Bug 56229 - SAML SP in UMC cannot be forced to use https (behind ssl offloading proxy)
Status: NEW
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
UCS 5.0
Platform: Other Windows NT
Priority/Severity: P5 normal
Assigned To: UMC maintainers
Reported: 2023-06-28 17:27 CEST by Thorsten
Modified: 2023-07-14 16:59 CEST

What kind of report is it?: Development Internal
Description Thorsten univentionstaff 2023-06-28 17:27:05 CEST
The SAML SP in UMC figures out the protocol (http/https) for the URL used as `AssertionConsumerServiceURL` in the AuthnRequest of an SP-initiated SAML SSO based on the currently used protocol scheme.

Quote from the code (5.0-4):
```
Tries to preserve the current scheme (HTTP/HTTPS)
```
See https://github.com/univention/univention-corporate-server/blob/7397c6aad0fe7ba2db82ae958581954c4f372c5f/management/univention-management-console/src/univention/management/console/saml.py#L383

When UCS is running behind an SSL-offloading reverse proxy, "http" is used, when in fact an "https"-based link in AssertionConsumerServiceURL is required.

A UCR option enforcing https could be a solution?
Comment 1 Florian Best univentionstaff 2023-06-28 17:40:12 CEST
(In reply to Thorsten from comment #0)
> When UCS is running behind an SSL-offloading reverse proxy, "http" is used,
> when in fact an "https"-based link in AssertionConsumerServiceURL is required.
So you have a reverse proxy which proxies to http://$UCS/univention/saml/… !?!

> A UCR option enforcing https could be a solution?
Yeah, that is imaginable.

A current workaround is to set a request header "X-UMC-HTTPS: on" in your reverse proxy. But expect it to break somewhen™. I want to change this to use more official headers so that we can use the original handling of Tornado.
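The two things a practitioner wants from this thread are (a) the precedence an SP should apply when deciding which scheme to put into AssertionConsumerServiceURL behind an SSL-offloading proxy, and (b) a way to check what scheme actually ended up in the AuthnRequest the browser was redirected with. The following is an added illustration written for this page; it is not UMC's code and not the fix proposed in the report. The function names, the `FORCE_HTTPS_UCR` switch standing in for the proposed UCR option, the ACS path `/univention/saml/` and all sample values are assumptions. Only the `X-UMC-HTTPS: on` workaround header comes from the thread; `X-Forwarded-Proto` and `X-Scheme` are the headers Tornado itself honours when its `HTTPServer` is started with `xheaders=True`, which is the kind of "official" handling comment 1 refers to.

```python
"""Scheme resolution for a SAML SP's AssertionConsumerServiceURL behind an
SSL-offloading reverse proxy, plus a checker that decodes a redirect-binding
SAMLRequest and reports which scheme the ACS URL carries.

Added example for this bug page, not UMC's own code. resolve_scheme,
acs_url, FORCE_HTTPS_UCR and the sample host/path are assumptions.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit, parse_qs, urlencode

# Hypothetical stand-in for the "UCR option enforcing https" proposed in
# the report. Not a real UCR variable.
FORCE_HTTPS_UCR = False

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"


def resolve_scheme(raw_scheme, headers, force_https=FORCE_HTTPS_UCR):
    """Return the scheme the SP should advertise to the IdP.

    raw_scheme: scheme of the connection the backend actually served, i.e.
                what "preserve the current scheme" yields ("http" when the
                proxy talks plain HTTP to UCS, which is the bug).
    headers:    request headers as a dict; looked up case-insensitively.
    Precedence: explicit force > X-UMC-HTTPS workaround header
                > X-Forwarded-Proto / X-Scheme (set by the proxy) > raw scheme.
    Caveat: only trust the forwarded headers if the proxy overwrites them;
    a header a client can inject lets the client choose the ACS scheme.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if force_https:
        return "https"
    if h.get("x-umc-https", "").strip().lower() == "on":
        return "https"
    # X-Forwarded-Proto may be a chain "https, http"; the first hop is the client's.
    for name in ("x-forwarded-proto", "x-scheme"):
        forwarded = h.get(name, "").split(",")[0].strip().lower()
        if forwarded in ("http", "https"):
            return forwarded
    return raw_scheme


def acs_url(raw_scheme, headers, host, path="/univention/saml/",
            force_https=FORCE_HTTPS_UCR):
    """Build the AssertionConsumerServiceURL that goes into the AuthnRequest."""
    return urlunsplit((resolve_scheme(raw_scheme, headers, force_https),
                       host, path, "", ""))


def build_redirect_location(idp_sso_url, acs):
    """Constructed minimal AuthnRequest carrying `acs`, encoded as the
    HTTP-Redirect binding does it (raw DEFLATE, then base64, then URL-encoded
    into the SAMLRequest query parameter). Returned as a full Location URL."""
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_example" Version="2.0" '
        f'IssueInstant="2023-06-28T15:27:05Z" AssertionConsumerServiceURL="{acs}"/>'
    )
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    raw = deflater.compress(xml.encode()) + deflater.flush()
    return idp_sso_url + "?" + urlencode({"SAMLRequest": base64.b64encode(raw).decode()})


def acs_scheme_from_saml_request(saml_request_b64):
    """Decode a redirect-binding SAMLRequest value and return the ACS URL scheme."""
    raw = base64.b64decode(saml_request_b64)
    root = ET.fromstring(zlib.decompress(raw, -15))
    acs = root.get("AssertionConsumerServiceURL")
    if acs is None:
        raise ValueError("no AssertionConsumerServiceURL in AuthnRequest")
    return urlsplit(acs).scheme


def acs_scheme_from_redirect(location):
    """Same check, starting from the Location header of the redirect to the IdP
    (paste the URL the browser was sent to)."""
    query = parse_qs(urlsplit(location).query)
    return acs_scheme_from_saml_request(query["SAMLRequest"][0])


if __name__ == "__main__":
    host = "ucs.example.com"  # constructed sample
    print("no proxy headers:   ", acs_url("http", {}, host))
    print("X-UMC-HTTPS: on:    ", acs_url("http", {"X-UMC-HTTPS": "on"}, host))
    print("X-Forwarded-Proto:  ", acs_url("http", {"X-Forwarded-Proto": "https"}, host))
    loc = build_redirect_location("https://idp.example.com/sso", acs_url("http", {}, host))
    print("scheme in AuthnRequest:", acs_scheme_from_redirect(loc))
```

To apply the thread's workaround, the proxy has to set the header on every request it forwards to UCS, e.g. `proxy_set_header X-UMC-HTTPS on;` in nginx or `RequestHeader set X-UMC-HTTPS on` in Apache; use a "set" directive rather than an append so that a value supplied by the client is replaced, not passed through. The checker at the end is how to confirm the result: copy the `Location` the browser is redirected to and verify the AuthnRequest's ACS URL starts with `https://` before the IdP ever sees it.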