Univention Bugzilla – Bug 57320
univention-keycloak: creating saml client for Microsoft 365 fails
Last modified: 2024-05-23 17:38:59 CEST
https://docs.software-univention.de/keycloak-migration/migration-examples/saml.html#microsoft-365-connector

$ curl https://nexus.microsoftonline-p.com/federationmetadata/saml20/federationmetadata.xml > /tmp/ms.xml
$ univention-keycloak saml/sp create \
    --metadata-file /tmp/ms.xml \
    --metadata-url urn:federation:MicrosoftOnline \
    --idp-initiated-sso-url-name MicrosoftOnline \
    --name-id-format persistent
Traceback (most recent call last):
  File "/usr/sbin/univention-keycloak", line 3101, in <module>
    sys.exit(main())
  File "/usr/sbin/univention-keycloak", line 3097, in main
    return opt.func(opt) or 0
  File "/usr/sbin/univention-keycloak", line 983, in create_SAML_client
    update_saml_metadata_from_xml(client_id, client_payload_saml, opt.metadata_file, opt.no_ssl_verify)
  File "/usr/sbin/univention-keycloak", line 470, in update_saml_metadata_from_xml
    name_id_format = [name_id_formats[x.text] for x in saml_descriptor_xml.findall('.//{urn:oasis:names:tc:SAML:2.0:metadata}NameIDFormat')]
  File "/usr/sbin/univention-keycloak", line 470, in <listcomp>
    name_id_format = [name_id_formats[x.text] for x in saml_descriptor_xml.findall('.//{urn:oasis:names:tc:SAML:2.0:metadata}NameIDFormat')]
KeyError: 'urn:mace:shibboleth:1.0:nameIdentifier'

Even if I fix that with

diff --git a/services/univention-keycloak/scripts/univention-keycloak b/services/univention-keycloak/scripts/univention-keycloak
index 5fe09afa4c4..2cba2eaf26c 100755
--- a/services/univention-keycloak/scripts/univention-keycloak
+++ b/services/univention-keycloak/scripts/univention-keycloak
@@ -466,8 +466,14 @@ def update_saml_metadata_from_xml(metadata_url, payload, metadata_file, no_ssl_v 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent': 'persistent', 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress': 'email', 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified': 'username', + 'urn:mace:shibboleth:1.0:nameIdentifier': 'username', } - name_id_format = [name_id_formats[x.text] for x in saml_descriptor_xml.findall('.//{urn:oasis:names:tc:SAML:2.0:metadata}NameIDFormat')] + name_id_format = [ + name_id_formats[x.text] + for x in saml_descriptor_xml.findall('.//{urn:oasis:names:tc:SAML:2.0:metadata}NameIDFormat') + if x.text in name_id_formats + ] + Login to azure still fails because update_saml_metadata_from_xml now overwrites some command line settings: For the login to work we need - Name ID format -> persistent - Force name ID format -> off Also create a test with that "univention-keycloak saml/sp create ..." command and check that the config is ok.
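Review bot: the "if x.text in name_id_formats" filter added to the list comprehension silently drops every NameIDFormat the dictionary does not know, so an SP whose metadata lists only unknown formats ends up with an empty name_id_format and the operator gets no hint why; log the skipped URNs (the Microsoft metadata carries urn:mace:shibboleth:1.0:nameIdentifier, per the traceback above) so the resulting client configuration can be explained. Mapping that Shibboleth 1.0 identifier to 'username' in the new dictionary entry is a policy choice rather than a specification equivalence and deserves a comment next to the entry. The hunk also does not touch the precedence problem stated in the follow-up text: a value derived from the metadata must not override an explicit --name-id-format argument, so the metadata-derived list should only be applied when the command line did not set the format, and the requested test for the "univention-keycloak saml/sp create ..." command should assert both Name ID format = persistent and Force name ID format = off. The trailing added line ("+" with no content) is whitespace noise and should be dropped.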
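To make the two failure modes in this report concrete, here is an added example that is not univention-keycloak code: it parses the NameIDFormat elements of a constructed SP metadata document, reports unknown URNs instead of raising KeyError, and lets an explicit --name-id-format take precedence over whatever the metadata lists, which is the behaviour the follow-up text asks for. The sample metadata, the function names and the Keycloak attribute keys are assumptions; only the three URN-to-short-name mappings come from the patch above.

```python
import xml.etree.ElementTree as ET
from typing import Optional

MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# The mappings univention-keycloak already has (taken from the hunk above).
# Anything outside this table is "unknown" and must not crash the tool.
NAME_ID_FORMATS = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent": "persistent",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress": "email",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified": "username",
}

# Constructed SP metadata (NOT the real Microsoft 365 document). It lists the
# legacy Shibboleth identifier first, i.e. the value behind the KeyError.
SAMPLE_SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="urn:federation:Example">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                              Location="https://sp.example.invalid/saml/acs" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def parse_name_id_formats(metadata_xml: str) -> tuple[list[str], list[str]]:
    """Return (known Keycloak short names, unknown URNs) from SP metadata.

    Unknown URNs are returned for logging instead of raising KeyError, so the
    caller can proceed with the formats it does understand and still tell the
    operator what was ignored.
    """
    root = ET.fromstring(metadata_xml)
    known: list[str] = []
    unknown: list[str] = []
    for element in root.findall(f".//{MD_NS}NameIDFormat"):
        urn = (element.text or "").strip()
        if urn in NAME_ID_FORMATS:
            known.append(NAME_ID_FORMATS[urn])
        else:
            unknown.append(urn)
    return known, unknown


def resolve_name_id_format(cli_value: Optional[str], metadata_values: list[str]) -> Optional[str]:
    """An explicit --name-id-format wins; metadata only fills the gap.

    Returns None when neither side supplies a usable format, so the caller
    can fail loudly rather than write an empty value into the client.
    """
    if cli_value:
        return cli_value
    return metadata_values[0] if metadata_values else None


def build_saml_attributes(name_id_format: str, force_name_id_format: bool = False) -> dict[str, str]:
    """Keycloak SAML client attributes for the two settings the report names.

    The attribute keys are an assumption (they match what Keycloak exports for
    SAML clients as far as I know); verify them against your Keycloak version.
    """
    return {
        "saml_name_id_format": name_id_format,
        "saml_force_name_id_format": "true" if force_name_id_format else "false",
    }


if __name__ == "__main__":
    known, unknown = parse_name_id_formats(SAMPLE_SP_METADATA)
    print("known formats:", known, "skipped URNs:", unknown)
    # Mirrors the reported command: --name-id-format persistent on the CLI.
    chosen = resolve_name_id_format("persistent", known)
    print(build_saml_attributes(chosen, force_name_id_format=False))
```

Running it shows the Shibboleth URN being reported as skipped while the persistent format is still recognised, and the final attribute dictionary carries name ID format persistent with force name ID format off, which is the combination the report says Azure needs.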