Univention Bugzilla – Full Text Bug Listing
Summary: | Configure SAML Single Sign-On as single server solution not working | | |
---|---|---|---|
Product: | UCS | Reporter: | Jürn Brodersen <brodersen> |
Component: | SAML | Assignee: | Erik Damrose <damrose> |
Status: | CLOSED FIXED | QA Contact: | Jürn Brodersen <brodersen> |
Severity: | normal | | |
Priority: | P5 | CC: | damrose, denissen, gohmann, heidelberger, scheinig, steuwer |
Version: | UCS 4.3 | | |
Target Milestone: | UCS 4.3-1-errata | | |
Hardware: | Other | | |
OS: | Linux | | |
See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=46447 https://forge.univention.org/bugzilla/show_bug.cgi?id=46563 | | |
What kind of report is it?: | Bug Report | What type of bug is this?: | 5: Major Usability: Impairs usability in key scenarios |
Who will be affected by this bug?: | 1: Will affect a very few installed domains | How will those affected feel about the bug?: | 4: A User would return the product |
User Pain: | 0.114 | Enterprise Customer affected?: | Yes |
School Customer affected?: | Yes | ISV affected?: | |
Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
Ticket number: | 2018062221000554 | Bug group (optional): | Workaround is available |
Max CVSS v3 score: | | | |
Bug Depends on: | | | |
Bug Blocks: | 47406 | | |
Description
Jürn Brodersen
2018-06-25 13:33:45 CEST
A customer reported the following workaround works in their environment: Enclose the Rewrite* Statements at the bottom of /etc/apache2/sites-available/univention-saml.conf (or its template) with the simplesamlphp directory, so it looks like this:

```apache
<Directory /simplesamlphp>
RewriteEngine on
RewriteCond %%{HTTP:Authorization} !^$
RewriteRule .* - [E=HTTP_AUTHORIZATION:%%{HTTP:Authorization},L]
</Directory>
```

I've removed the flags 'School Customer affected' and 'Enterprise Customer affected' because a ticket or a customer ID is not set.

*** Bug 46563 has been marked as a duplicate of this bug. ***

ba960c85 When operating without a separate VirtualHost for single sign-on, a rewrite rule in the scope of other config rules limited execution of further rewrite rules. This fix restricts the rewrite rule to the single sign-on directory.

univention-saml 5.0.4-20A~4.3.0.201806291057

c6827a7 yaml

I set the yaml options to release the fix for 4.3-0 and 4.3-1. When released, we can remove the preup update blocker introduced by bug 46605.

/etc/apache2/sites-enabled/univention-saml.conf:42: <Directory> was not closed.

ebc1d612 Fix typo in apache config

yaml updated

--- mirror/ftp/4.3/unmaintained/4.3-1/source/univention-saml_5.0.4-19A~4.3.0.201805241344.dsc +++ apt/ucs_4.3-0-errata4.3-1/source/univention-saml_5.0.4-21A~4.3.0.201807041308.dsc
@@ -1,6 +1,11 @@ -5.0.4-19A~4.3.0.201805241344 [Thu, 24 May 2018 13:44:20 +0200] Univention builddaemon <buildd@univention.de>: +5.0.4-21A~4.3.0.201807041308 [Wed, 04 Jul 2018 13:08:29 +0200] Univention builddaemon <buildd@univention.de>: * UCS auto build. No patches were applied to the original source package + +5.0.4-21 [Wed, 04 Jul 2018 13:06:56 +0200] Erik Damrose <damrose@univention.de>: + + * Bug #47241: Fix apache configuration when operating without a separate + VirtualHost for single sign-on 5.0.4-19 [Thu, 24 May 2018 13:43:10 +0200] Felix Botner <botner@univention.de>:

<http://10.200.17.11/4.3-1/#8398688827871475628> Looks good. But saml/idp/authsource=univention-negotiate doesn't work with this configuration for me.

Config adapted. Only forward HTTP_AUTHORIZATION header to Location /saml-bin.

0c0be64 Fix config to allow SAML+Kerberos login

4d33ac6 yaml

Package: univention-saml Version: 5.0.4-24A~4.3.0.201807231740

The saml+kerberos configuration has to be adapted and a new SPN for the external fqdn has to be added. Try with these steps.
If it works, the SDB article https://help.univention.com/t/6681 will be extended after this feature is published (make sure univention-negotiate is activated: ucr set saml/idp/authsource=univention-negotiate)

```sh
# $FQDN is not set in this snippet: it must hold the external fully qualified
# host name under which single sign-on is reached.
spn_account_name="ucs-sso"
servicePrincipalName="HTTP/$FQDN"

# Register the new SPN on the ucs-sso account in the Samba directory.
samba-tool spn add "$servicePrincipalName" "$spn_account_name"

# Take the account password and current key version from the existing setup,
# then update the principal entry in secrets.ldb so the keytab matches.
spn_account_name_password=$(</etc/simplesamlphp/ucs-sso-kerberos.secret)
msdsKeyVersion=$(ldbsearch -H /var/lib/samba/private/sam.ldb \
    samAccountName="$spn_account_name" msDS-KeyVersionNumber \
    | sed -n 's/^msDS-KeyVersionNumber: \(.*\)/\1/p')
ldbmodify -H /var/lib/samba/private/secrets.ldb <<-%EOF
dn: samAccountName=$spn_account_name,CN=Principals
changetype: modify
replace: secret
secret: $spn_account_name_password
-
replace: msDS-KeyVersionNumber
msDS-KeyVersionNumber: $msdsKeyVersion
-
add: servicePrincipalName
servicePrincipalName: $servicePrincipalName
%EOF

# Install the regenerated keytab where simplesamlphp reads it.
cp /var/lib/samba/private/simplesamlphp.keytab /etc/simplesamlphp.keytab
```

Note: The domainname for the internal and external domain has to be equal, i.e. equal the kerberos realm. Configuring saml+kerberos in any other scenario is out of scope here.

What I tested: SAML with and without samba using the sdb article. The steps in comment 9 are working for me. Kerberos without samba isn't working with the sdb article. As discussed that is not a blocker. -> Verified
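The two Apache-config failures this bug went through (Rewrite* directives outside any container block, and a `<Directory>` left unclosed by the first fix) can be caught before a service restart with a small scope checker. This is an added example, not code from univention-saml or the bug's authors; the fragments it checks are constructed from the lines quoted above, with the template's `%%` rendered as a plain `%`.

```python
import re

# Container directives such as <Directory /simplesamlphp> and their closers.
OPEN_RE = re.compile(r"^<(\w+)(?:\s+[^>]*)?>$")
CLOSE_RE = re.compile(r"^</(\w+)>$")


def check_rewrite_scope(conf_text):
    """Return (line_no, message) findings for an Apache config fragment.

    Reports Rewrite* directives that sit outside every container block (the
    situation the commit above describes: a rule in the scope of other config
    limited execution of further rewrite rules) and container blocks that are
    unclosed or closed out of order (the '<Directory> was not closed' error).
    """
    findings = []
    stack = []  # (container name, line it was opened on)
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN_RE.match(line)
        if opened:
            stack.append((opened.group(1), line_no))
            continue
        closed = CLOSE_RE.match(line)
        if closed:
            if stack and stack[-1][0] == closed.group(1):
                stack.pop()
            else:
                findings.append((line_no, f"</{closed.group(1)}> has no matching open block"))
            continue
        directive = line.split()[0]
        if directive.startswith("Rewrite") and not stack:
            findings.append((line_no, f"{directive} is outside any <Directory>/<Location> block"))
    for name, opened_at in stack:
        findings.append((opened_at, f"<{name}> was not closed"))
    return findings


# Constructed fragments modelled on the lines quoted in this bug (not the real template).
REWRITE_LINES = """RewriteEngine on
RewriteCond %{HTTP:Authorization} !^$
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
"""
UNSCOPED_CONF = REWRITE_LINES                                     # shape before the fix
FIXED_CONF = "<Directory /simplesamlphp>\n" + REWRITE_LINES + "</Directory>\n"
UNCLOSED_CONF = "<Directory /simplesamlphp>\n" + REWRITE_LINES    # the typo the second fix removed
```

Run it over the rendered /etc/apache2/sites-enabled/univention-saml.conf and an empty list means both checks passed; `apache2ctl configtest` still has the final word on syntax.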