Bug 48348

Summary: Allow inclusion of additional configuration files for SSO virtualhost
Product: UCS
Reporter: Erik Damrose <damrose>
Component: SAML
Assignee: Erik Damrose <damrose>
Status: CLOSED FIXED
QA Contact: Jürn Brodersen <brodersen>
Severity: normal
Priority: P5
CC: best
Version: UCS 4.3
Target Milestone: UCS 4.3-3-errata
Hardware: Other
OS: Linux
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Description Erik Damrose univentionstaff 2018-12-13 15:25:48 CET
The UCS default apache configuration can be extended by placing files in /etc/apache2/ucs-sites.conf.d/, these get included with an IncludeOptional statement in /etc/apache2/sites-available/000-default.conf and default-ssl.conf.

There is currently no way to extend the single sign on VirtualHost configuration in a similar way. Additional software should have an easy way to be added to the VirtualHost, e.g. the OpenID Connect provider.

An IncludeOptional Statement will be added to univention-saml.conf
Comment 1 Erik Damrose univentionstaff 2018-12-13 16:03:48 CET
fc58260b Include additional configuration files from /etc/apache2/sso-vhost.conf.d in saml virtualhost config

Package: univention-saml
Version: 5.0.4-30A~4.3.0.201812131559
Branch: ucs_4.3-0
Scope: errata4.3-3

9138d5a2 yaml
Comment 2 Philipp Hahn univentionstaff 2018-12-14 13:37:16 CET
4a2cd9dbbc Bug #48348: univention-saml 5.0.4-30A~4.3.0.201812131559---
 doc/errata/staging/univention-saml.yaml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

 This update addresses the following [-issue(s):-]{+issue:+}
 * The univention-saml [-apache2-]{+Apache2+} VirtualHost configuration can now be extended
   by placing .conf files in the directory /etc/apache2/sso-vhost.conf.d/
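Review bot: The erratum entry ending in "by placing .conf files in the directory /etc/apache2/sso-vhost.conf.d/" does not say when the files take effect. Unless the package reloads Apache on its own, consider adding a short clause telling administrators to reload or restart Apache after adding or removing a file there, so the published text is complete for someone who only reads the erratum.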
Comment 3 Jürn Brodersen univentionstaff 2019-01-10 11:41:24 CET
Including sso-vhost.conf.d/*.conf into the non vhost config (the fqdn instead of ucs-sso is used for saml) might be a problem for some options. But I don't see an easy solution for that nor is it a problem at the moment.


Config used for testing:
'''
<Location "/secure">
    AuthType basic
    AuthName "private area"
    AuthUserFile    "/etc/apache2/test"
    Require            valid-user
</Location>
'''


What I tested:
Added config to /etc/apache2/sso-vhost.conf.d and restart apache -> OK
  "curl http://ucs-sso.univention.intranet/secure" asks for creds -> OK
  "curl https://ucs-sso.univention.intranet/secure" asks for creds -> OK
  ucs-test/82_saml/04_saml_login -> OK

Removed config and restart apache -> OK
  ucs-test/82_saml/04_saml_login -> OK

YAML -> OK
Code in 4.4-0 -> OK
Comment 4 Arvid Requate univentionstaff 2019-01-16 13:25:22 CET
<http://errata.software-univention.de/ucs/4.3/406.html>
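Because every *.conf file in /etc/apache2/sso-vhost.conf.d/ is merged into the single sign-on virtual host, an administrator may want to see which files would be picked up and whether anyone other than root could change them. The following is an added example, not code from univention-saml or from this bug report; the function name audit_dropins, the trusted_uid parameter and the sample file names are assumptions made for illustration.

```python
import fnmatch
import os
import stat
import tempfile

SSO_DROPIN_DIR = "/etc/apache2/sso-vhost.conf.d"  # directory named in this bug
PATTERN = "*.conf"                                # only .conf files are included
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def audit_dropins(directory=SSO_DROPIN_DIR, trusted_uid=0):
    """Return (included, findings) for a drop-in directory (hypothetical helper).

    included: names matching *.conf in sorted order (Apache expands wildcard
              includes alphabetically).
    findings: (name, reason) pairs for entries a non-trusted user could alter.
    """
    if not os.path.isdir(directory):
        return [], []  # IncludeOptional silently ignores a pattern with no match
    included, findings = [], []
    for name in sorted(os.listdir(directory)):
        if not fnmatch.fnmatchcase(name, PATTERN):
            continue
        included.append(name)
        st = os.lstat(os.path.join(directory, name))
        if stat.S_ISLNK(st.st_mode):
            findings.append((name, "symlink, target not checked"))
            continue
        if st.st_uid != trusted_uid:
            findings.append((name, "owner uid %d" % st.st_uid))
        if st.st_mode & WRITABLE_BY_OTHERS:
            findings.append((name, "group/world writable"))
    if os.stat(directory).st_mode & WRITABLE_BY_OTHERS:
        findings.append((".", "directory group/world writable"))
    return included, findings


def demo():
    """Audit a constructed sample directory; all file names are made up."""
    samples = (("10-oidc.conf", 0o644), ("20-test.conf", 0o666), ("notes.txt", 0o644))
    with tempfile.TemporaryDirectory() as d:
        for name, mode in samples:
            path = os.path.join(d, name)
            with open(path, "w") as handle:
                handle.write("# constructed sample\n")
            os.chmod(path, mode)  # set explicitly so the umask does not matter
        return audit_dropins(d, trusted_uid=os.getuid())


if __name__ == "__main__":
    print(demo())
```

On a real system, call audit_dropins() with its defaults as root; demo() uses the current user as the trusted owner only so that it can run unprivileged.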