should only be a temporary workaround while debugging the actual issue. Attached is a patch for the template.
I think it would also work if one changes the IdP entityID via UCR saml/idp/entityID to contain the external DNS name. If that does not work, I would try to make the 'host' variable configurable; it is currently hardcoded to '__DEFAULT__'.
(In reply to Erik Damrose from comment #1)
> I think it would also work if one changes the IdP entityID via UCR
> saml/idp/entityID to contain the external dns name.

That didn't do the trick unfortunately, which is why we hardcoded it.

> If that does not work i would try to make the 'host' variable configurable,
> it is currently hardcoded to '__DEFAULT__'

That's probably a better approach. I'm not sure where "host" is used besides SingleSignOnService and SingleLogoutService, though.