Univention Bugzilla – Bug 57420
'univention-keycloak saml/sp create' creates duplicate UID mappers
Last modified: 2024-07-19 16:34:12 CEST
The `univention-keycloak saml/sp create` command creates multiple UID mappers. This leads to the uid being included in the SAML assertion twice, which is then concatenated by the UMC leading to SAML auth failure.
After git:ff1202fe4fc85c4e3cfae198eba42e92bfcab99c a new protocol mapper was being added to the SAML client. Before adding itself it checked whether an existing mapper with the same name exists. However, it did not check whether there was an existing mapper that already mapped the uid or the uid URN. Since a UID mapper is already created automatically from the SAML metadata of the UMC, there were two UID mappers. This led to the UID appearing twice in the SAML assertion. The UMC simply concatenated the double UID, so the username "anna" became "annaanna", which caused login to fail.

Fix: check whether there already is ANY mapper for the client that maps uid or the uid URN.

univention-keycloak.yaml 6827db204615 | fix(univention-keycloak): check if mapper exists that maps uid
univention-keycloak (1.0.12-4) 6827db204615 | fix(univention-keycloak): check if mapper exists that maps uid
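The difference between the pre-fix name check and the fixed "any mapper that maps uid" check, as an added illustration that is not univention-keycloak's own code. The mapper dicts mimic Keycloak's admin REST representation (name, protocolMapper, config) with constructed values; the uid URN is assumed to be the standard LDAP OID for uid.

```python
# Assumed: the LDAP OID under which the uid is sent as a SAML attribute.
UID_URN = "urn:oid:0.9.2342.19200300.100.1.1"

# Constructed sample: mappers already attached to the UMC SAML client. The
# first one stands for the mapper Keycloak derives from the UMC metadata.
EXISTING_MAPPERS = [
    {"name": "X500 uid", "protocol": "saml",
     "protocolMapper": "saml-user-property-mapper",
     "config": {"user.attribute": "username", "attribute.name": UID_URN,
                "attribute.nameformat": "URI Reference", "friendly.name": "uid"}},
    {"name": "mail", "protocol": "saml",
     "protocolMapper": "saml-user-property-mapper",
     "config": {"user.attribute": "email", "attribute.name": "mail",
                "attribute.nameformat": "Basic"}},
]

# Constructed sample: the mapper `saml/sp create` wants to add.
NEW_UID_MAPPER = {"name": "uid", "protocol": "saml",
                  "protocolMapper": "saml-user-property-mapper",
                  "config": {"user.attribute": "username", "attribute.name": "uid",
                             "attribute.nameformat": "Basic"}}

def maps_uid(mapper):
    """True if the mapper puts the uid into the assertion, whatever its name."""
    cfg = mapper.get("config", {})
    emitted = {cfg.get("attribute.name"), cfg.get("friendly.name")}
    return "uid" in emitted or UID_URN in emitted

def uid_mappers(mappers):
    """All mappers on a client that emit the uid; more than one is the bug."""
    return [m for m in mappers if maps_uid(m)]

def exists_by_name(mappers, name):
    """The pre-fix check: only compares the display name."""
    return any(m.get("name") == name for m in mappers)

def should_add(mappers, new, check_any_uid):
    """With check_any_uid=False (name check only) a second uid mapper slips
    through; with check_any_uid=True it is rejected."""
    if exists_by_name(mappers, new["name"]):
        return False
    if check_any_uid and maps_uid(new) and uid_mappers(mappers):
        return False
    return True

def assertion_username(mappers, uid_value):
    """Mimic the UMC joining every uid value in the assertion: two uid
    mappers turn 'anna' into 'annaanna'."""
    return "".join(uid_value for m in mappers if maps_uid(m))
```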
Build 5.2: Successful build
Package: univention-keycloak
Version: 3.0.11
Branch: 5.2-0
Scope:
User: mmeschter
Host: ladda
Seconds: 19.547363996505737
Logfile: /var/univention/buildsystem2/logs/ucs_5.2-0/univention-keycloak_3.0.11_202407101114.log.bz2

Build 5.0: Successful build
Package: univention-keycloak
Version: 1.0.12-4
Branch: 5.0-0
Scope: errata5.0-8
User: mmeschter
Host: ladda
Seconds: 19.738375663757324
Logfile: /var/univention/buildsystem2/logs/ucs_5.0-0-errata5.0-8/univention-keycloak_1.0.12-4_202407091943.log.bz2
QA:
OK: only one uid mapper is created for SAML service providers
OK: `scripts/fix-duplicate-uid-mappers` fixes systems that are broken due to two existing uid mappers
OK: the apps nextcloud, google-apps, office365 can be migrated from simpleSAMLphp to Keycloak
OK: UMC login works with Keycloak
OK: advisories
OK: 5.0 and 5.2
OK: Keycloak tests
<https://errata.software-univention.de/#/?erratum=5.0x1083>
You get this error message when you try to log in:

HTTP Fehler 401 Fehlernachricht des Servers: Authentisierung ist fehlgeschlagen. Bitte melden Sie sich erneut an.