AppSuite:UCS SAML SSO with OX App Suite: Difference between revisions

From Open-Xchange
No edit summary
(Replaced content with " <div style="overflow: auto;"><div style="border-width:3px; border-style:solid; padding:5px; margin:1em; margin-left:5em; margin-right:5em;">[https://oxpedia.org/wiki/index.php?title=AppSuite:UCS_OIDC_SSO_with_OX_App_Suite Corporate Server OIDC-SSO Configuration with OX App Suite]</div></div> = Univention Corporate Server SAML-SSO Configuration with OX App Suite = == Preconditions == Before starting the configuration process, it is advisable to test the SAML login...")
Tag: Replaced
 
(9 intermediate revisions by the same user not shown)
Line 1: Line 1:
<div style="overflow: auto;"><div style="border-width:3px; border-style:solid; padding:5px; margin:1em; margin-left:5em; margin-right:5em;">[https://oxpedia.org/wiki/index.php?title=AppSuite:UCS_OIDC_SSO_with_OX_App_Suite Corporate Server OIDC-SSO Configuration with OX App Suite]</div></div>
= Univention Corporate Server SAML-SSO Configuration with OX App Suite =
= Univention Corporate Server SAML-SSO Configuration with OX App Suite =


Line 7: Line 10:
  https://<Hostname>/univention/saml
  https://<Hostname>/univention/saml


== Configuration ==
== Migration OX App Suite SSO to Keycloak ==
 
=== Setting FQDNs ===
 
The following three variables have to be set according to the environment. Multiple or all variables can contain the same FQDN.
 
# FQDN for accessing the SSO - can be found in UCR: ucr get ucs/server/sso/fqdn
SSO_FQDN=ucs-sso.domain.name
# FQDN for accessing the portal
PORTAL_FQDN=portal.domain.name
# FQDN for accessing OX
MAIL_FQDN=mail.domain.name
 
=== Adjusting the provisioning ===
 
The UCS users are provisioned in OX via CLI interfaces and then written to a MySQL database. The database has a "imapLogin" field that is used by OX to log in to the user's inbox. As default it is set to the user's mail address. If SSO is to be used, it has to be appended with an asterisk and the mail server's master user. For Dovecot this would be <code>dovecotadmin</code> and looks as follows:
 
meinuser@maildomain.de*dovecotadmin
 
The following two commands have to be executed to let the users be provisioned respectively by the listener:
 
ucr set ox/listener/imaplogin_value='{}*dovecotadmin'
service univention-directory-listener crestart
 
==== Adjusting existing users ====
 
For already existing users, the imapLogin field has to be adjusted. See: [https://help.univention.com/t/how-to-change-the-ox-attribute-imaplogin-for-existing-users/14455 How To: Change the OX attribute imaplogin for existing users]
 
=== Installing packages ===
 
univention-install open-xchange-saml-ucs open-xchange-saml
 
=== Getting UCR variables into the shell ===
 
As we will need UCR variables for the following steps, we'll get them as shell variables:
 
eval "$(ucr shell)"
 
=== Importing the SAML IdPs certificate into the Java Keystore ===
 
For OX to be able to validate the certificate that is used for signing the SAML Assertions, it has to be imported into the Java Keystore.
 
openssl pkcs12 -export -in /etc/simplesamlphp/${SSO_FQDN}-idp-certificate.crt -inkey /etc/simplesamlphp/${SSO_FQDN}-idp-certificate.key -chain -CAfile /etc/univention/ssl/ucsCA/CAcert.pem -name "${SSO_FQDN}" -out ${SSO_FQDN}.p12 -password pass:changeit
keytool -importkeystore -deststorepass changeit -destkeystore my-keystore.jks -srckeystore ${SSO_FQDN}.p12 -srcstoretype PKCS12 -srcstorepass changeit
keytool -export -alias ${SSO_FQDN} -file ${SSO_FQDN}.cer -keystore my-keystore.jks -deststorepass changeit
keytool -import -alias ${SSO_FQDN} -file ${SSO_FQDN}.cer -keystore /etc/ssl/certs/java/cacerts -deststorepass changeit
 
=== Basic configuration in UCR ===
 
We change some configuration parameters so that OX uses SSO. Furthermore we use a master password for Dovecot to enable OX to open the user's inbox without the user's password. *Attention*: If the master password will be changed in the future, it has to be changed in `/etc/dovecot/master-users` as well as in `/etc/dovecot-master.secret`.


p="$(cat /etc/dovecot/master-users | sed -e 's|.*{PLAIN}||;s|:.*||')"
The previously provided configuration information is outdated. Please follow the steps outlined in the migration guide available at: https://help.univention.com/t/howto-migrate-ox-sso-to-keycloak/24053/1
echo -n "$p" > /etc/dovecot-master.secret
chmod 600 /etc/dovecot-master.secret
ucr set ox/cfg/mailfilter.properties/com.openexchange.mail.filter.masterPassword="@&@/etc/dovecot-master.secret@&@" \
        ox/cfg/mail.properties/com.openexchange.mail.masterPassword="@&@/etc/dovecot-master.secret@&@"
ucr set ox/cfg/mailfilter.properties/com.openexchange.mail.filter.loginType='global' \
        ox/cfg/mailfilter.properties/com.openexchange.mail.filter.passwordSource='global' \
        ox/cfg/mail.properties/com.openexchange.mail.mailServerSource='global' \
        ox/cfg/mail.properties/com.openexchange.mail.passwordSource='global' \
        ox/cfg/sessiond.properties/com.openexchange.sessiond.autologin='false'

Latest revision as of 07:51, 23 May 2025

Univention Corporate Server SAML-SSO Configuration with OX App Suite

Preconditions

Before starting the configuration process, it is advisable to test the SAML login to UCS to ensure that it works. Authentication via SAML login works as follows. 

https://<Hostname>/univention/saml

Migration OX App Suite SSO to Keycloak

The previously provided configuration information is outdated. Please follow the steps outlined in the migration guide available at: https://help.univention.com/t/howto-migrate-ox-sso-to-keycloak/24053/1

Retrieved from "https://wiki.open-xchange.com/wiki/index.php?title=AppSuite:UCS_SAML_SSO_with_OX_App_Suite&oldid=28920"