Bug 53723 - [5.0] SAML IdP: Group member comparison should be case insensitive
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: SAML
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 5.0-0-errata
Assigned To: Erik Damrose
QA Contact: Arvid Requate
Depends on:
Blocks: 53432 55507
Reported: 2021-08-30 19:17 CEST by Erik Damrose
Modified: 2022-12-19 13:25 CET

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.257
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Description Erik Damrose univentionstaff 2021-08-30 19:17:28 CEST
+++ This bug was initially created as a clone of Bug #53432 +++

A group GRP_teacher was created in a sync mode AD. The group was correctly synchronised to UCS LDAP and also correctly placed in /etc/simplesamlphp/serviceprovider_enabled_groups.json, but in the user's memberof list it was lowercased.

The comparison of the group names should be case insensitive in SAML to prevent authentication rejects caused by case differences.
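
The mismatch described above, as an added example that is not part of the bug report or the simplesamlphp patch: a per-service-provider group check that compares DNs exactly, next to one that normalizes case first. The JSON layout (SP entity ID mapped to a list of group DNs), the entity ID, the DNs and all function names are assumptions made for this sketch, and the normalization is simplified (it assumes caseIgnore naming attributes such as cn and dc, and does not handle multi-valued RDNs).

```python
import json

# Constructed sample data. The structure (SP entity ID -> list of group DNs)
# is an assumption for this example, not the documented file format.
ENABLED_GROUPS_JSON = """
{
  "https://sp.example.test/metadata": [
    "cn=GRP_teacher,cn=groups,dc=example,dc=test"
  ]
}
"""

def split_dn(dn):
    """Split a DN into RDN strings on commas that are not backslash-escaped."""
    parts, current, escaped = [], "", False
    for ch in dn:
        if ch == "," and not escaped:
            parts.append(current)
            current = ""
            continue
        current += ch
        # True only when this character is a backslash that is not itself escaped.
        escaped = (ch == "\\") and not escaped
    parts.append(current)
    return parts

def normalize_dn(dn):
    """Lowercase each RDN and trim whitespace around its type and value."""
    rdns = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        rdns.append(attr.strip().lower() + "=" + value.strip().lower())
    return ",".join(rdns)

def is_authorized(sp_entity_id, member_of, enabled_groups):
    """True if any memberOf DN matches an enabled group DN, ignoring case."""
    allowed = {normalize_dn(dn) for dn in enabled_groups.get(sp_entity_id, [])}
    return any(normalize_dn(dn) in allowed for dn in member_of)

def case_sensitive_check(sp_entity_id, member_of, enabled_groups):
    """The failing behaviour: exact string comparison of DNs."""
    return any(dn in enabled_groups.get(sp_entity_id, []) for dn in member_of)

ENABLED = json.loads(ENABLED_GROUPS_JSON)
```

An SP with no entry in the mapping yields an empty allow set, so the check still denies by default after normalization.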
Comment 1 Erik Damrose univentionstaff 2021-08-30 19:35:46 CEST
10_add_case_insensitive_comparison_for_ldap_attributes.quilt
svn 19418
simplesamlphp 1.16.3-1+deb10u2A~5.0.0.202108301929

d86f22c9 Add case insensitive comparisons for LDAP attributes to service provider config
univention-saml 7.0.4-17A~5.0.0.202108301924

2faf47ff yaml
Comment 2 Arvid Requate univentionstaff 2021-08-31 12:00:08 CEST
Verified:
* SVN patch same as in 4.4-8 and applied to simplesamlphp 1.16.3-1+deb10u2A~5.0.0.202108301929
* PHP-Code, listener resync in postinst, debian/changelog
* Neither advisories nor documentation change required
Comment 3 Arvid Requate univentionstaff 2021-08-31 12:01:19 CEST
Sorry, advisories are there obviously.