Univention Bugzilla – Bug 47309
Support raw simplesaml service provider configurations with replication
Last modified: 2019-02-04 17:16:30 CET
Simplesamlphp service provider configurations may require non-trivial modifications to work with a service provider. Examples are:
* encoding arbitrary attributes with base64 while mapping them to another attribute name (office365 connector)
* prepending and appending strings to attribute values and transmitting multiple source attributes in one saml assertion attribute (amazon aws)
We cannot anticipate any possible combinations and make them configurable in UMC, so we need the possibility to add a raw simplesamlphp service provider configuration. This configuration has to be replicated to all UCS IdP servers in the domain.
dcd4ed85 Support raw simplesamlphp configurations with replication
A new udm attribute for saml/serviceprovider has been added: rawsimplesamlSPconfig must contain a valid php configuration for a simplesamlphp service provider. If the provider is activated, the saml-simplesamlphp-configuration listener will write and activate the configuration on all domain IdP servers.
7c7c76d1 yaml
Replicated simplesamlphp sp configs often require additional LDAP attributes being read from LDAP. The following was implemented to support it:
* IdP configuration options regarding allowed LDAP attributes are now configured centrally in LDAP. This can be extended in the future.
* The default object DN for the configuration is id=default-saml-idp,cn=univention,LDAPBASE
* A listener has been added, which replicates changes to this object on all SAML IDP servers
* Previous UCRv values set to saml/idp/ldap/get_attributes are added to the default configuration on package update
* Resync univention-saml-simplesamlphp-configuration when installing and upgrading package
18c392d6 univention-saml 5.0.4-23A~4.3.0.201807131600
a295e292 yaml
76aedf7c ucs-test: test raw saml sp configuration replication
8b594234 Fix joinscript error handling
fa1473b3 yaml
univention-saml 5.0.4-25A~4.3.0.201807251721
9600aa09 Fix joinscript error message
univention-saml 5.0.4-26A~4.3.0.201807251739
06f99149 yaml
The file created by the replication does not contain the line break at the end of a file:
-------------------------------------------------------------------------------
diff /etc/simplesamlphp/metadata.d/univention-office365.php /usr/share/univention-office365/simplesamlSPconfig.php
37c37
< );
\ Kein Zeilenumbruch am Dateiende.
---
> );
-------------------------------------------------------------------------------
This results in different hashes for the same file, which is inconvenient when checking for problems in a domain. Unsure if this deserves a reopen, leaving the decision up to QA.
@Comment 6: The file content in the example used is handed to the udm command by command substitution "$(<file)". The specification says that trailing newlines will be removed: http://pubs.opengroup.org/onlinepubs/009695399/utilities/xcu_chap02.html, 2.6.3 Command substitution: "... removing sequences of one or more <newline>s at the end of the substitution". The source file should contain no newline.
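The behaviour explained in the previous comment, shown as a small added shell example (this is not code from the bug report or from Univention's packages): the first function copies a file the way "$(<file)" hands its content over, so the final newline is lost and the copy no longer matches the source byte for byte; the second function uses a sentinel character so that command substitution has nothing to strip, which is one way to get a byte-identical copy when hashes across the domain are expected to agree. File paths and the sample PHP snippet are constructed for the demonstration; the real SP metadata lives under /etc/simplesamlphp/metadata.d/.

```shell
#!/bin/sh
# Added example, not part of the bug or of univention-saml.
# Demonstrates how POSIX command substitution removes trailing newlines
# and how to carry a configuration file through it unchanged.

# Copy a file through plain command substitution, as "$(<file)" does:
# the shell removes every trailing newline from the substituted text.
copy_via_substitution() {
    printf '%s' "$(cat "$1")" > "$2"
}

# Copy through command substitution but keep the final newline: append a
# sentinel "x" inside the substitution so there is no trailing newline to
# strip, then remove the sentinel again before writing the file.
copy_preserving_newline() {
    _content=$(cat "$1"; printf x)
    printf '%s' "${_content%x}" > "$2"
}

# Byte-compare two files; prints "same" or "differ" (what a hash check over
# all IdP servers would report, without needing a particular hash tool).
files_match() {
    if cmp -s "$1" "$2"; then echo same; else echo differ; fi
}

# Size of a file in bytes, to make the missing newline visible.
byte_count() {
    wc -c < "$1" | tr -d ' '
}

# Stand-alone run: build a constructed sample config and compare both copies.
demo() {
    _dir=$(mktemp -d)
    # Constructed sample; the real rawsimplesamlSPconfig value is a full
    # simplesamlphp SP metadata file. It ends with a newline.
    printf '<?php\n$metadata = array();\n' > "$_dir/source.php"
    copy_via_substitution "$_dir/source.php" "$_dir/stripped.php"
    copy_preserving_newline "$_dir/source.php" "$_dir/preserved.php"
    echo "source:    $(byte_count "$_dir/source.php") bytes"
    echo "stripped:  $(byte_count "$_dir/stripped.php") bytes, $(files_match "$_dir/source.php" "$_dir/stripped.php")"
    echo "preserved: $(byte_count "$_dir/preserved.php") bytes, $(files_match "$_dir/source.php" "$_dir/preserved.php")"
    rm -rf "$_dir"
}

demo
```

Running it prints 27 bytes for the source and the preserved copy and 26 bytes for the stripped copy, which is exactly the one-byte difference the diff in comment 6 reports. Whichever convention a domain settles on (source without a trailing newline, or a transfer that keeps it), the useful check is that the replicated file compares equal to its origin on every IdP server.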
Small test changes [4.3-1 50b4c69a6a] Bug #47309: check sp deactivation and activate on master systems as well
What I tested:
* Saml works -> OK
* Replication of service provider configuration -> OK
* Update on master first -> OK
* Update on backup first -> OK (As expected the join script fails, as long as the master isn't updated)
* Replication of "LDAPattributes" for saml -> OK
* YAML -> OK
<http://errata.software-univention.de/ucs/4.3/159.html>