Univention Bugzilla – Bug 55436
UMC SAML metadata download from IdP uses strict check for certs issued by UCS CA
Last modified: 2022-11-18 11:54:54 CET
The UCR module u-m-c/conffiles/setup_saml_sp.py gets called to download the metadata from the SAML IdP; the URL is in UCR umc/saml/idp-server. It is not clear why setup_saml_sp.py has a rather strict policy to only download the metadata if the IdP uses an HTTPS cert signed by the UCS CA. This fails in scenarios where the IdP uses a cert from a different issuer. Workaround to register the UMC is to remove the strict checking: --- management/univention-management-console/conffiles/setup_saml_sp.py +++ management/univention-management-console/conffiles/setup_saml_sp.py @@ -98,8 +98,6 @@ def download_idp_metadata(metadata): print('Try to download idp metadata (%s/60)' % (i + 1)) rc = call([ '/usr/bin/curl', - '--fail', - '--cacert', '/etc/univention/ssl/ucsCA/CAcert.pem', '-o', filename, metadata, ])
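Review bot: dropping `--fail` together with `--cacert` changes more than the trust check. Without `--fail`, curl writes an HTTP error body (for example an error page returned by a proxy) to `filename` and still exits 0, so the `rc` check in the retry loop around `print('Try to download idp metadata (%s/60)' % (i + 1))` would treat a failed download as success and the broken file would be registered as IdP metadata. Keep `--fail`, and make only the CA bundle configurable (for example fall back to the system trust store instead of `/etc/univention/ssl/ucsCA/CAcert.pem`), so the download still verifies the IdP's TLS chain against a trusted root rather than skipping verification entirely.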
If we apply this patch, and if a MITM attack is possible, the domain can be overtaken by a crafted IdP XML file. So maybe we make it configurable via UCR and set the corresponding IP (I guess this is needed for the keycloak app?). Or give keycloak a certificate from the ucsCA.
This bug so far is not about keycloak. The scenario is that the customer reconfigured the IdP FQDN to one different from the UCS domain settings, and is using a certificate to make the IdP available on the internet. I also thought about an additional UCRv the admin has to set to disable the strict checking. If we decide to do it, we should update https://help.univention.com/t/16161
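The comments above converge on making the CA check configurable via UCR rather than removing it. The following Python is an added example of what such a download helper could look like; it is not Univention's code and not the content of setup_saml_sp.py. The UCR variable name `umc/saml/idp-server/cacert`, the hostnames, and the sample metadata are assumptions constructed for the example. It keeps curl's `--fail`, selects the CA bundle from the (hypothetical) UCR variable, and additionally checks that the fetched document is an IdP EntityDescriptor whose entityID matches the configured IdP, which limits what a substituted metadata file could achieve even if the transport check were weakened.

```python
import xml.etree.ElementTree as ET
from subprocess import call

# Defaults as they appear in the bug report (UCS CA bundle path).
UCS_CA = '/etc/univention/ssl/ucsCA/CAcert.pem'
# Hypothetical UCR variable; not an existing Univention setting.
UCR_CACERT_KEY = 'umc/saml/idp-server/cacert'
SAML_MD_NS = 'urn:oasis:names:tc:SAML:2.0:metadata'


def choose_ca_bundle(ucr):
    """Return the CA bundle path curl should trust, or None for the system store.

    Unset  -> strict default: only the UCS CA (current behaviour).
    Empty  -> admin opted into the system trust store (public issuers).
    Path   -> admin-supplied bundle, e.g. the public issuer's chain.
    """
    value = ucr.get(UCR_CACERT_KEY)
    if value is None:
        return UCS_CA
    if value.strip() == '':
        return None
    return value


def build_curl_argv(metadata_url, filename, ucr):
    """Build the curl command line; --fail is always kept so HTTP errors are not
    written to the metadata file with a zero exit status."""
    argv = ['/usr/bin/curl', '--fail', '--silent', '--show-error', '-o', filename]
    cacert = choose_ca_bundle(ucr)
    if cacert is not None:
        argv += ['--cacert', cacert]
    argv.append(metadata_url)
    return argv


def validate_idp_metadata(xml_bytes, expected_entity_id):
    """Accept only an EntityDescriptor for the expected IdP that carries an
    IDPSSODescriptor; return its entityID. Raises ValueError otherwise."""
    root = ET.fromstring(xml_bytes)
    if root.tag != '{%s}EntityDescriptor' % SAML_MD_NS:
        raise ValueError('not a SAML EntityDescriptor: %s' % root.tag)
    entity_id = root.get('entityID')
    if entity_id != expected_entity_id:
        raise ValueError('unexpected entityID %r' % entity_id)
    if root.find('{%s}IDPSSODescriptor' % SAML_MD_NS) is None:
        raise ValueError('metadata does not describe an IdP')
    return entity_id


def download_idp_metadata(metadata_url, filename, ucr, expected_entity_id):
    """Download and validate IdP metadata; returns True only if both steps pass."""
    rc = call(build_curl_argv(metadata_url, filename, ucr))
    if rc != 0:
        return False
    with open(filename, 'rb') as fd:
        validate_idp_metadata(fd.read(), expected_entity_id)
    return True


# Constructed sample metadata for offline testing (not real IdP data).
SAMPLE_METADATA = b"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == '__main__':
    print(build_curl_argv('https://idp.example.test/saml/metadata', '/tmp/idp.xml', {}))
    print(build_curl_argv('https://idp.example.test/saml/metadata', '/tmp/idp.xml',
                          {UCR_CACERT_KEY: ''}))
    print(validate_idp_metadata(SAMPLE_METADATA, 'https://idp.example.test/saml/metadata'))
```

The three-way CA selection keeps the existing strict behaviour as the default, so an admin has to set the variable explicitly to trust a public issuer. For production use the metadata should be parsed with a hardened parser such as defusedxml, since the document comes from the network.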