Bug 50510 - Make it possible to configure multiple entity IDs for one IdP
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: SAML
UCS 4.4
Other Linux
Priority: P5 normal
Target Milestone: UCS 4.4-2-errata
Assigned To: Jürn Brodersen
QA Contact: Erik Damrose
Depends on:
Blocks:
Reported: 2019-11-18 11:58 CET by Jürn Brodersen
Modified: 2019-11-27 14:20 CET (History)
What kind of report is it?: Feature Request
Description Jürn Brodersen univentionstaff 2019-11-18 11:58:28 CET
Make it possible to configure multiple entity IDs for one IdP

This is a feature request needed for bug 50324. Azure AD only supports entity IDs for IdPs that are globally unique. You are not allowed to use the same IdP entity ID on two or more domains (this rule even applies if these belong to different customers!).

We want to support connecting one UCS domain to multiple Azure domains. That means our SAML IdP must have one unique entity ID for each Azure domain.
Comment 1 Jürn Brodersen univentionstaff 2019-11-18 12:07:08 CET
Branch:
juern/multi-ident

[juern/multi-ident 0b62478ce1] Bug #50510: Make it possible to configure multiple entity IDs for one IdP
[juern/multi-ident 3a16412c9e] Bug #50510: Add 82_saml/44_idp_eintityID_supplement
Comment 2 Erik Damrose univentionstaff 2019-11-19 19:25:38 CET
OK: Configure several more IdPs via UCR saml/idp/entityID/supplement/<identifier>=true + apache2 reload
OK: Get individual IdP metadata from https://$(ucr get ucs/server/sso/fqdn)/simplesamlphp/<identifier>/saml2/idp/metadata.php
~ Testcase did fail in my case

*** START TIME: 2019-11-19 18:49:34 ***
Create saml/idp/entityID/supplement/second_eID
File: /etc/apache2/sites-available/univention-saml.conf
Multifile: /etc/simplesamlphp/metadata/saml20-idp-hosted.php
File: /etc/simplesamlphp/config.php
Module: ox-config
supplement_entityID: "https://ucs-sso.mydomain.intranet/simplesamlphp/second_eID/saml2/idp/metadata.php"
Setting umc/saml/idp-server
Module: setup_saml_sp
Try to download idp metadata (1/60)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  5108    0  5108    0     0  63602      0 --:--:-- --:--:-- --:--:-- 63850
Reloading univention-management-console-web-server configuration (via systemctl): univention-management-console-web-server.service.
Multifile: /etc/pam.d/univention-management-console
File: /etc/ldap/sasl2/slapd.conf
Module: ox-config
GET SAML login form at: https://ucsmaster.mydomain.intranet/univention/saml/
WARN: could not parse XML/HTML: not well-formed (invalid token): line 17, column 3127
### FAIL ###
Problem while reaching login dialog


But maybe that error did occur because 82_saml/30_umc_cert_chain failed earlier.
REOPENing in any case for branch merge, we also need documentation for this feature. We can create an additional bug for that if required.
Comment 3 Jürn Brodersen univentionstaff 2019-11-20 17:38:13 CET
[4.4-2 bcccfc5d3e] Bug #50510: Move simplesamlphp-modules/
[4.4-2 8d4447c4ce] Bug #50510: Make it possible to configure multiple entity IDs for one IdP
[4.4-2 3030e9472a] Bug #50510: Add 82_saml/44_idp_eintityID_supplement
[4.4-2 ec1bd5d2d4] Bug #50510: yaml
[4.4-2 57797e2494] Bug #50510: Merge branch 'juern/multi-ident' into 4.4-2
[4.4-2 90761c8e88] Bug #50510: Revert python-notifier change
[4.4-2 07d618fd98] Bug #50510: yaml2


Package: univention-saml
Version: 6.0.2-15A~4.4.0.201911201731
Branch: ucs_4.4-0
Scope: errata4.4-2
Comment 4 Erik Damrose univentionstaff 2019-11-20 17:58:31 CET
Documentation bug: #50523

univention-saml 6.0.2-15A~4.4.0.201911201731

OK: Configure several more IdPs via UCR saml/idp/entityID/supplement/<identifier>=true + apache2 reload
OK: Get individual IdP metadata from https://$(ucr get ucs/server/sso/fqdn)/simplesamlphp/<identifier>/saml2/idp/metadata.php
OK: yaml

Verified
Comment 5 Felix Botner univentionstaff 2019-11-21 09:30:13 CET
All SAML tests failed in the last Jenkins run; is this related to this bug?
Comment 6 Jürn Brodersen univentionstaff 2019-11-21 10:59:23 CET
REQUEST_URI is undefined outside the apache config :(


20.11.19 23:41:02.785  LISTENER    ( ERROR   ) : Failed to create /etc/simplesamlphp/metadata.d/https:__master090.autotest090.local_univention_saml_metadata.php: PHP Fatal error:  Uncaught ErrorException: Undefined index: REQUEST_URI in /etc/simplesamlphp/config.php:52
Stack trace:
#0 /etc/simplesamlphp/config.php(52): {closure}(8, 'Undefined index...', '/etc/simplesaml...', 52, Array)
#1 /usr/share/simplesamlphp/lib/SimpleSAML/Configuration.php(124): require('/etc/simplesaml...')
#2 /usr/share/simplesamlphp/lib/SimpleSAML/Configuration.php(252): SimpleSAML_Configuration::loadFromFile('/usr/share/simp...', true)
#3 /usr/share/simplesamlphp/lib/SimpleSAML/Configuration.php(336): SimpleSAML_Configuration::getConfig()
#4 /usr/share/simplesamlphp/lib/SimpleSAML/Logger.php(363): SimpleSAML_Configuration::getInstance()
#5 /usr/share/simplesamlphp/lib/SimpleSAML/Logger.php(403): SimpleSAML\Logger::createLoggingHandler('SimpleSAML\\Logg...')
#6 /usr/share/simplesamlphp/lib/SimpleSAML/Logger.php(179): SimpleSAML\Logger::log(4, 'The class or in...')
#7 /usr/share/simplesamlphp/lib/_autoload_modules.php(68): SimpleSAML\Logger::warning('The class or in...')
#8 [internal function]: temporaryLoader( in /etc/simplesamlphp/config.php on line 52
Comment 7 Jürn Brodersen univentionstaff 2019-11-25 16:13:29 CET
Package: univention-saml
Version: 6.0.2-17A~4.4.0.201911251558
Branch: ucs_4.4-0
Scope: errata4.4-2

[4.4-2 90761c8e88] Bug #50510: Revert python-notifier change
[4.4-2 07d618fd98] Bug #50510: yaml2
[4.4-2 358421b7d4] Bug #50510: changelog ucs-test
[4.4-2 514ff89cdb] Bug #50510: Fix creation of service provider config
[4.4-2 63ba7f3dc3] Bug #50510: fix typo
[4.4-2 c69a22d4ba] Bug #50510: fix wrong description
[4.4-2 17cc1eb364] Bug #50510: Be more verbose for listener problems
[4.4-2 635f4d3ed6] Bug #50510: Reset IDP metadata used by the umc
[4.4-2 8549e3f5c6] Bug #50510: changelog ucs-test
[4.4-2 c75bfbd4a2] Bug #50510: fix 44_idp_entityID_supplement (again)
[4.4-2 c3f0a68aed] Bug #50510: ensure the HOST header has the same case as in the idp config
[4.4-2 b0090a9a65] Bug #50510: yaml

TL;DR
The important commits for univention-saml are:
[4.4-2 514ff89cdb] Bug #50510: Fix creation of service provider config
[4.4-2 c3f0a68aed] Bug #50510: ensure the HOST header has the same case as in the idp config


The first commit fixes the problem that "$_SERVER['REQUEST_URI']" is not set during service provider config creation.

The second commit fixes the problem that the hostname used to choose the IdP config was matched case-sensitively.
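The two defects summarised above, as an added PHP example that is not Univention's config.php: selecting the IdP identifier from the request path without assuming `REQUEST_URI` exists (it is absent when the listener runs PHP outside Apache, see Comment 6), and matching the Host header against the SSO FQDN case-insensitively. The function names, the array of supplement identifiers and the sample requests are assumptions; the URL shape follows Comment 2.

```php
<?php
// Added example, not code from the univention-saml package. It illustrates the
// two fixes described in Comment 7 of Bug #50510.
// Assumption: the configured supplement identifiers (UCR keys
// saml/idp/entityID/supplement/<identifier>=true) are passed in as an array.

/**
 * Pick the IdP identifier from the request path.
 * Returns null when REQUEST_URI is unavailable (CLI, listener module) instead
 * of raising "Undefined index: REQUEST_URI" as in the stack trace of Comment 6.
 */
function idpIdentifierFromRequest(array $server, array $supplements): ?string
{
    if (!isset($server['REQUEST_URI'])) {
        return null; // not running under Apache: fall back to the default IdP
    }
    // Path shape from Comment 2: /simplesamlphp/<identifier>/saml2/idp/metadata.php
    if (preg_match('#^/simplesamlphp/([^/]+)/saml2/#', $server['REQUEST_URI'], $m)
        && in_array($m[1], $supplements, true)) {
        return $m[1];
    }
    return null; // unknown identifier: do not trust the path, use the default
}

/**
 * Compare the Host header with the configured SSO FQDN case-insensitively.
 * DNS names are case-insensitive, so "UCS-SSO.mydomain.intranet" must select
 * the same IdP config as "ucs-sso.mydomain.intranet" (second fix in Comment 7).
 */
function hostMatchesSsoFqdn(array $server, string $ssoFqdn): bool
{
    $host = $server['HTTP_HOST'] ?? '';
    $host = preg_replace('/:\d+$/', '', $host); // strip an optional port
    return strcasecmp($host, $ssoFqdn) === 0;
}

/** Build the entity ID / metadata URL for the default IdP or a supplement. */
function entityIdFor(?string $identifier, string $ssoFqdn): string
{
    $path = $identifier === null ? '' : '/' . rawurlencode($identifier);
    return "https://$ssoFqdn/simplesamlphp$path/saml2/idp/metadata.php";
}

// Constructed sample requests: one served by Apache, one from the CLI listener.
$supplements = ['second_eID'];
$fqdn = 'ucs-sso.mydomain.intranet';
$web = ['REQUEST_URI' => '/simplesamlphp/second_eID/saml2/idp/metadata.php',
        'HTTP_HOST'   => 'UCS-SSO.mydomain.intranet'];
$cli = []; // $_SERVER under the listener carries no REQUEST_URI
echo entityIdFor(idpIdentifierFromRequest($web, $supplements), $fqdn), "\n";
echo entityIdFor(idpIdentifierFromRequest($cli, $supplements), $fqdn), "\n";
var_dump(hostMatchesSsoFqdn($web, $fqdn));
```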
Comment 8 Jürn Brodersen univentionstaff 2019-11-25 18:47:48 CET
Small doc changes on branch (ucr var needs to be set on backups as well):
juern/bug50510-doc
Comment 9 Erik Damrose univentionstaff 2019-11-26 14:51:01 CET
Documentation is okay, I merged it at 71e3c9f3

univention-saml 6.0.2-17A~4.4.0.201911251558

OK: Fix creation of service provider config
OK: ensure the HOST header has the same case as in the idp config
OK: ucs-test
OK~ yaml (fix in 3803329)
Comment 10 Arvid Requate univentionstaff 2019-11-27 14:20:10 CET
<http://errata.software-univention.de/ucs/4.4/380.html>