AppSuite:UCS SAML SSO with OX App Suite: Difference between revisions
Corporate Server OIDC-SSO Configuration with OX App Suite: https://oxpedia.org/wiki/index.php?title=AppSuite:UCS_OIDC_SSO_with_OX_App_Suite
Latest revision as of 05:54, 26 October 2021
Univention Corporate Server SAML-SSO Configuration with OX App Suite
Preconditions
Before starting the configuration process, it is advisable to test the SAML login to UCS to ensure that it works. The SAML login can be reached at the following URL:
https://<Hostname>/univention/saml
Configuration
Setting FQDNs
The following three variables have to be set according to the environment. Multiple or all variables can contain the same FQDN.
# FQDN for accessing the SSO - can be found in UCR: ucr get ucs/server/sso/fqdn
SSO_FQDN=ucs-sso.domain.name
# FQDN for accessing the portal
PORTAL_FQDN=portal.domain.name
# FQDN for accessing OX
MAIL_FQDN=mail.domain.name
Adjusting the provisioning
The UCS users are provisioned in OX via CLI interfaces and then written to a MySQL database. The database has an imapLogin field that is used by OX to log in to the user's inbox. By default it is set to the user's mail address. If SSO is to be used, the mail server's master user has to be appended to it, separated by an asterisk. For Dovecot this would be *dovecotadmin and looks as follows:
meinuser@maildomain.de*dovecotadmin
The following two commands have to be executed so that the listener provisions users accordingly:
ucr set ox/listener/imaplogin_value='{}*dovecotadmin'
service univention-directory-listener crestart
Adjusting existing users
For already existing users, the imapLogin field has to be adjusted. See: How To: Change the OX attribute imaplogin for existing users
Installing packages
univention-install open-xchange-saml-ucs open-xchange-saml
Getting UCR variables into the shell
As we will need UCR variables for the following steps, we'll get them as shell variables:
eval "$(ucr shell)"
Importing the SAML IdP's certificate into the Java Keystore
For OX to be able to validate the signatures on the SAML assertions, the certificate that is used for signing them has to be imported into the Java keystore.
openssl pkcs12 -export -in /etc/simplesamlphp/${SSO_FQDN}-idp-certificate.crt -inkey /etc/simplesamlphp/${SSO_FQDN}-idp-certificate.key -chain -CAfile /etc/univention/ssl/ucsCA/CAcert.pem -name "${SSO_FQDN}" -out ${SSO_FQDN}.p12 -password pass:changeit
keytool -importkeystore -deststorepass changeit -destkeystore my-keystore.jks -srckeystore ${SSO_FQDN}.p12 -srcstoretype PKCS12 -srcstorepass changeit
keytool -export -alias ${SSO_FQDN} -file ${SSO_FQDN}.cer -keystore my-keystore.jks -deststorepass changeit
keytool -import -alias ${SSO_FQDN} -file ${SSO_FQDN}.cer -keystore /etc/ssl/certs/java/cacerts -deststorepass changeit
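A check that belongs right after the import, as an added example that is not part of this oxpedia page: OX validates the assertion signature against the keystore entry stored under the alias, so it is worth confirming that the entry under ${SSO_FQDN} in /etc/ssl/certs/java/cacerts carries the same SHA-256 fingerprint as the IdP certificate file. The alias, keystore path and store password "changeit" are assumed to be the ones used above; the two fingerprint lines at the end are constructed samples, not output from a real system.

```shell
#!/bin/sh
# Added example, not from the oxpedia page: verify that the cacerts entry OX
# will trust is really the IdP's signing certificate, by comparing SHA-256
# fingerprints reported by openssl (for the PEM file) and keytool (for the
# keystore alias). A stale or wrong entry means every SAML login fails, or the
# wrong issuer is trusted.
# Assumptions (labelled): alias ${SSO_FQDN}, keystore /etc/ssl/certs/java/cacerts
# and store password "changeit", as on the page.

# Bring a fingerprint line from either tool to bare upper-case hex:
#   keytool -list -v prints  "SHA256: AB:CD:..."
#   openssl x509 prints      "SHA256 Fingerprint=AB:CD:..."
normalize_fingerprint() {
    printf '%s\n' "$1" | awk '{print $NF}' | sed -e 's/^.*=//' -e 's/://g' | tr 'a-f' 'A-F'
}

# SHA-256 fingerprint of a PEM certificate file.
cert_fingerprint() {  # $1 certificate file
    normalize_fingerprint "$(openssl x509 -in "$1" -noout -fingerprint -sha256)"
}

# SHA-256 fingerprint of the entry stored under an alias in a Java keystore
# (empty when the alias does not exist).
keystore_fingerprint() {  # $1 keystore, $2 alias, $3 store password
    normalize_fingerprint "$(keytool -list -v -keystore "$1" -storepass "$3" -alias "$2" 2>/dev/null | grep 'SHA256:' | head -n 1)"
}

# Returns 0 when the keystore entry matches the certificate file, 1 when the
# alias is missing, 2 when the fingerprints differ.
verify_idp_cert_in_cacerts() {  # $1 certificate file, $2 alias, $3 keystore, $4 store password
    want="$(cert_fingerprint "$1")"
    have="$(keystore_fingerprint "$3" "$2" "$4")"
    if [ -z "$have" ]; then
        echo "alias '$2' not found in $3" >&2
        return 1
    fi
    if [ "$want" != "$have" ]; then
        echo "alias '$2' in $3 has SHA-256 $have, certificate file has $want" >&2
        return 2
    fi
    echo "alias '$2' in $3 matches $1 (SHA-256 $want)"
}

# On the UCS host, with the variables from eval "$(ucr shell)" loaded:
#   verify_idp_cert_in_cacerts "/etc/simplesamlphp/${SSO_FQDN}-idp-certificate.crt" \
#       "${SSO_FQDN}" /etc/ssl/certs/java/cacerts changeit
# Constructed sample lines (not tool output from a real system):
normalize_fingerprint 'SHA256 Fingerprint=AB:CD:EF'   # prints ABCDEF
normalize_fingerprint '        SHA256: ab:cd:ef'      # prints ABCDEF
```

Run it on the UCS host after the keytool -import step; a return code of 1 means the alias never made it into cacerts (typically a wrong -alias or keystore path), 2 means an older certificate is still stored under that alias and has to be deleted before re-importing.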
Basic configuration in UCR
We change some configuration parameters so that OX uses SSO. Furthermore we use a master password for Dovecot to enable OX to open the user's inbox without the user's password. *Attention*: If the master password is changed in the future, it has to be changed in /etc/dovecot/master-users as well as in /etc/dovecot-master.secret.
p="$(sed -e 's|.*{PLAIN}||;s|:.*||' /etc/dovecot/master-users)"
echo -n "$p" > /etc/dovecot-master.secret
chmod 600 /etc/dovecot-master.secret
ucr set ox/cfg/mailfilter.properties/com.openexchange.mail.filter.masterPassword="@&@/etc/dovecot-master.secret@&@" \
    ox/cfg/mail.properties/com.openexchange.mail.masterPassword="@&@/etc/dovecot-master.secret@&@"
ucr set ox/cfg/mailfilter.properties/com.openexchange.mail.filter.loginType='global' \
    ox/cfg/mailfilter.properties/com.openexchange.mail.filter.passwordSource='global' \
    ox/cfg/mail.properties/com.openexchange.mail.mailServerSource='global' \
    ox/cfg/mail.properties/com.openexchange.mail.passwordSource='global' \
    ox/cfg/sessiond.properties/com.openexchange.sessiond.autologin='false'
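The sed one-liner above assumes that master-users holds exactly one entry and that its password uses the {PLAIN} scheme; with a hashed scheme it returns the hash (or the untouched line), which OX then uses as the master password. As an added example that is not part of this oxpedia page, the following shell functions extract the password for a named master user, refuse anything that is not {PLAIN}, and create the secret file with mode 600 before the first byte is written. The passwd-file layout of master-users is an assumption, and the sample file at the end is constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example, not from the oxpedia page: derive the Dovecot master password
# for OX the way the sed one-liner does, but fail loudly on inputs the
# one-liner would silently mangle, and create the secret file private from
# the start.
# Assumption (labelled): /etc/dovecot/master-users is in Dovecot's passwd-file
# format, one "user:{SCHEME}password[:uid:gid:...]" line per master user.

# Print the clear-text password of one master user (e.g. dovecotadmin).
# Returns 1 when the user has no entry and 2 when the password is not stored
# with the {PLAIN} scheme, because OX needs the clear-text value.
master_password() {  # $1 master-users file, $2 master user name
    line="$(grep "^$2:" "$1" | head -n 1)"
    if [ -z "$line" ]; then
        echo "no entry for master user '$2' in $1" >&2
        return 1
    fi
    case "$line" in
        "$2:{PLAIN}"*) ;;
        *)  echo "entry for '$2' does not use the {PLAIN} scheme" >&2
            return 2 ;;
    esac
    # strip "user:{PLAIN}" and everything from the next field separator on
    printf '%s\n' "$line" | sed -e 's|^[^:]*:{PLAIN}||' -e 's|:.*||'
}

# Write the password to the file referenced by the UCR settings above
# (@&@/etc/dovecot-master.secret@&@). The umask in the subshell makes a new
# file private at creation; the chmod also tightens a pre-existing file.
write_secret_file() {  # $1 destination file, $2 password
    ( umask 077 && printf '%s' "$2" > "$1" ) && chmod 600 "$1"
}

# Octal mode of a file, for checking the result (GNU stat, BSD stat fallback).
secret_file_mode() {  # $1 file
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Constructed sample (not a real master-users file) covering the three cases.
demo_dir="$(mktemp -d)"
printf 'dovecotadmin:{PLAIN}s3cret:0:0::/:/bin/false\nhashedadmin:{SHA512-CRYPT}$6$notaplainpassword\n' \
    > "$demo_dir/master-users"
master_password "$demo_dir/master-users" dovecotadmin          # prints s3cret
master_password "$demo_dir/master-users" hashedadmin || true   # refused, rc 2
master_password "$demo_dir/master-users" nobody || true        # missing, rc 1
write_secret_file "$demo_dir/dovecot-master.secret" "$(master_password "$demo_dir/master-users" dovecotadmin)"
secret_file_mode "$demo_dir/dovecot-master.secret"             # prints 600
rm -rf "$demo_dir"
```

On the UCS host the call is master_password /etc/dovecot/master-users dovecotadmin followed by write_secret_file /etc/dovecot-master.secret "$p"; the ucr set commands above stay unchanged.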
Configuration files for SAML IdP
Besides the UCR configuration parameters, we also have to set up two configuration files. Those will contain the FQDNs of SSO, Portal and OX itself in various locations.
cat <<__EOT_asconfig__ > /opt/open-xchange/etc/as-config.yml
# Override certain settings
default:
    host: all
    samlLogin: true
    logoutLocation: 'https://${SSO_FQDN}/simplesamlphp/saml2/idp/initSLO.php?RelayState=/simplesamlphp/logout.php'
# Override certain settings for certain hosts
#myhost:
#    host: myexchange.myhost.mytld
#    someConfig: some overriding value
__EOT_asconfig__
Regarding the configuration of SAML UCS properties, please refer to: https://documentation.open-xchange.com/components/middleware/config/7.10.1/#mode=search&term=open-xchange-saml-ucs
The saml.properties file can be edited using UCR variables. The last setting, allowUnsolicitedResponses, makes OX accept IdP-initiated responses, i.e. assertions that were not requested by an AuthnRequest from OX:
ucr set \
    ox/cfg/saml.properties/com.openexchange.saml.ucs.enabled=true \
    ox/cfg/saml.properties/com.openexchange.saml.ucs.id=uid \
    ox/cfg/saml.properties/com.openexchange.saml.ucs.logoutRedirectUrl=https://${PORTAL_FQDN}/univention/portal/ \
    ox/cfg/saml.properties/com.openexchange.saml.ucs.keyStore=/etc/ssl/certs/java/cacerts \
    ox/cfg/saml.properties/com.openexchange.saml.ucs.keyStorePass=changeit \
    ox/cfg/saml.properties/com.openexchange.saml.ucs.certAlias=${SSO_FQDN} \
    ox/cfg/saml.properties/com.openexchange.saml.enabled=true \
    ox/cfg/saml.properties/com.openexchange.saml.enableMetadataService=true \
    ox/cfg/saml.properties/com.openexchange.saml.enableSingleLogout=true \
    ox/cfg/saml.properties/com.openexchange.saml.entityID=https://${MAIL_FQDN}/appsuite/ \
    ox/cfg/saml.properties/com.openexchange.saml.providerName="Open-Xchange Service Provider" \
    ox/cfg/saml.properties/com.openexchange.saml.acsURL=https://${MAIL_FQDN}/appsuite/api/saml/acs \
    ox/cfg/saml.properties/com.openexchange.saml.slsURL=https://${MAIL_FQDN}/appsuite/api/saml/sls \
    ox/cfg/saml.properties/com.openexchange.saml.logoutResponseBinding=http-redirect \
    ox/cfg/saml.properties/com.openexchange.saml.logoutResponseTemplate=saml.logout.response.html.tmpl \
    ox/cfg/saml.properties/com.openexchange.saml.idpEntityID=https://${SSO_FQDN}/simplesamlphp/saml2/idp/metadata.php \
    ox/cfg/saml.properties/com.openexchange.saml.idpAuthnURL=https://${SSO_FQDN}/simplesamlphp/saml2/idp/SSOService.php \
    ox/cfg/saml.properties/com.openexchange.saml.idpLogoutURL=https://${SSO_FQDN}/simplesamlphp/saml2/idp/SingleLogoutService.php \
    ox/cfg/saml.properties/com.openexchange.saml.enableAutoLogin=false \
    ox/cfg/saml.properties/com.openexchange.saml.allowUnsolicitedResponses=true
Adjusting the Dovecot configuration
Dovecot only allows OX to access mailboxes with the master user if the following file has been created:
cat <<_EOT_ACL_ >>/etc/dovecot/conf.d/91-acl_user.conf
plugin {
    acl_user = %u
}
_EOT_ACL_
Re-starting services
Dovecot and OX have to be re-started now. The commands themselves return quickly; the OX re-start that continues in the background, however, can take some time, depending on the system.
/etc/init.d/dovecot restart
/etc/init.d/open-xchange restart
Creating service provider in UCS
To make the OX Service Provider known to the UCS Identity Provider, we'll add it via UDM:
udm saml/serviceprovider create \
    --ignore_exists \
    --position "cn=saml-serviceprovider,cn=univention,$ldap_base" \
    --set Identifier="https://${MAIL_FQDN}/appsuite/" \
    --set AssertionConsumerService="https://${MAIL_FQDN}/appsuite/api/saml/acs" \
    --set singleLogoutService="https://${MAIL_FQDN}/appsuite/api/saml/sls" \
    --set LDAPattributes="mailPrimaryAddress" \
    --set LDAPattributes="uid" \
    --set NameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" \
    --set attributesNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" \
    --set isActivated="TRUE" \
    --set serviceProviderOrganizationName="Open-Xchange Service Provider" \
    --set simplesamlAttributes="TRUE" \
    --set simplesamlNameIDAttribute="uid" \
    --set signLogouts="TRUE"
Single users or groups can now get permissions for this service provider. To grant access to all users, for example, the Domain Users group can get permission for the service provider. This does not work for UCS@school environments; there, the respective Domain Users <School> groups have to get separate permissions.
udm groups/group modify \
    --dn "cn=Domain Users,cn=groups,${ldap_base}" \
    --append serviceprovidergroup=SAMLServiceProviderIdentifier=https://${MAIL_FQDN}/appsuite/,cn=saml-serviceprovider,cn=univention,${ldap_base}
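The saml.properties settings and the UDM service provider describe the same SP from two sides, and they have to agree exactly: entityID with Identifier, acsURL with AssertionConsumerService and slsURL with singleLogoutService. A trailing slash that is present on one side only is enough for the IdP to reject the AuthnRequest or to post the assertion to an endpoint OX does not serve. As an added example that is not part of this oxpedia page, the following shell functions read the three keys from a properties file and compare them with the values that were given to udm. The properties file used in the demo is constructed with the page's value layout; the location of the real file and the key names are assumptions based on the UCR variables above.

```shell
#!/bin/sh
# Added example, not from the oxpedia page: check that the service provider OX
# describes in saml.properties and the one registered in UDM are the same.
# Assumptions (labelled): the properties file uses the keys shown on the page
# (com.openexchange.saml.entityID, .acsURL, .slsURL), and the UDM values are
# passed in exactly as they were given to "udm saml/serviceprovider create".

# Read one key from a Java-style properties file (first match, no unescaping).
prop_get() {  # $1 file, $2 key
    key_re="$(printf '%s' "$2" | sed 's/\./\\./g')"
    sed -n "s|^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*||p" "$1" | head -n 1
}

# Compare OX's SP settings with the values UDM was given. Prints every
# mismatch on stderr and returns the number of mismatches (0 = consistent).
check_sp_registration() {  # $1 properties file, $2 Identifier, $3 AssertionConsumerService, $4 singleLogoutService
    errors=0
    for pair in "entityID=$2" "acsURL=$3" "slsURL=$4"; do
        key="com.openexchange.saml.${pair%%=*}"
        udm_value="${pair#*=}"
        ox_value="$(prop_get "$1" "$key")"
        if [ "$ox_value" != "$udm_value" ]; then
            echo "MISMATCH $key: saml.properties='$ox_value' udm='$udm_value'" >&2
            errors=$((errors + 1))
        fi
    done
    return "$errors"
}

# Constructed sample (not a real system's file) with the page's value layout.
demo_dir="$(mktemp -d)"
cat > "$demo_dir/saml.properties" <<'EOF'
com.openexchange.saml.enabled=true
com.openexchange.saml.entityID=https://mail.domain.name/appsuite/
com.openexchange.saml.acsURL=https://mail.domain.name/appsuite/api/saml/acs
com.openexchange.saml.slsURL=https://mail.domain.name/appsuite/api/saml/sls
EOF
# consistent registration -> rc 0
check_sp_registration "$demo_dir/saml.properties" \
    "https://mail.domain.name/appsuite/" \
    "https://mail.domain.name/appsuite/api/saml/acs" \
    "https://mail.domain.name/appsuite/api/saml/sls" && echo "SP registration consistent"
# Identifier without the trailing slash -> one mismatch, rc 1
check_sp_registration "$demo_dir/saml.properties" \
    "https://mail.domain.name/appsuite" \
    "https://mail.domain.name/appsuite/api/saml/acs" \
    "https://mail.domain.name/appsuite/api/saml/sls" || echo "rc $?"
rm -rf "$demo_dir"
```

On the UCS host, point the first argument at the saml.properties that ucr commit generated for OX (assumed to live next to as-config.yml under /opt/open-xchange/etc/) or write the three ucr get values for the ox/cfg/saml.properties keys into a temporary file, and pass the Identifier, AssertionConsumerService and singleLogoutService values from the udm call above.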