Bug 50603 - Enable signed Single Logouts
Status: VERIFIED DUPLICATE of bug 49305
Product: UCS
Classification: Unclassified
Component: SAML
UCS 4.4
Other Linux
Importance: P5 normal
Target Milestone: ---
Assigned To: UCS maintainers
Depends on:
Blocks:
Reported: 2019-12-05 17:39 CET by Valentin Heidelberger
Modified: 2020-01-28 09:18 CET (History)
CC List: 5 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.171
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments
Patch by fbest for signed logouts in saml/univention-saml/listener/univention-saml-simplesamlphp-configuration.py (775 bytes, patch)
2019-12-05 17:39 CET, Valentin Heidelberger

Description Valentin Heidelberger univentionstaff 2019-12-05 17:39:54 CET
Created attachment 10254
Patch by fbest for signed logouts in saml/univention-saml/listener/univention-saml-simplesamlphp-configuration.py

Currently, it's not possible to sign single logouts with the integration of simplesamlphp in UCS.
At least Open-Xchange requires signed single logouts; it just throws an internal server error if the signature is missing. In /var/log/open-xchange/open-xchange.log.0 the following exception can be found:

2019-12-04T14:58:34,671+0100 ERROR [OXWorker-0000088]
com.openexchange.saml.http.SingleLogoutService.handleRequest(SingleLogoutService.java:106)
Error while handling SAML login response
[...]
com.openexchange.exception.OXException: SAML-0007 Categories=ERROR
Message='SAML message validation failed: The response is digitally
signed but its signature cannot be verified. (Response
'_088a4e807c47db283aca9a4e96557951242f07c60f' is not signed via request
URI)'


Florian Best wrote a patch for the listener module univention-saml-simplesamlphp-configuration.py. It's attached and fixes the problem. 

We should allow users to enable signed logouts per service provider object using UDM/UMC.
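As an added illustration of the setting involved (this is not the attached patch, whose contents are not shown on this page, nor UCS project code): in SimpleSAMLphp, signing of logout messages sent to a service provider is controlled per SP in the saml20-sp-remote metadata through the `sign.logout` option, and `validate.logout` covers the opposite direction. The listener module named in the report generates this metadata from UDM objects; whether fbest's patch enables exactly this option is an assumption. Entity ID, endpoints and certificate file name below are constructed placeholders.

```php
<?php
// Added example: one service-provider entry in SimpleSAMLphp's
// metadata/saml20-sp-remote.php. Entity ID, endpoints and the certificate
// file name are constructed placeholders, not values from the bug report.
$metadata['https://ox.example.test/appsuite/api/saml/metadata'] = [
    'entityid' => 'https://ox.example.test/appsuite/api/saml/metadata',
    'AssertionConsumerService' => 'https://ox.example.test/appsuite/api/saml/acs',
    'SingleLogoutService' => 'https://ox.example.test/appsuite/api/saml/sls',
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',

    // Sign LogoutRequest/LogoutResponse messages the IdP sends to this SP.
    // Left unset (the default), the SP receives unsigned logout messages,
    // which is the situation the report describes for Open-Xchange.
    'sign.logout' => true,

    // Require logout messages received from this SP to carry a valid
    // signature, so a forged LogoutRequest cannot end another user's session.
    'validate.logout' => true,

    // The SP's signing certificate, needed to verify signatures from the SP.
    'certificate' => 'ox-sp.crt',
];
```

The two options are independent: `sign.logout` fixes the symptom in the report, while `validate.logout` is the matching check on the IdP side and is worth enabling together with it whenever the SP can sign its own logout messages.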
Comment 1 Michael Grandjean univentionstaff 2019-12-19 13:42:06 CET

*** This bug has been marked as a duplicate of bug 49305 ***
Comment 2 Florian Best univentionstaff 2019-12-19 13:45:10 CET
Yes, duplicate.