Bug 57420 - 'univention-keycloak saml/sp create' creates duplicate UID mappers
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Keycloak
UCS 5.0
Other Linux
Importance: P5 normal
Target Milestone: UCS 5.0-8-errata
Assigned To: Marius Meschter
QA Contact: Christian Castens
URL: https://git.knut.univention.de/univen...
Depends on:
Blocks:
Reported: 2024-07-01 16:01 CEST by Marius Meschter
Modified: 2024-07-19 16:34 CEST

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 4: A User would return the product
User Pain: 0.343
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2024071521000107
Bug group (optional): Regression, SAML
Max CVSS v3 score:


Description Marius Meschter univentionstaff 2024-07-01 16:01:05 CEST
The `univention-keycloak saml/sp create` command creates multiple UID mappers. This leads to the uid being included in the SAML assertion twice, which is then concatenated by the UMC leading to SAML auth failure.
Comment 1 Marius Meschter univentionstaff 2024-07-10 11:16:58 CEST
After git:ff1202fe4fc85c4e3cfae198eba42e92bfcab99c a new protocol mapper
    was being added to the SAML client. Before it added itself it checked if
    an existing mapper with the same name exists. However, it did not check
    if there was an existing mapper that already mapped the uid or the URN.
    Since a UID mapper is already automatically created due to the SAML
    metadata of the UMC there were 2 UID mappers. This led to the UID
    appearing twice in the SAML assertion. This double UID was just
    concatenated by the UMC, so the username "anna" became "annaanna", which
    caused login to fail.

    Check if there already is ANY mapper for the client that maps uid or the
    uid URN.

univention-keycloak.yaml
6827db204615 | fix(univention-keycloak): check if mapper exists that maps uid

univention-keycloak (1.0.12-4)
6827db204615 | fix(univention-keycloak): check if mapper exists that maps uid
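The pre-fix name-only check and the fixed "does any mapper already map uid" check, side by side, as an added Python example that is not univention-keycloak's own code. The mapper dict layout (Keycloak admin REST API `protocolMappers` entries with `config` keys `user.attribute` and `attribute.name`), the mapper names and the sample data are assumptions constructed for the example.

```python
"""Added example (not univention-keycloak code): decide whether a Keycloak SAML
client already carries a protocol mapper that emits the LDAP ``uid`` attribute,
either by user attribute name or by its SAML attribute URN, before adding one."""
from typing import Dict, List

# OID-style SAML attribute name of the LDAP ``uid`` attribute (RFC 4519 "userid").
UID_URN = "urn:oid:0.9.2342.19200300.100.1.1"

Mapper = Dict[str, object]


def name_exists(mappers: List[Mapper], name: str) -> bool:
    """Pre-fix check: only compares the mapper *name*, not what it maps."""
    return any(m.get("name") == name for m in mappers)


def maps_uid(mapper: Mapper) -> bool:
    """True if this mapper emits the uid, regardless of what it is called."""
    cfg = mapper.get("config", {}) or {}
    return cfg.get("user.attribute") == "uid" or cfg.get("attribute.name") == UID_URN


def uid_mapper_exists(mappers: List[Mapper]) -> bool:
    """Fixed check: ANY mapper of the client that maps uid or the uid URN."""
    return any(maps_uid(m) for m in mappers)


def add_uid_mapper(mappers: List[Mapper], new: Mapper) -> List[Mapper]:
    """Return the mapper list with ``new`` appended only if no uid mapper exists."""
    return list(mappers) if uid_mapper_exists(mappers) else list(mappers) + [new]


def assertion_username(values: List[str]) -> str:
    """Mimic a consumer that joins all values of the uid attribute into one string."""
    return "".join(values)


# Constructed sample: the mapper Keycloak created from the UMC SAML metadata (hypothetical name).
EXISTING: List[Mapper] = [{
    "name": "uid",
    "protocolMapper": "saml-user-attribute-mapper",
    "config": {"user.attribute": "uid", "attribute.name": UID_URN, "friendly.name": "uid"},
}]
# Constructed sample: the mapper the CLI wants to add (hypothetical name).
NEW_MAPPER: Mapper = {"name": "uid-mapper", "protocolMapper": "saml-user-attribute-mapper",
                      "config": {"user.attribute": "uid", "attribute.name": UID_URN}}

if __name__ == "__main__":
    print(name_exists(EXISTING, "uid-mapper"))      # False: the old check would add a 2nd mapper
    print(len(add_uid_mapper(EXISTING, NEW_MAPPER)))  # 1: the fixed check skips it
    print(assertion_username(["anna", "anna"]))     # annaanna: what two mappers produce
```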
Comment 2 Marius Meschter univentionstaff 2024-07-10 11:24:45 CEST
Build 5.2
Successful build
Package: univention-keycloak
Version: 3.0.11
Branch: 5.2-0
Scope: 
User: mmeschter
Host: ladda
Seconds: 19.547363996505737
Logfile: /var/univention/buildsystem2/logs/ucs_5.2-0/univention-keycloak_3.0.11_202407101114.log.bz2

Build 5.0
Successful build
Package: univention-keycloak
Version: 1.0.12-4
Branch: 5.0-0
Scope: errata5.0-8
User: mmeschter
Host: ladda
Seconds: 19.738375663757324
Logfile: /var/univention/buildsystem2/logs/ucs_5.0-0-errata5.0-8/univention-keycloak_1.0.12-4_202407091943.log.bz2
Comment 3 Christian Castens univentionstaff 2024-07-11 10:39:43 CEST
QA:
  OK: only one uid mapper is created for saml service providers
  OK: `scripts/fix-duplicate-uid-mappers` fixes systems that are broken due to two existing uid mappers
  OK: The apps nextcloud, google-apps, office365 can be migrated from simpleSAMLphp to Keycloak
  OK: UMC login works with Keycloak
  OK: advisories
  OK: 5.0 and 5.2
  OK: Keycloak tests
Comment 4 Dirk Wiesenthal univentionstaff 2024-07-11 12:39:58 CEST
<https://errata.software-univention.de/#/?erratum=5.0x1083>
Comment 5 Christina Scheinig univentionstaff 2024-07-19 16:33:47 CEST
You get this error message:

HTTP Fehler 401

Fehlernachricht des Servers:

Authentisierung ist fehlgeschlagen. Bitte melden Sie sich erneut an.

------
when you tried to log in