Bug 57320 - univention-keycloak: creating saml client for Microsoft 365 fails
Status: NEW
Product: UCS
Classification: Unclassified
Component: Keycloak
UCS 5.2
Other Linux
Importance: P5 normal
Assigned To: UCS maintainers
Depends on:
Blocks:
Reported: 2024-05-23 15:28 CEST by Felix Botner
Modified: 2024-05-23 17:38 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.286
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Regression
Max CVSS v3 score:


Description by Felix Botner (univentionstaff), 2024-05-23 15:28:58 CEST
https://docs.software-univention.de/keycloak-migration/migration-examples/saml.html#microsoft-365-connector

$ curl https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml > /tmp/ms.xml

$ univention-keycloak saml/sp create \
  --metadata-file /tmp/ms.xml \
  --metadata-url urn:federation:MicrosoftOnline \
  --idp-initiated-sso-url-name MicrosoftOnline \
  --name-id-format persistent

Traceback (most recent call last):
  File "/usr/sbin/univention-keycloak", line 3101, in <module>
    sys.exit(main())
  File "/usr/sbin/univention-keycloak", line 3097, in main
    return opt.func(opt) or 0
  File "/usr/sbin/univention-keycloak", line 983, in create_SAML_client
    update_saml_metadata_from_xml(client_id, client_payload_saml, opt.metadata_file, opt.no_ssl_verify)
  File "/usr/sbin/univention-keycloak", line 470, in update_saml_metadata_from_xml
    name_id_format = [name_id_formats[x.text] for x in saml_descriptor_xml.findall('.//{urn:oasis:names:tc:SAML:2.0:metadata}NameIDFormat')]
  File "/usr/sbin/univention-keycloak", line 470, in <listcomp>
    name_id_format = [name_id_formats[x.text] for x in saml_descriptor_xml.findall('.//{urn:oasis:names:tc:SAML:2.0:metadata}NameIDFormat')]
KeyError: 'urn:mace:shibboleth:1.0:nameIdentifier'

Even if I fix that with

diff --git a/services/univention-keycloak/scripts/univention-keycloak b/services/univention-keycloak/scripts/univention-keycloak
index 5fe09afa4c4..2cba2eaf26c 100755
--- a/services/univention-keycloak/scripts/univention-keycloak
+++ b/services/univention-keycloak/scripts/univention-keycloak
@@ -466,8 +466,14 @@ def update_saml_metadata_from_xml(metadata_url, payload, metadata_file, no_ssl_v
         'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent': 'persistent',
         'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress': 'email',
         'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified': 'username',
+        'urn:mace:shibboleth:1.0:nameIdentifier': 'username',
     }
-    name_id_format = [name_id_formats[x.text] for x in saml_descriptor_xml.findall('.//{urn:oasis:names:tc:SAML:2.0:metadata}NameIDFormat')]
+    name_id_format = [
+        name_id_formats[x.text]
+        for x in saml_descriptor_xml.findall('.//{urn:oasis:names:tc:SAML:2.0:metadata}NameIDFormat')
+        if x.text in name_id_formats
+    ]
+
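Review bot: mapping urn:mace:shibboleth:1.0:nameIdentifier to 'username' on the added dictionary line means the metadata now yields a 'username' name ID for this SP, which collides with the --name-id-format persistent given on the command line once update_saml_metadata_from_xml applies the metadata-derived value; the metadata list should only fill the setting when no explicit option was passed, not override it. The new `if x.text in name_id_formats` filter avoids the KeyError but silently drops any unmapped format; log the ignored URI so an operator can see why a format advertised in the metadata had no effect. The final `+` line adds a stray blank line at the end of the function and should be dropped.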


Login to Azure still fails because update_saml_metadata_from_xml now overwrites some command-line settings:

For the login to work, we need

- Name ID format -> persistent
- Force name ID format -> off

Also create a test with that "univention-keycloak saml/sp create ..." command and check that the config is ok.
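As an added example (not code from univention-keycloak or from the patch above), the following shows the two behaviours the report asks for: a NameIDFormat lookup that tolerates URIs the tool does not know instead of raising KeyError, and a resolution rule where an explicit --name-id-format wins over the metadata. The sample metadata is constructed for the example, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# SAML NameIDFormat URI -> Keycloak name ID format setting. The three OASIS
# entries are the ones visible in the bug's diff context; the Shibboleth
# entry is the one the reporter's patch proposes to add.
NAME_ID_FORMATS = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent": "persistent",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress": "email",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified": "username",
    "urn:mace:shibboleth:1.0:nameIdentifier": "username",
}

# Constructed SP metadata for the example; it is not the real Microsoft
# federation file, only shaped like it in advertising a Shibboleth format first.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="urn:federation:MicrosoftOnline">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <NameIDFormat>urn:example:made-up-format</NameIDFormat>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def name_id_formats_from_metadata(xml_text):
    """Return (mapped, unmapped): Keycloak names for the formats we know plus
    the raw URIs we do not, so the caller can warn instead of raising KeyError."""
    root = ET.fromstring(xml_text)
    mapped, unmapped = [], []
    for node in root.findall(f".//{MD_NS}NameIDFormat"):
        uri = (node.text or "").strip()
        if uri in NAME_ID_FORMATS:
            mapped.append(NAME_ID_FORMATS[uri])
        else:
            unmapped.append(uri)
    return mapped, unmapped


def resolve_name_id_format(xml_text, cli_value=None):
    """An explicit --name-id-format from the command line wins; the metadata
    is only a fallback and never a reason to abort client creation."""
    mapped, unmapped = name_id_formats_from_metadata(xml_text)
    for uri in unmapped:
        print(f"warning: ignoring unknown NameIDFormat {uri}")
    if cli_value is not None:
        return cli_value
    return mapped[0] if mapped else None
```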