Univention Bugzilla – Bug 57320
univention-keycloak: creating saml client for Microsoft 365 fails
Last modified: 2024-06-26 13:03:34 CEST
https://docs.software-univention.de/keycloak-migration/migration-examples/saml.html#microsoft-365-connector

$ curl https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml > /tmp/ms.xml
$ univention-keycloak saml/sp create \
    --metadata-file /tmp/ms.xml \
    --metadata-url urn:federation:MicrosoftOnline \
    --idp-initiated-sso-url-name MicrosoftOnline \
    --name-id-format persistent

Traceback (most recent call last):
  File "/usr/sbin/univention-keycloak", line 3101, in <module>
    sys.exit(main())
  File "/usr/sbin/univention-keycloak", line 3097, in main
    return opt.func(opt) or 0
  File "/usr/sbin/univention-keycloak", line 983, in create_SAML_client
    update_saml_metadata_from_xml(client_id, client_payload_saml, opt.metadata_file, opt.no_ssl_verify)
  File "/usr/sbin/univention-keycloak", line 470, in update_saml_metadata_from_xml
    name_id_format = [name_id_formats[x.text] for x in saml_descriptor_xml.findall('.//{urn:oasis:names:tc:SAML:2.0:metadata}NameIDFormat')]
  File "/usr/sbin/univention-keycloak", line 470, in <listcomp>
    name_id_format = [name_id_formats[x.text] for x in saml_descriptor_xml.findall('.//{urn:oasis:names:tc:SAML:2.0:metadata}NameIDFormat')]
KeyError: 'urn:mace:shibboleth:1.0:nameIdentifier'

Even if I fix that with

diff --git a/services/univention-keycloak/scripts/univention-keycloak b/services/univention-keycloak/scripts/univention-keycloak
index 5fe09afa4c4..2cba2eaf26c 100755
--- a/services/univention-keycloak/scripts/univention-keycloak
+++ b/services/univention-keycloak/scripts/univention-keycloak
@@ -466,8 +466,14 @@ def update_saml_metadata_from_xml(metadata_url, payload, metadata_file, no_ssl_v 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent': 'persistent', 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress': 'email', 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified': 'username', + 'urn:mace:shibboleth:1.0:nameIdentifier': 'username', } - name_id_format = [name_id_formats[x.text] for x in saml_descriptor_xml.findall('.//{urn:oasis:names:tc:SAML:2.0:metadata}NameIDFormat')] + name_id_format = [ + name_id_formats[x.text] + for x in saml_descriptor_xml.findall('.//{urn:oasis:names:tc:SAML:2.0:metadata}NameIDFormat') + if x.text in name_id_formats + ] +

Login to Azure still fails because update_saml_metadata_from_xml now overwrites some command line settings. For the login to work we need:
- Name ID format -> persistent
- Force name ID format -> off

Also create a test with that "univention-keycloak saml/sp create ..." command and check that the config is OK.
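Review bot: the `if x.text in name_id_formats` filter added in this hunk skips unrecognised NameIDFormat URNs silently, and the list it builds is still written into the payload after the command line has been parsed, so an explicit `--name-id-format persistent` is overwritten by whatever the metadata lists; that is the cause of the remaining Azure login failure described under the hunk. Suggest logging each skipped URN and deriving name_id_format from the metadata only when no CLI value was given, so the CLI option keeps precedence. The new `'urn:mace:shibboleth:1.0:nameIdentifier': 'username'` entry should also carry a comment, since mapping a Shibboleth 1.0 identifier format to the Keycloak `username` mapper is a choice about what the SP expects rather than a one-to-one equivalent like the other three entries.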
52ae2f3d0c Bug #57320: Update test to new fixes
ff1202fe4f Bug #57320: CLI options should have precedence over XML file
722642a20c Bug #57320: Choose name_id_format by what's provided by commandline

Successful build
Package: univention-keycloak
Version: 1.0.12-3
Branch: 5.0-0
Scope: errata5.0-8

The CLI options now have precedence over the XML file again. We tested the migration guide for each (ownCloud, Nextcloud, O365, G Suite) with this fix. We added a test that checks that the client's JSON representation doesn't change unexpectedly.
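As an added illustration (not univention-keycloak's own code) of the two fixes described in this thread: NameIDFormat URNs the tool does not know are reported instead of raising KeyError, and an explicit --name-id-format value takes precedence over whatever the SP metadata lists. The sample metadata is constructed to resemble the Microsoft 365 federation metadata from the report, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Keycloak mapper names for the NameIDFormat URNs the tool understands
# (the three entries from the original code); anything else is reported.
NAME_ID_FORMATS = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent": "persistent",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress": "email",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified": "username",
}

# Constructed SP metadata: a Shibboleth 1.0 format first, like the
# Microsoft 365 metadata that triggered the KeyError, then persistent.
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="urn:federation:MicrosoftOnline">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def name_id_formats_from_metadata(xml_text):
    """Return (known Keycloak names, unknown URNs) from SP metadata.

    Metadata fetched from a remote SP is untrusted input; a hardened
    deployment would parse it with defusedxml rather than plain ElementTree.
    """
    root = ET.fromstring(xml_text)
    known, unknown = [], []
    for el in root.findall(f".//{MD_NS}NameIDFormat"):
        fmt = (el.text or "").strip()
        if fmt in NAME_ID_FORMATS:
            known.append(NAME_ID_FORMATS[fmt])
        else:
            unknown.append(fmt)  # reported to the caller, never a KeyError
    return known, unknown


def choose_name_id_format(xml_text, cli_name_id_format=None):
    """CLI option wins; otherwise use the first known format from the metadata.

    Returns (chosen format or None, list of unknown URNs seen in the metadata).
    """
    known, unknown = name_id_formats_from_metadata(xml_text)
    if cli_name_id_format is not None:
        return cli_name_id_format, unknown
    return (known[0] if known else None), unknown
```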
Tests: OK
YAML: OK
Code: OK
Manual execution as mentioned in the migration guide: OK
<https://errata.software-univention.de/#/?erratum=5.0x1072>