Univention Bugzilla – Bug 50510
Make it possible to configure multiple entity IDs for one IdP
Last modified: 2019-11-27 14:20:10 CET
This is a feature request needed for bug 50324. Azure AD only supports entity IDs for IdPs that are globally unique. You are not allowed to use the same IdP entity ID on two or more domains (this rule even applies if these belong to different customers!). We want to support connecting one UCS domain to multiple Azure domains. That means our SAML IdP must have one unique entity ID for each Azure domain.
Branch: juern/multi-ident
[juern/multi-ident 0b62478ce1] Bug #50510: Make it possible to configure multiple entity IDs for one IdP
[juern/multi-ident 3a16412c9e] Bug #50510: Add 82_saml/44_idp_eintityID_supplement
OK: Configure several more IdPs via UCR saml/idp/entityID/supplement/<identifier>=true + apache2 reload
OK: Get individual IdP metadata from https://$(ucr get ucs/server/sso/fqdn)/simplesamlphp/<identifier>/saml2/idp/metadata.php
~ Testcase did fail in my case

*** START TIME: 2019-11-19 18:49:34 ***
Create saml/idp/entityID/supplement/second_eID
File: /etc/apache2/sites-available/univention-saml.conf
Multifile: /etc/simplesamlphp/metadata/saml20-idp-hosted.php
File: /etc/simplesamlphp/config.php
Module: ox-config
supplement_entityID: "https://ucs-sso.mydomain.intranet/simplesamlphp/second_eID/saml2/idp/metadata.php"
Setting umc/saml/idp-server
Module: setup_saml_sp
Try to download idp metadata (1/60)
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 5108 0 5108 0 0 63602 0 --:--:-- --:--:-- --:--:-- 63850
Reloading univention-management-console-web-server configuration (via systemctl): univention-management-console-web-server.service.
Multifile: /etc/pam.d/univention-management-console
File: /etc/ldap/sasl2/slapd.conf
Module: ox-config
GET SAML login form at: https://ucsmaster.mydomain.intranet/univention/saml/
WARN: could not parse XML/HTML: not well-formed (invalid token): line 17, column 3127
### FAIL ### Problem while reaching login dialog

But maybe that error did occur because 82_saml/30_umc_cert_chain failed earlier. REOPENing in any case for branch merge; we also need documentation for this feature. We can create an additional bug for that if required.
[4.4-2 bcccfc5d3e] Bug #50510: Move simplesamlphp-modules/
[4.4-2 8d4447c4ce] Bug #50510: Make it possible to configure multiple entity IDs for one IdP
[4.4-2 3030e9472a] Bug #50510: Add 82_saml/44_idp_eintityID_supplement
[4.4-2 ec1bd5d2d4] Bug #50510: yaml
[4.4-2 57797e2494] Bug #50510: Merge branch 'juern/multi-ident' into 4.4-2
[4.4-2 90761c8e88] Bug #50510: Revert python-notifier change
[4.4-2 07d618fd98] Bug #50510: yaml2

Package: univention-saml
Version: 6.0.2-15A~4.4.0.201911201731
Branch: ucs_4.4-0
Scope: errata4.4-2
Documentation bug: #50523

univention-saml 6.0.2-15A~4.4.0.201911201731
OK: Configure several more IdPs via UCR saml/idp/entityID/supplement/<identifier>=true + apache2 reload
OK: Get individual IdP metadata from https://$(ucr get ucs/server/sso/fqdn)/simplesamlphp/<identifier>/saml2/idp/metadata.php
OK: yaml
Verified
All saml tests failed in the last jenkins run, is this related to this bug?
REQUEST_URI is undefined outside the apache config :(

20.11.19 23:41:02.785 LISTENER ( ERROR ) : Failed to create /etc/simplesamlphp/metadata.d/https:__master090.autotest090.local_univention_saml_metadata.php:
PHP Fatal error: Uncaught ErrorException: Undefined index: REQUEST_URI in /etc/simplesamlphp/config.php:52
Stack trace:
#0 /etc/simplesamlphp/config.php(52): {closure}(8, 'Undefined index...', '/etc/simplesaml...', 52, Array)
#1 /usr/share/simplesamlphp/lib/SimpleSAML/Configuration.php(124): require('/etc/simplesaml...')
#2 /usr/share/simplesamlphp/lib/SimpleSAML/Configuration.php(252): SimpleSAML_Configuration::loadFromFile('/usr/share/simp...', true)
#3 /usr/share/simplesamlphp/lib/SimpleSAML/Configuration.php(336): SimpleSAML_Configuration::getConfig()
#4 /usr/share/simplesamlphp/lib/SimpleSAML/Logger.php(363): SimpleSAML_Configuration::getInstance()
#5 /usr/share/simplesamlphp/lib/SimpleSAML/Logger.php(403): SimpleSAML\Logger::createLoggingHandler('SimpleSAML\\Logg...')
#6 /usr/share/simplesamlphp/lib/SimpleSAML/Logger.php(179): SimpleSAML\Logger::log(4, 'The class or in...')
#7 /usr/share/simplesamlphp/lib/_autoload_modules.php(68): SimpleSAML\Logger::warning('The class or in...')
#8 [internal function]: temporaryLoader( in /etc/simplesamlphp/config.php on line 52
Package: univention-saml
Version: 6.0.2-17A~4.4.0.201911251558
Branch: ucs_4.4-0
Scope: errata4.4-2

[4.4-2 90761c8e88] Bug #50510: Revert python-notifier change
[4.4-2 07d618fd98] Bug #50510: yaml2
[4.4-2 358421b7d4] Bug #50510: changelog ucs-test
[4.4-2 514ff89cdb] Bug #50510: Fix creation of service provider config
[4.4-2 63ba7f3dc3] Bug #50510: fix typo
[4.4-2 c69a22d4ba] Bug #50510: fix wrong description
[4.4-2 17cc1eb364] Bug #50510: Be more verbose for listener problems
[4.4-2 635f4d3ed6] Bug #50510: Reset IDP metadata used by the umc
[4.4-2 8549e3f5c6] Bug #50510: changelog ucs-test
[4.4-2 c75bfbd4a2] Bug #50510: fix 44_idp_entityID_supplement (again)
[4.4-2 c3f0a68aed] Bug #50510: ensure the HOST header has the same case as in the idp config
[4.4-2 b0090a9a65] Bug #50510: yaml

TLDR
The important commits for univention-saml are:
[4.4-2 514ff89cdb] Bug #50510: Fix creation of service provider config
[4.4-2 c3f0a68aed] Bug #50510: ensure the HOST header has the same case as in the idp config
The first commit fixes that "$_SERVER['REQUEST_URI']" is not set during service provider config creation. The second commit fixes that the hostname which is used to choose the idp config was case sensitive.
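The two failure modes named in the TLDR above (REQUEST_URI missing when the listener runs PHP on the CLI, and a case-sensitive host comparison), shown as added example code that is not the univention-saml config.php; the function name, the default entity ID path, the supplement map and the SSO FQDN are assumptions for illustration.

```php
<?php
// Added example, not univention-saml code. Chooses the IdP entity ID for the
// current request, assuming the URL layout used in this bug:
//   https://<sso-fqdn>/simplesamlphp/<identifier>/saml2/idp/metadata.php
// $supplements mirrors UCR saml/idp/entityID/supplement/<identifier>=true.
function resolveIdpEntityId(array $server, string $ssoFqdn, array $supplements): string
{
    // Assumed default entity ID (the standard simplesamlphp metadata path).
    $default = "https://{$ssoFqdn}/simplesamlphp/saml2/idp/metadata.php";

    // Fix 1: REQUEST_URI only exists when PHP runs under Apache. The listener
    // that writes the service provider config runs on the CLI, where a plain
    // $_SERVER['REQUEST_URI'] access raises the "Undefined index" fatal error
    // from the trace above. The null coalescing operator avoids it.
    $uri = $server['REQUEST_URI'] ?? '';

    // Fix 2: host names are case-insensitive, a plain string comparison is not.
    // Normalise both sides, otherwise a Host header such as
    // "UCS-SSO.mydomain.intranet" would fail to select the IdP config.
    $host = strtolower($server['HTTP_HOST'] ?? '');
    if ($host !== strtolower($ssoFqdn)) {
        return $default;
    }

    // Only identifiers that are explicitly enabled may yield a supplement ID.
    if (preg_match('#^/simplesamlphp/([^/]+)/saml2/idp/#', $uri, $m) === 1
        && !empty($supplements[$m[1]])) {
        return "https://{$ssoFqdn}/simplesamlphp/{$m[1]}/saml2/idp/metadata.php";
    }
    return $default;
}

// Constructed sample inputs.
$supplements = ['second_eID' => true];
$fqdn = 'ucs-sso.mydomain.intranet';

// Apache request for the supplement metadata, Host header in mixed case.
echo resolveIdpEntityId(
    ['REQUEST_URI' => '/simplesamlphp/second_eID/saml2/idp/metadata.php',
     'HTTP_HOST'   => 'UCS-SSO.mydomain.intranet'],
    $fqdn, $supplements), "\n";

// CLI invocation by the listener: no REQUEST_URI, no fatal error, default ID.
echo resolveIdpEntityId([], $fqdn, $supplements), "\n";
```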
Small doc changes on branch (ucr var needs to be set on backups as well): juern/bug50510-doc
Documentation is okay, I merged it at 71e3c9f3

univention-saml 6.0.2-17A~4.4.0.201911251558
OK: Fix creation of service provider config
OK: ensure the HOST header has the same case as in the idp config
OK: ucs-test
OK~ yaml (fix in 3803329)
<http://errata.software-univention.de/ucs/4.4/380.html>