Bug 55436 - UMC SAML metadata download from IdP uses strict check for certs issued by UCS CA
Status: NEW
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
UCS 5.0
Other Linux
Importance: P5 normal
Assigned To: UMC maintainers
Depends on:
Blocks:
Reported: 2022-11-17 15:54 CET by Erik Damrose
Modified: 2022-11-18 11:54 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.086
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2022110921000311
Bug group (optional):
Max CVSS v3 score:
Description Erik Damrose univentionstaff 2022-11-17 15:54:31 CET
The UCR module u-m-c/conffiles/setup_saml_sp.py gets called to download the metadata from the SAML IdP; the URL is in UCR umc/saml/idp-server.

It is not clear why setup_saml_sp.py has a rather strict policy to only download the metadata if the IdP uses an HTTPS cert signed by the UCS CA.

This fails in scenarios where the IdP uses a cert from a different issuer.

The workaround to register the UMC is to remove the strict checking:

--- management/univention-management-console/conffiles/setup_saml_sp.py
+++ management/univention-management-console/conffiles/setup_saml_sp.py
@@ -98,8 +98,6 @@ def download_idp_metadata(metadata):
                print('Try to download idp metadata (%s/60)' % (i + 1))
                rc = call([
                        '/usr/bin/curl',
-                       '--fail',
-                       '--cacert', '/etc/univention/ssl/ucsCA/CAcert.pem',
                        '-o', filename,
                        metadata,
                ])
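Review bot: removing `--fail` in this hunk changes what the retry loop treats as success, not just the trust check: without `--fail`, curl writes an HTTP error body (for example a 404 page) to `filename` and exits 0, so the `rc` returned by `call([...])` reports a successful download for a file that contains no SAML metadata. Dropping `--cacert` moves verification to the system CA store, so an IdP that still presents a UCS-CA-signed certificate is only trusted if that CA is installed there. Suggest keeping `--fail` and replacing the hard-coded `'/etc/univention/ssl/ucsCA/CAcert.pem'` with a configurable bundle path instead of deleting the option.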
Comment 2 Florian Best univentionstaff 2022-11-18 11:06:56 CET
If we apply this patch and a MITM attack is possible, the domain can be taken over by a crafted IdP XML file.
So maybe we make it configurable via UCR and set the corresponding IP (I guess this is needed for the keycloak app?).
Or give keycloak a certificate from the ucsCA.
Comment 3 Erik Damrose univentionstaff 2022-11-18 11:54:54 CET
This bug so far is not about keycloak. The scenario is that the customer reconfigured the IdP FQDN to one different from the UCS domain settings and is using a certificate to make the IdP available on the internet.

I also thought about an additional UCRv the admin has to set to disable the strict checking. If we decide to do it, we should update https://help.univention.com/t/16161
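As an added illustration of the configurable-CA approach discussed in the comments (not Univention's code): the curl command keeps `--fail` and certificate verification, the CA bundle comes from a hypothetical UCR variable `umc/saml/idp-server/cacert` with the UCS CA as default, and the downloaded file is checked to be SAML metadata before it is used. The UCR variable name and the sample documents are assumptions constructed for this example.

```python
import subprocess
import xml.etree.ElementTree as ET

UCS_CA = '/etc/univention/ssl/ucsCA/CAcert.pem'
SAML_MD_NS = '{urn:oasis:names:tc:SAML:2.0:metadata}'

# Constructed sample inputs: a minimal IdP EntityDescriptor and an HTML error page.
SAMPLE_METADATA = (
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    'entityID="https://idp.example.test/saml">'
    '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
    '</md:EntityDescriptor>'
)
SAMPLE_ERROR_PAGE = '<html><body><h1>404 Not Found</h1></body></html>'


def build_curl_command(ucr, metadata_url, filename):
    """Build the metadata download command.

    The CA bundle is read from the hypothetical UCR variable
    umc/saml/idp-server/cacert; unset or empty falls back to the UCS CA.
    Verification is never disabled, and --fail is kept so an HTTP error
    body is not written to the metadata file with exit code 0.
    """
    cacert = ucr.get('umc/saml/idp-server/cacert') or UCS_CA
    return ['/usr/bin/curl', '--fail', '--cacert', cacert, '-o', filename, metadata_url]


def looks_like_saml_metadata(data):
    """True if data is well-formed XML whose root is a SAML 2.0 metadata
    EntityDescriptor or EntitiesDescriptor; error pages and garbage fail."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return False
    return root.tag in (SAML_MD_NS + 'EntityDescriptor', SAML_MD_NS + 'EntitiesDescriptor')


def download_idp_metadata(ucr, metadata_url, filename, run=subprocess.call):
    """Download once and accept the file only if curl succeeded and the
    content parses as SAML metadata; `run` is injectable for testing."""
    if run(build_curl_command(ucr, metadata_url, filename)) != 0:
        return False
    with open(filename, 'rb') as fd:
        return looks_like_saml_metadata(fd.read())
```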