AppSuite:UCS SAML SSO with OX App Suite: Difference between revisions
From Open-Xchange
No edit summary |
No edit summary |
||
| Line 76: | Line 76: | ||
ox/cfg/mail.properties/com.openexchange.mail.passwordSource='global' \ | ox/cfg/mail.properties/com.openexchange.mail.passwordSource='global' \ | ||
ox/cfg/sessiond.properties/com.openexchange.sessiond.autologin='false' | ox/cfg/sessiond.properties/com.openexchange.sessiond.autologin='false' | ||
=== Configuration files for SAML IdP === | |||
Besides the UCR configuration parameters, we also have to set up two configuration files. Those will contain the FQDNs of SSO, Portal and OX itself in various locations. | |||
cat <<__EOT_asconfig__ > /opt/open-xchange/etc/as-config.yml | |||
# Override certain settings | |||
default: | |||
host: all | |||
samlLogin: true | |||
logoutLocation: 'https://${SSO_FQDN}/simplesamlphp/saml2/idp/initSLO.php?RelayState=/simplesamlphp/logout.php' | |||
# Override certain settings for certain hosts | |||
#myhost: | |||
# host: myexchange.myhost.mytld | |||
# someConfig: some overriding value | |||
__EOT_asconfig__ | |||
saml.properties is a relatively big file. This is reflected in the following command. | |||
cat <<__EOT__ >/opt/open-xchange/etc/saml.properties | |||
# Configuration of SAML UCS properties | |||
# Please refer to: https://documentation.open-xchange.com/components/middleware/config/7.10.1/#mode=search&term=open-xchange-saml-ucs | |||
# If UCS SAMLBackend is enabled | |||
com.openexchange.saml.ucs.enabled = true | |||
# The id inside the saml authnResponse which holds the userinformation | |||
#com.openexchange.saml.ucs.id = mailPrimaryAddress | |||
com.openexchange.saml.ucs.id = uid | |||
# URL of where the users are redirected after logout | |||
com.openexchange.saml.ucs.logoutRedirectUrl = https://${PORTAL_FQDN}/univention/portal/ | |||
# The URL to redirect to in case the SAML back-end fails to look up the authenticated user. When left empty or not set, an HTTP 500 error page is sent instead. | |||
#com.openexchange.saml.ucs.failureRedirect | |||
# The URL to redirect to in case the SAML back-end has an error, when the user logs out. When left empty or not set, the value of com.openexchange.saml.ucs.failure.redirect is used. | |||
#com.openexchange.saml.ucs.logoutFailureRedirect | |||
# The full path to a Java keyStore containing the IdPs certificate. | |||
com.openexchange.saml.ucs.keyStore = /etc/ssl/certs/java/cacerts | |||
#com.openexchange.saml.ucs.keyStore = /root/my-keystore.jks | |||
# Password to open the keyStore. | |||
com.openexchange.saml.ucs.keyStorePass = changeit | |||
# The alias of the IdP certificate entry within the keyStore. | |||
#com.openexchange.saml.ucs.certAlias = Univention_Corporate_Server_Root_CA_(ID=ImIfa9H9) | |||
com.openexchange.saml.ucs.certAlias = ${SSO_FQDN} | |||
# The alias of the signingKey entry within the keyStore. | |||
#com.openexchange.saml.ucs.signingKeyAlias | |||
# The password of the signingKey entry within the keyStore. | |||
#com.openexchange.saml.ucs.signingKeyPassword | |||
# The alias of the decryptionKey entry within the keyStore. | |||
#com.openexchange.saml.ucs.decryptionKeyAlias | |||
# The password of the decryptionKey entry within the keystore. | |||
#com.openexchange.saml.ucs.decryptionKeyPassword | |||
Revision as of 05:10, 18 May 2021
Univention Corporate Server SAML-SSO Configuration with OX App Suite
Preconditions
Before starting the configuration process, it is advisable to test the SAML login to UCS to ensure that it works. Authentication via SAML login works as follows.
https://<Hostname>/univention/saml
Configuration
Setting FQDNs
The following three variables have to be set according to the environment. Multiple or all variables can contain the same FQDN.
# FQDN for accessing the SSO - can be found in UCR: ucr get ucs/server/sso/fqdn SSO_FQDN=ucs-sso.domain.name # FQDN for accessing the portal PORTAL_FQDN=portal.domain.name # FQDN for accessing OX MAIL_FQDN=mail.domain.name
Adjusting the provisioning
The UCS users are provisioned in OX via CLI interfaces and then written to a MySQL database. The database has a "imapLogin" field that is used by OX to log in to the user's inbox. As default it is set to the user's mail address. If SSO is to be used, it has to be appended with an asterisk and the mail server's master user. For Dovecot this would be dovecotadmin and looks as follows:
meinuser@maildomain.de*dovecotadmin
The following two commands have to be executed to let the users be provisioned respectively by the listener:
ucr set ox/listener/imaplogin_value='{}*dovecotadmin'
service univention-directory-listener crestart
Adjusting existing users
For already existing users, the imapLogin field has to be adjusted. See: How To: Change the OX attribute imaplogin for existing users
Installing packages
univention-install open-xchange-saml-ucs open-xchange-saml
Getting UCR variables into the shell
As we will need UCR variables for the following steps, we'll get them as shell variables:
eval "$(ucr shell)"
Importing the SAML IdPs certificate into the Java Keystore
For OX to be able to validate the certificate that is used for signing the SAML Assertions, it has to be imported into the Java Keystore.
openssl pkcs12 -export -in /etc/simplesamlphp/${SSO_FQDN}-idp-certificate.crt -inkey /etc/simplesamlphp/${SSO_FQDN}-idp-certificate.key -chain -CAfile /etc/univention/ssl/ucsCA/CAcert.pem -name "${SSO_FQDN}" -out ${SSO_FQDN}.p12 -password pass:changeit
keytool -importkeystore -deststorepass changeit -destkeystore my-keystore.jks -srckeystore ${SSO_FQDN}.p12 -srcstoretype PKCS12 -srcstorepass changeit
keytool -export -alias ${SSO_FQDN} -file ${SSO_FQDN}.cer -keystore my-keystore.jks -deststorepass changeit
keytool -import -alias ${SSO_FQDN} -file ${SSO_FQDN}.cer -keystore /etc/ssl/certs/java/cacerts -deststorepass changeit
Basic configuration in UCR
We change some configuration parameters so that OX uses SSO. Furthermore we use a master password for Dovecot to enable OX to open the user's inbox without the user's password. *Attention*: If the master password will be changed in the future, it has to be changed in `/etc/dovecot/master-users` as well as in `/etc/dovecot-master.secret`.
p="$(cat /etc/dovecot/master-users | sed -e 's|.*{PLAIN}||;s|:.*||')"
echo -n "$p" > /etc/dovecot-master.secret
chmod 600 /etc/dovecot-master.secret
ucr set ox/cfg/mailfilter.properties/com.openexchange.mail.filter.masterPassword="@&@/etc/dovecot-master.secret@&@" \
ox/cfg/mail.properties/com.openexchange.mail.masterPassword="@&@/etc/dovecot-master.secret@&@"
ucr set ox/cfg/mailfilter.properties/com.openexchange.mail.filter.loginType='global' \
ox/cfg/mailfilter.properties/com.openexchange.mail.filter.passwordSource='global' \
ox/cfg/mail.properties/com.openexchange.mail.mailServerSource='global' \
ox/cfg/mail.properties/com.openexchange.mail.passwordSource='global' \
ox/cfg/sessiond.properties/com.openexchange.sessiond.autologin='false'
Configuration files for SAML IdP
Besides the UCR configuration parameters, we also have to set up two configuration files. Those will contain the FQDNs of SSO, Portal and OX itself in various locations.
cat <<__EOT_asconfig__ > /opt/open-xchange/etc/as-config.yml
# Override certain settings
default:
host: all
samlLogin: true
logoutLocation: 'https://${SSO_FQDN}/simplesamlphp/saml2/idp/initSLO.php?RelayState=/simplesamlphp/logout.php'
# Override certain settings for certain hosts
#myhost:
# host: myexchange.myhost.mytld
# someConfig: some overriding value
__EOT_asconfig__
saml.properties is a relatively big file. This is reflected in the following command.
cat <<__EOT__ >/opt/open-xchange/etc/saml.properties # Configuration of SAML UCS properties # Please refer to: https://documentation.open-xchange.com/components/middleware/config/7.10.1/#mode=search&term=open-xchange-saml-ucs # If UCS SAMLBackend is enabled com.openexchange.saml.ucs.enabled = true # The id inside the saml authnResponse which holds the userinformation #com.openexchange.saml.ucs.id = mailPrimaryAddress com.openexchange.saml.ucs.id = uid # URL of where the users are redirected after logout com.openexchange.saml.ucs.logoutRedirectUrl = https://${PORTAL_FQDN}/univention/portal/ # The URL to redirect to in case the SAML back-end fails to look up the authenticated user. When left empty or not set, an HTTP 500 error page is sent instead. #com.openexchange.saml.ucs.failureRedirect # The URL to redirect to in case the SAML back-end has an error, when the user logs out. When left empty or not set, the value of com.openexchange.saml.ucs.failure.redirect is used. #com.openexchange.saml.ucs.logoutFailureRedirect # The full path to a Java keyStore containing the IdPs certificate. com.openexchange.saml.ucs.keyStore = /etc/ssl/certs/java/cacerts #com.openexchange.saml.ucs.keyStore = /root/my-keystore.jks # Password to open the keyStore. com.openexchange.saml.ucs.keyStorePass = changeit # The alias of the IdP certificate entry within the keyStore. #com.openexchange.saml.ucs.certAlias = Univention_Corporate_Server_Root_CA_(ID=ImIfa9H9) com.openexchange.saml.ucs.certAlias = ${SSO_FQDN} # The alias of the signingKey entry within the keyStore. #com.openexchange.saml.ucs.signingKeyAlias # The password of the signingKey entry within the keyStore. #com.openexchange.saml.ucs.signingKeyPassword # The alias of the decryptionKey entry within the keyStore. #com.openexchange.saml.ucs.decryptionKeyAlias # The password of the decryptionKey entry within the keystore. #com.openexchange.saml.ucs.decryptionKeyPassword