Univention Bugzilla – Bug 53432
SAML IdP: Group member comparison should be case insensitive
Last modified: 2022-12-19 13:25:04 CET
A group GRP_teacher was created in a sync mode AD. The group was correctly synchronised to UCS LDAP and also correctly placed in /etc/simplesamlphp/serviceprovider_enabled_groups.json, but in the user's memberOf list it was lowercased. The comparison of the group names should be case insensitive in SAML to prevent authentication rejects caused by case differences.
Another school customer is affected: Teachers and school administrators cannot use certain services because UCS@school components and/or customer components regularly modify the memberOf attribute with the wrong case, causing SAML authentication to fail due to missing permissions. The approach here is now to modify simplesamlphp so that it is possible to specify in the configuration which attributes are to be case-insensitively compared.
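The membership check described in the two comments above, as an added Python example that is not part of the bug report, of simplesamlphp, or of the univention-saml patches. It assumes a layout for serviceprovider_enabled_groups.json (service provider entity ID mapped to a list of group DNs), a hypothetical configuration set naming the attributes to compare case-insensitively, and constructed user attribute sets; the group DNs, user names and SP entity ID are invented. It shows why an exact string compare rejects a user whose memberOf value was rewritten in lower case, why `casefold()` rather than `lower()` is needed for a group such as "Møtörhead Fans", and a small helper that lists memberships differing only in case, which is what an operator needs when looking for the component that writes the wrong case.

```python
import json
import unicodedata

# Constructed sample of /etc/simplesamlphp/serviceprovider_enabled_groups.json.
# The file's layout is an assumption here: SP entity ID -> list of allowed group DNs.
SP_ID = "https://sp.example.com/saml/metadata"
ENABLED_GROUPS_JSON = json.dumps({
    SP_ID: [
        "cn=GRP_teacher,cn=groups,dc=example,dc=com",
        "cn=Møtörhead Fans,cn=groups,dc=example,dc=com",
    ]
})

# Hypothetical configuration option modelled on the approach in the bug: the set of
# LDAP attribute names whose values are compared case-insensitively.
CASE_INSENSITIVE_ATTRIBUTES = {"memberOf"}

# Constructed user attribute sets as the IdP would see them after the LDAP lookup.
# SAMPLE_USER reproduces the bug: memberOf was written in lower case.
SAMPLE_USER = {"uid": ["alice"], "memberOf": ["cn=grp_teacher,cn=groups,dc=example,dc=com"]}
UNICODE_USER = {"uid": ["bob"], "memberOf": ["cn=MØTÖRHEAD FANS,cn=groups,dc=example,dc=com"]}
OTHER_USER = {"uid": ["carol"], "memberOf": ["cn=GRP_student,cn=groups,dc=example,dc=com"]}


def normalize(value: str, case_insensitive: bool) -> str:
    """Canonical form of an attribute value for comparison.

    NFC normalisation makes precomposed and decomposed umlauts compare equal;
    casefold() (rather than lower()) folds non-ASCII letters correctly as well,
    which is what lets a group like 'Møtörhead Fans' match regardless of case.
    """
    value = unicodedata.normalize("NFC", value.strip())
    return value.casefold() if case_insensitive else value


def user_may_use_sp(user_attrs, sp_id, enabled_groups_json, case_insensitive_attrs,
                    group_attr="memberOf"):
    """True if one of the user's groups is enabled for the given service provider."""
    enabled = json.loads(enabled_groups_json).get(sp_id, [])
    ci = group_attr in case_insensitive_attrs
    allowed = {normalize(dn, ci) for dn in enabled}
    return any(normalize(dn, ci) in allowed for dn in user_attrs.get(group_attr, []))


def case_only_mismatches(user_attrs, sp_id, enabled_groups_json, group_attr="memberOf"):
    """Pairs (user value, configured value) that differ only in letter case.

    These are exactly the memberships that fail a strict compare but pass a
    case-insensitive one, i.e. the evidence that some component rewrote the
    attribute with the wrong case.
    """
    enabled = json.loads(enabled_groups_json).get(sp_id, [])
    pairs = []
    for user_dn in user_attrs.get(group_attr, []):
        for cfg_dn in enabled:
            if (normalize(user_dn, False) != normalize(cfg_dn, False)
                    and normalize(user_dn, True) == normalize(cfg_dn, True)):
                pairs.append((user_dn, cfg_dn))
    return pairs


if __name__ == "__main__":
    for user in (SAMPLE_USER, UNICODE_USER, OTHER_USER):
        strict = user_may_use_sp(user, SP_ID, ENABLED_GROUPS_JSON, set())
        loose = user_may_use_sp(user, SP_ID, ENABLED_GROUPS_JSON, CASE_INSENSITIVE_ATTRIBUTES)
        print(user["uid"][0], "strict:", strict, "case-insensitive:", loose,
              "case-only mismatches:", case_only_mismatches(user, SP_ID, ENABLED_GROUPS_JSON))
```

Only whitespace and case are normalised; full DN canonicalisation (RFC 4514 escaping, attribute type aliases) is out of scope for this illustration, so two DNs that differ in escaping would still compare unequal.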
Created attachment 10812: patch for simplesamlphp
Patch for our configuration is: fbest/53432-4.4-case-insensitive-config
Thanks for the patches.

Added 10_add_case_insensitive_comparison_for_ldap_attributes.quilt
svn Revision 19415 + 19416

simplesamlphp 1.16.3-1+deb10u1A~4.4.0.202108301755
7cf1a87b Add case insensitive comparisons for LDAP attributes to service provider config

univention-saml 6.0.3-16A~4.4.0.202108301825
beb1e90aa3 yaml
Verified:
* Functional test pre/post-fix
* Umlauts work too (like in test-group: Møtörhead Fans)
* SVN patch, PHP-Code, listener resync in postinst, debian/changelog and advisories
* No documentation change required
<https://errata.software-univention.de/#/?erratum=4.4x1040>
<https://errata.software-univention.de/#/?erratum=4.4x1041>