Bug 49485 – Make subnet filtering configurable for Kerberos-Auth in SAML-IdP

Bug 49485 - Make subnet filtering configurable for Kerberos-Auth in SAML-IdP


Summary:	Make subnet filtering configurable for Kerberos-Auth in SAML-IdP

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	SAML
Version:	UCS 4.4
Hardware:	Other Mac OS X 10.1

Importance:	P5 normal (vote)
Target Milestone:	UCS 4.4-2-errata
Assigned To:	Florian Best
QA Contact:	Julia Bremer

URL:
Keywords:

Depends on:
Blocks:	56474 50533
	Show dependency tree / graph

Reported:	2019-05-16 09:41 CEST by Michel Smidt
Modified:	2023-08-22 21:53 CEST (History)
CC List:	3 users (show)

See Also:
What kind of report is it?:	Bug Report
What type of bug is this?:	5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?:	2: Will only affect a few installed domains
How will those affected feel about the bug?:	5: Blocking further progress on the daily work
User Pain:	0.286
Enterprise Customer affected?:
School Customer affected?:	Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Flags:	best: Patch_Available+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michel Smidt 2019-05-16 09:41:29 CEST

Make subnet filtering configurable for Kerberos-Auth in SAML-IdP in the /etc/simplesamlphp/authsources.php
See: https://github.com/simplesamlphp/simplesamlphp/blob/simplesamlphp-1.14/modules/negotiate/docs/negotiate.txt#L149

Comment 1 Erik Damrose

2019-05-16 10:51:33 CEST

The effort to add this is low, just add a UCRv that configures a line in
/etc/univention/templates/files/etc/simplesamlphp/01authsources-negotiate.php

'subnet' => array('127.0.0.0/16','192.168.0.0/16'),

Comment 2 Michel Smidt 2019-09-09 12:07:07 CEST

Customer asked for it because it would be workaround for Bug #47242 and blocks the further rollout of schools.

Comment 3 Florian Best

2019-10-11 13:35:35 CEST

Patch in branch git:fbest/49485-saml-negotiate-filter-subnets.

+[saml/idp/negotiate/filter-subnets]
+Description[de]=Beschränkt die Anmeldung per Kerberos / HTTP Negotiate auf Anfragen aus dem angegebenen Subnetz. Der Wert ist eine kommaseparierte Liste von Netzwerken (z.B.: 127.0.0.0/16,192.168.0.0/16).
+Description[en]=Restrict single sign on via Kerberos / HTTP negotiate only to clients requesting from the specified subnet. The value is a comma spearated list of networks (example: 127.0.0.0/16,192.168.0.0/16).
+Type=str
+Categories=saml

Comment 4 Florian Best

2019-11-05 13:54:09 CET

univention-saml (6.0.2-9)
0d3489f1a3f4 | Bug #49485: allow to restrict negotiate authentication to certain IP networks

univention-saml.yaml
0d3489f1a3f4 | Bug #49485: allow to restrict negotiate authentication to certain IP networks

Comment 5 Florian Best

2019-11-06 08:07:26 CET

The package didn't declare a build dependency to python-support and therefore the UDM handler was not correctly installed.
This let all tests fail / not being executed:

23:49:25 [master091]   . utils.sh; assert_join
23:49:56 
23:49:56  stdout: Warning: 'univention-saml' is not configured.
23:49:56 Warning: 'univention-management-console-web-server' is not configured.
23:49:56 Error: Not all install files configured: 2 missing
23:49:56 Warning: 'univention-saml' is not configured.
23:49:56 Warning: 'univention-management-console-web-server' is not configured.
23:49:56 Error: Not all install files configured: 2 missing
23:49:56 Warning: 'univention-saml' is not configured.
23:49:56 Warning: 'univention-management-console-web-server' is not configured.
23:49:56 Error: Not all install files configured: 2 missing

join.log:
Object created: cn=serviceprovider,cn=custom attributes,cn=univention,dc=AutoTest091,dc=local
unknown module saml/serviceprovider.

Available Modules are:
…
__JOINERR__:FAILED: /usr/lib/univention-install/91univention-saml.inst

Fixed in:
univention-saml (6.0.2-12)
4b48e227b564 | Bug #49485: add missing build dependency to python-support

Comment 6 Julia Bremer

2019-11-14 18:19:53 CET

UCR-Variable sets /etc/simplesamlphp/authsources.php : OK
UCR-Variable description: OK
Only UCS Clients in set subnet can use Kerberos-Auth in Saml OK
Only Windows Clients "" : OK
Yaml: OK
missing built dependecy added:OK 


Verified

Comment 7 Arvid Requate

2019-11-20 13:26:51 CET

<http://errata.software-univention.de/ucs/4.4/358.html>