Bug 53432 - SAML IdP: Group member comparison should be case insensitive
SAML IdP: Group member comparison should be case insensitive
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: SAML
UCS 4.4
Other Linux
Importance: P5 normal
Target Milestone: UCS 4.4-8-errata
Assigned To: Erik Damrose
QA Contact: Arvid Requate
Depends on: 53723 55507
Blocks:
Reported: 2021-06-10 16:37 CEST by Dirk Schnick
Modified: 2022-12-19 13:25 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.257
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2021052821000235
Bug group (optional):
Max CVSS v3 score:
best: Patch_Available+


Attachments
patch for simplesamlphp (1.52 KB, patch)
2021-08-30 13:06 CEST, Florian Best

Description Dirk Schnick univentionstaff 2021-06-10 16:37:27 CEST
A group GRP_teacher was created in a sync mode AD. The group was correctly synchronised to UCS LDAP and also correctly placed in /etc/simplesamlphp/serviceprovider_enabled_groups.json, but in the user's memberOf list it was lowercased.

The comparison of the group names should be case insensitive in SAML to prevent authentication rejects caused by case differences.
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2021-08-30 13:01:32 CEST
Another school customer is affected: Teachers and school administrators cannot use certain services because UCS@school components and/or customer components regularly modify the memberOf attribute with the wrong case, causing SAML authentication to fail due to missing permissions.

The approach here is now to modify simplesamlphp so that it is possible to specify in the configuration which attributes are to be case-insensitively compared.
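Added example (Python, not code from univention-saml or the simplesamlphp patch) of the comparison described in Comment 1: the set of attributes to compare case-insensitively comes from configuration, and memberOf values are casefolded before being matched against the groups enabled for a service provider, so a DN that a sync component wrote in a different case still grants access. The JSON layout of serviceprovider_enabled_groups.json, the entity ID and the DNs are constructed assumptions.

```python
"""Case-insensitive group membership check for a SAML service provider."""
import json
import unicodedata

# Constructed sample of serviceprovider_enabled_groups.json. The layout
# (SP entity ID -> list of allowed group DNs) is an assumption, not taken
# from the real file.
ENABLED_GROUPS_JSON = json.dumps({
    "https://sp.example.test/saml/metadata": [
        "cn=GRP_teacher,cn=groups,dc=example,dc=test",
        "cn=Møtörhead Fans,cn=groups,dc=example,dc=test",
    ]
})

# Attributes that the (assumed) configuration marks as case-insensitive.
CASE_INSENSITIVE_ATTRIBUTES = {"memberOf"}


def normalize(value, attribute, case_insensitive):
    """Normalize one attribute value for comparison.

    NFC keeps composed and decomposed umlauts from comparing unequal;
    casefold() rather than lower() makes non-ASCII letters such as ø/ö
    compare equal regardless of case. Attribute names are matched
    case-insensitively because LDAP attribute names are.
    """
    value = unicodedata.normalize("NFC", value.strip())
    if attribute.lower() in {a.lower() for a in case_insensitive}:
        return value.casefold()
    return value


def user_allowed(sp_entity_id, user_attrs,
                 enabled_groups_json=ENABLED_GROUPS_JSON,
                 case_insensitive=CASE_INSENSITIVE_ATTRIBUTES):
    """Return True if any memberOf value of the user matches a group
    enabled for this service provider, using the configured comparison."""
    enabled = json.loads(enabled_groups_json).get(sp_entity_id, [])
    wanted = {normalize(dn, "memberOf", case_insensitive) for dn in enabled}
    return any(normalize(dn, "memberOf", case_insensitive) in wanted
               for dn in user_attrs.get("memberOf", []))
```

With an empty case-insensitive set the function reproduces the rejected login from the report; with memberOf in the set the lowercased DN is accepted.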
Comment 2 Florian Best univentionstaff 2021-08-30 13:06:07 CEST
Created attachment 10812 [details]
patch for simplesamlphp
Comment 3 Florian Best univentionstaff 2021-08-30 13:11:05 CEST
Patch for our configuration is: fbest/53432-4.4-case-insensitive-config
Comment 4 Erik Damrose univentionstaff 2021-08-30 18:44:11 CEST
Thanks for the patches

Added 10_add_case_insensitive_comparison_for_ldap_attributes.quilt
svn Revision 19415 + 19416
simplesamlphp 1.16.3-1+deb10u1A~4.4.0.202108301755

7cf1a87b Add case insensitive comparisons for LDAP attributes to service provider config
univention-saml 6.0.3-16A~4.4.0.202108301825

beb1e90aa3 yaml
Comment 5 Arvid Requate univentionstaff 2021-08-31 11:50:57 CEST
Verified:
* Functional test pre/post-fix
* Umlauts work too (like in test-group: Møtörhead Fans)
* SVN patch, PHP-Code, listener resync in postinst, debian/changelog and advisories
* No documentation change required