Univention Bugzilla – Full Text Bug Listing |
Summary: | SAML IdP certificate not accessible on UCS 4.2 | ||
---|---|---|---|
Product: | UCS | Reporter: | Jens Thorp-Hansen <thorp-hansen> |
Component: | SAML | Assignee: | Florian Best <best> |
Status: | CLOSED FIXED | QA Contact: | Jürn Brodersen <brodersen> |
Severity: | normal | ||
Priority: | P5 | CC: | best, brodersen, damrose, gohmann, mai, michelsmidt |
Version: | UCS 4.2 | ||
Target Milestone: | UCS 4.2-3-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
What kind of report is it?: | Bug Report | What type of bug is this?: | 5: Major Usability: Impairs usability in key scenarios |
Who will be affected by this bug?: | 3: Will affect average number of installed domains | How will those affected feel about the bug?: | 4: A User would return the product |
User Pain: | 0.343 | Enterprise Customer affected?: | |
School Customer affected?: | ISV affected?: | ||
Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
Ticket number: | 2017052921000376 | Bug group (optional): | |
Max CVSS v3 score: | |||
Bug Depends on: | |||
Bug Blocks: | 45515, 46186, 47047 | ||
Attachments: |
Saml apache config template adjustments
24_download_certificate |
Description
Jens Thorp-Hansen
2017-05-29 13:52:54 CEST
Mark all bugs with a user pain > 0.3 as errata bugs.
Created attachment 9029
Saml apache config template adjustments
The current apache2 config doesn't allow filesystem access to the idp certificate in its default location. Do we adjust the template or the default location for the certificate?
I attached a proposal for the configuration template in univention-saml.
Why doesn't it allow anymore? I think it was possible in UCS 4.1.

(In reply to Florian Best from comment #3)
> Why doesn't it allow anymore? I think it was possible in UCS 4.1.
I didn't investigate the specific cause. My best guess is the change in basic directives between apache 2.4 and 2.2. For example Order and Allow vs. Require all granted.

OK, the attached patch fixes the problem for me. I tried with openproject=5.0.17.

Moving this issue to SAML.

Created attachment 9032
24_download_certificate
Comment on attachment 9032
24_download_certificate
Test for ucs-test/82_saml
@Jürn: Please commit the ucs-test with the SKIP tag.

r81298: test download of saml idp certificate
The test has the skip tag set for now

A slightly modified patch has been committed.

univention-saml (4.0.14-11)
c895e12c910a | Bug #44704-saml-certificate' into 4.2-3
1591bb4c3c3c | Bug #44704: fix certificate access permissions
ucs-test (7.0.23-3)
r81298 | Bug #44704: test download of saml idp certificate
univention-saml.yaml
c895e12c910a | Bug #44704-saml-certificate' into 4.2-3
b8f07173e39d | YAML Bug #44704

Looks good.
What I tested:
"ucs-test -s saml -E dangerous" -> OK
"curl https://ucs-sso.univention.intranet/simplesamlphp/saml2/idp/certificate" -> OK
"curl https://ucs-sso.univention.intranet/simplesamlphp/saml2/idp/" -> Forbidden -> OK
YAML -> OK
-> Verified
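The directive change between Apache 2.2 and 2.4 that the thread suggests as the cause, as an added example (not the attached patch and not the univention-saml template). The file-system paths and the certificate file name are placeholders, and a Debian-style default of `Require all denied` on `<Directory />` is assumed.

```apache
# Added illustration. /path/to/idp-cert-dir and idp-certificate.pem are
# placeholders, not paths taken from the bug report.

# --- Apache 2.2 style (kept commented out as the "before") ---------------
# Order/Allow/Deny are only honoured by Apache 2.4 when mod_access_compat
# is loaded. Without it, no rule here grants access and the inherited
# "Require all denied" applies, so the request ends in 403 Forbidden.
#
# <Directory "/path/to/idp-cert-dir">
#     Order allow,deny
#     Allow from all
# </Directory>

# --- Apache 2.4 style (mod_authz_core) -----------------------------------
# Map the public URL to the single certificate file. Alias directives are
# evaluated in configuration order, so this line has to come before any
# broader Alias that covers /simplesamlphp.
Alias /simplesamlphp/saml2/idp/certificate "/path/to/idp-cert-dir/idp-certificate.pem"

<Directory "/path/to/idp-cert-dir">
    # Keep the directory itself closed, so anything else stored next to
    # the certificate (assumption: for example a private key) stays
    # unreachable over HTTP.
    Require all denied

    # Open exactly one file: the public IdP certificate.
    <Files "idp-certificate.pem">
        Require all granted
    </Files>
</Directory>
```

Granting access per file rather than per directory matches the outcome verified in the thread: the certificate URL is served, while the surrounding `/simplesamlphp/saml2/idp/` path still answers Forbidden.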