Bug 49305
| Summary: | Sign logout responses in the IDP configuration | ||
|---|---|---|---|
| Product: | UCS | Reporter: | Florian Best <best> |
| Component: | SAML | Assignee: | Julia Bremer <bremer> |
| Status: | CLOSED FIXED | QA Contact: | Johannes Keiser <keiser> |
| Severity: | normal | ||
| Priority: | P5 | CC: | bremer, castens, damrose, grandjean, heidelberger, michelsmidt, requate, steuwer |
| Version: | UCS 4.4 | Flags: | best:
Patch_Available+
|
| Target Milestone: | UCS 4.4-3-errata | ||
| Hardware: | Other | ||
| OS: | Linux | ||
| See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=50603 | ||
| What kind of report is it?: | Development Internal | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | Enterprise Customer affected?: | ||
| School Customer affected?: | Yes | ISV affected?: | |
| Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
| Ticket number: | Bug group (optional): | ||
| Max CVSS v3 score: | |||
| Bug Depends on: | |||
| Bug Blocks: | 51041 | ||
| Attachments: | patch | ||
Created attachment 9975 [details]
patch
'saml20.sign.response' => true,
'saml20.sign.assertion' => true,
→ Yes they are by default true.
We can also set the "sign.logout" at the IDP configuration. The SP configurations are inheriting the value!
https://simplesamlphp.org/docs/stable/simplesamlphp-reference-sp-remote
https://simplesamlphp.org/docs/stable/simplesamlphp-reference-idp-remote
*** Bug 50603 has been marked as a duplicate of this bug. *** Bug #50603 is a duplicate, but public and with values for User Pain. Required for the OX app. Otherwise logout fails. see also patch attached to #50603 https://forge.univention.org/bugzilla/attachment.cgi?id=10254 8c259f63cc Bug #49305: fix signed logout Package: univention-saml Version: 6.0.2-21A~4.4.0.202002070958 Branch: ucs_4.4-0 Scope: errata4.4-3 patch from bug #50603 applied to enable signed logouts Some general remarks: Please set yourself as bug assignee when fixing a bug, and set the correct target milestone. If you think the bug is ready for QA, set the bug status to resolved. OK: Patch was applied. Reopen: The fix does not fulfill the userstory acceptance criteria https://taiga.knut.univention.de/project/oschwieg-ucs-core/us/743 * There is no option to toggle signed logouts for a serviceprovider * No resync of listener module to rewrite existing configurations 887b0ad0ec Bug #49305: yaml fdb54868eb Bug #49305: translations b6256ffdcc Bug #49305: Merge branch 'jbremer/bug49305' into 4.4-3 977961432c Bug #49305: Enable signed Logout, new udm attribute signLogouts Successful build Package: univention-saml Version: 6.0.2-23A~4.4.0.202002101801 Branch: ucs_4.4-0 Scope: errata4.4-3 User: jbremer I add the udm attribute signLogouts for serviceproviders, which is mapped to the new ldap attribute signLogouts. Its value determines whether to sign logout messages sent to this SP. Its default value is "True". OK new UDM attribute for "Enable signed logouts" OK "sign.logout" is written into the service provider config file if UDM attribute is enabled OK yaml -> verified |
Missing in the configuration for the service providers is: 'sign.logout' => true, Without signed logout responses the OX appsuite crashes during logout with an internal server error. We also do not explicitly set the following attributes: 'saml20.sign.response' => true, 'saml20.sign.assertion' => true, I guess they are by default true?! Otherwise we should set them, too. This can simply be set, we don't need to make it configurable in the UMC/UDM.