Univention Bugzilla – Bug 51315
saml/univention-saml: migrate to python3
Last modified: 2021-05-25 16:02:50 CEST
The UMC module of saml/univention-saml has to be python3-compatible.
univention-saml has been migrated to Python 3 in:

univention-saml (7.0.2-1)
b61b7235c4a5 | Bug #51315: fix print syntax in UCR conffile
ee3148964d69 | fixup! Bug #51315: migrate SAML listener to Python 3
877244a3add4 | Bug #51315: migrate SAML listener to Python 3
8f68e5d2bd4d | Bug #51315: fix python 3 issues

changelog-5.0-0.xml
ab46c15bca35 | Changelog Bug #51315
I have tested SAML Identity Provider Module in UMC.
If I activate the https://sp.testshib.org/shibboleth-sp service provider I got the following output on https://ucs-sso.slobinger.intranet/simplesamlphp/saml2/idp/metadata.php that does not seem to be valid:

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://ucs-sso.slobinger.intranet/simplesamlphp/saml2/idp/metadata.php">
  <script/>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>[...]</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>[...]</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://ucs-sso.slobinger.intranet/simplesamlphp/saml2/idp/SingleLogoutService.php"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://ucs-sso.slobinger.intranet/simplesamlphp/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
  <md:ContactPerson contactType="technical">
    <md:GivenName>Administrator</md:GivenName>
    <md:EmailAddress>root@ucs5master.slobinger.intranet</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
(In reply to Sebastian Lobinger from comment #2)
> I have tested SAML Identity Provider Module in UMC.
> If I activate the https://sp.testshib.org/shibboleth-sp service provider I
> got the following output on
> https://ucs-sso.slobinger.intranet/simplesamlphp/saml2/idp/metadata.php
> that does not seem to be valid:
>
> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> entityID="https://ucs-sso.slobinger.intranet/simplesamlphp/saml2/idp/
> metadata.php">
> <script/>

This is valid. The <script/> tag has been added by your browser.

curl -k https://10.200.63.2/simplesamlphp/saml2/idp/metadata.php -H 'Host: ucs-sso.slobinger.intranet' | xmllint --pretty 1 -
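Added example, not part of the original comments or of univention-saml: a namespace-aware check that separates IdP metadata as served from a copy taken out of a browser's rendered view, where a foreign element such as <script/> can appear. The function name check_idp_metadata, the host idp.example.test and both sample documents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

def check_idp_metadata(xml_text):
    """Return a list of findings; an empty list means the checks passed."""
    if "<!DOCTYPE" in xml_text:
        return ["DOCTYPE present, refusing to parse"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["not well-formed: %s" % exc]
    findings = []
    if root.tag != "{%s}EntityDescriptor" % MD:
        findings.append("unexpected root element %s" % root.tag)
    if not root.get("entityID"):
        findings.append("missing entityID")
    # Anything outside the SAML metadata / XML-DSig namespaces is foreign,
    # e.g. a <script/> that a browser or extension put into the rendered DOM.
    for elem in root.iter():
        ns = elem.tag[1:].split("}")[0] if elem.tag.startswith("{") else ""
        if ns not in (MD, DS):
            findings.append("foreign element %s" % elem.tag)
    idp = root.find("{%s}IDPSSODescriptor" % MD)
    if idp is None:
        findings.append("missing IDPSSODescriptor")
    elif not any(s.get("Binding") and s.get("Location", "").startswith("https://")
                 for s in idp.findall("{%s}SingleSignOnService" % MD)):
        findings.append("no SingleSignOnService with an https Location")
    return findings

# Constructed samples modelled on the metadata quoted in this bug;
# idp.example.test is a placeholder host, not a value from the page.
_TEMPLATE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/simplesamlphp/saml2/idp/metadata.php">%s
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/simplesamlphp/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
AS_SERVED = _TEMPLATE % ""
AS_COPIED_FROM_BROWSER = _TEMPLATE % "\n  <script/>"

if __name__ == "__main__":
    for name, doc in (("served", AS_SERVED), ("browser copy", AS_COPIED_FROM_BROWSER)):
        print(name, check_idp_metadata(doc) or "ok")
```

Run it against the bytes fetched with curl rather than text copied from the browser, since only the former reflects what a service provider will consume.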
verified:
- code changes seem plausible
- changelog entries exist
- tested SAML Identity Provider Module in UMC
  metadata provided by
  curl -k https://10.200.63.2/simplesamlphp/saml2/idp/metadata.php -H 'Host: ucs-sso.slobinger.intranet'
  seems valid and no errors in listener.log
- activated SP https://ucs5master.slobinger.intranet/univention/saml/metadata and added it to a testgroup, deleted the testgroup after that, also no errors in listener.log
UCS 5.0 has been released:
https://docs.software-univention.de/release-notes-5.0-0-en.html
https://docs.software-univention.de/release-notes-5.0-0-de.html

If this error occurs again, please use "Clone This Bug".