Bug 47309 - Support raw simplesaml service provider configurations with replication
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: SAML
UCS 4.3
Other Linux
: P5 normal
: UCS 4.3-1-errata
Assigned To: Erik Damrose
Jürn Brodersen
Depends on:
Blocks: 45537 46438
Reported: 2018-07-05 12:44 CEST by Erik Damrose
Modified: 2019-02-04 17:16 CET (History)

See Also:
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
Description Erik Damrose univentionstaff 2018-07-05 12:44:55 CEST
Simplesamlphp service provider configurations may require non trivial modifications to work with a service provider. Examples are
* encoding arbitrary attributes with base64 while mapping them to another attribute name (office365 connector)
* prepending and appending strings to attribute values and transmitting multiple source attributes in one saml assertion attribute (amazon aws)

We can not anticipate any possible combinations and make them configureable in UMC, so we need the possibility to add a raw simplesamlphp service provider configuration. This configuration has to be replicated to all UCS IdP servers in the domain.
Comment 1 Erik Damrose univentionstaff 2018-07-05 13:27:00 CEST
dcd4ed85 Support raw simplesamlphp configurations with replication

A new udm attribute for saml/serviceprovider has been added:
rawsimplesamlSPconfig must contain a valid php configuration for a
simplesamlphp service provider. If the provider is activated, the
saml-simplesamlphp-configuration listener will write and activate
the configuration on all domain IdP servers.

7c7c76d1 yaml
Comment 2 Erik Damrose univentionstaff 2018-07-13 16:03:55 CEST
Replicated simplesamlphp sp configs often require additional LDAP attributes being read from LDAP. The following was implemented to support it:
* IdP configuration options regarding allowed LDAP attributes are 
  now configured centrally in LDAP. This can be extended in the future.
* The default object DN for the configuration is
  id=default-saml-idp,cn=univention,LDAPBASE
* A listener has been added, which replicates changes to this object
  on all SAML IDP servers
* Previous UCRv values set to saml/idp/ldap/get_attributes are added
  to the default configuration on package update
* Resync univention-saml-simplesamlphp-configuration when installing
  and upgrading package

18c392d6 univention-saml 5.0.4-23A~4.3.0.201807131600
a295e292 yaml
Comment 3 Erik Damrose univentionstaff 2018-07-16 11:48:12 CEST
76aedf7c ucs-test: test raw saml sp configuration replication
Comment 4 Erik Damrose univentionstaff 2018-07-25 17:22:43 CEST
8b594234 Fix joinscript error handling
fa1473b3 yaml

univention-saml 5.0.4-25A~4.3.0.201807251721
Comment 5 Erik Damrose univentionstaff 2018-07-25 17:40:43 CEST
9600aa09 Fix joinscript error message
univention-saml 5.0.4-26A~4.3.0.201807251739
06f99149 yaml
Comment 6 Daniel Tröder univentionstaff 2018-07-27 10:59:58 CEST
The file created by the replication does not contain the line break at the end of a file:
-------------------------------------------------------------------------------
diff /etc/simplesamlphp/metadata.d/univention-office365.php /usr/share/univention-office365/simplesamlSPconfig.php 
37c37
< );
\ Kein Zeilenumbruch am Dateiende.
---
> );
-------------------------------------------------------------------------------
This results in different hashes for the same file, which is inconvenient when checking for problems in a domain.

Unsure if this deserves a reopen, leaving the decision up to QA.
Comment 7 Erik Damrose univentionstaff 2018-07-27 14:05:02 CEST
@Comment 6: The file content in the example used is handed to the udm command by command substitution "$(<file)". The specification says that trailing newlines will be removed:

http://pubs.opengroup.org/onlinepubs/009695399/utilities/xcu_chap02.html 
2.6.3 Command substitution:
"... removing sequences of one or more <newline>s at the end of the substitution"

The source file should contain no newline.
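The behaviour described in Comment 7, as an added POSIX sh example that is not part of the bug report or of univention-saml: a constructed stand-in for an SP config is read through command substitution and written back, which drops the final newline and changes the raw checksum; a newline-tolerant checksum is shown for comparing replicated configs across IdP servers. The `$(<file)` form is bash-only, so `$(cat file)` is used here.

```shell
#!/bin/sh
# Added example, not code from the bug page or from univention-saml.
# POSIX 2.6.3 (command substitution) removes trailing <newline>s, so a
# file handed to a command as "$(cat file)" and written back is one
# byte shorter than its source, as seen in the diff in Comment 6.

# Constructed stand-in for a simplesamlphp SP config; not a real one.
make_sample() {
    printf '<?php\n$metadata["sp-example"] = array(\n);\n' > "$1"
}

# Round-trip a file the way a joinscript hands it to a udm command:
# read it via command substitution, then write the value back.
roundtrip() {
    content=$(cat "$1")          # trailing newline(s) are removed here
    printf '%s' "$content" > "$2"
}

# Byte count of a file (wc pads with spaces on some systems).
size() { wc -c < "$1" | tr -d ' '; }

# Raw checksum: differs between the source and the replicated copy.
raw_sum() { cksum < "$1" | cut -d' ' -f1; }

# Newline-tolerant checksum for checking SP configs across IdP servers:
# apply the same stripping rule to both sides before hashing.
normalised_sum() { printf '%s' "$(cat "$1")" | cksum | cut -d' ' -f1; }

# Demonstration on constructed files in a temporary directory.
demo() {
    dir=$(mktemp -d)
    make_sample "$dir/source.php"
    roundtrip "$dir/source.php" "$dir/replicated.php"
    for f in source.php replicated.php; do
        echo "$f: $(size "$dir/$f") bytes, raw $(raw_sum "$dir/$f"), normalised $(normalised_sum "$dir/$f")"
    done
    rm -rf "$dir"
}
```

Run `demo` to see the one-byte difference and the matching normalised checksums.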
Comment 8 Jürn Brodersen univentionstaff 2018-08-01 12:51:26 CEST
Small test changes
[4.3-1 50b4c69a6a] Bug #47309: check sp deactivation and activate on master systems as well

What I tested:
Saml works -> OK
Replication of service provider configuration -> OK
Update on master first -> OK
Update on backup first -> OK (As expected the join script fails, as long as the master isn't updated)
Replication of "LDAPattributes" for saml -> OK

YAML -> OK
Comment 9 Arvid Requate univentionstaff 2018-08-01 14:54:43 CEST
<http://errata.software-univention.de/ucs/4.3/159.html>