AppSuite:UCS OIDC SSO with OX App Suite: Difference between revisions
No edit summary |
m (Khgras moved page AppSuite:UCS ODIC SSO with OX App Suite to AppSuite:UCS OIDC SSO with OX App Suite) |
(No difference)
|
Latest revision as of 05:53, 26 October 2021
Univention Corporate Server OIDC-SSO Configuration with OX App Suite
Preconditions
Before starting the configuration process, it is advisable to test the SAML login to UCS to ensure that it works. Authentication via SAML login works as follows. This is required, because OIDC uses SAML as an authentication base.
https://<Hostname>/univention/saml
Configuration
Setting FQDNs
The following three variables have to be set according to the environment. Multiple or all variables can contain the same FQDN.
# FQDN for accessing the SSO - can be found in UCR: ucr get ucs/server/sso/fqdn SSO_FQDN=ucs-sso.domain.name # FQDN for accessing the portal PORTAL_FQDN=portal.domain.name # FQDN for accessing OX MAIL_FQDN=mail.domain.name
Adjusting the provisioning
The UCS users are provisioned in OX via CLI interfaces and then written to a MySQL database. The database has a imapLogin
field that is used by OX to log in to the user's inbox. As default it is set to the user's mail address. If SSO is to be used, it has to be appended with an asterisk and the mail server's master user. For Dovecot this would be *dovecotadmin
and looks as follows:
meinuser@maildomain.de*dovecotadmin
The following two commands have to be executed to let the users be provisioned respectively by the listener:
ucr set ox/listener/imaplogin_value='{}*dovecotadmin' service univention-directory-listener restart
Adjusting existing users
For already existing users, the imapLogin field has to be adjusted. See: How To: Change the OX attribute imaplogin for existing users
Installing packages
univention-app install openid-connect-provider
univention-install open-xchange-oidc-ucs open-xchange-authentication-ucs open-xchange-authentication-ucs-common open-xchange-oidc-ucs
Getting UCR variables into the shell
As we will need UCR variables for the following steps, we'll get them as shell variables:
eval "$(ucr shell)"
Verify IdP Metadata is available
The IdP Metadata is reachable via https://ucs-sso.domain.name/.well-known/openid-configuration
Configure default Signing method for IdP
As OX does not support the default singing method, it must be changed to a supported value
univention-app configure openid-connect-provider --set oidc/konnectd/signing_method=RS256
Add OX as an RP to the IdP
client_id=openxchange client_secret=averylongsecret FQDN=ox-server-fqdn redirectURI=https://$FQDN/appsuite/api/oidc/auth udm oidc/rpservice create --set name=openxchange --position cn=oidc,cn=univention,$(ucr get ldap/base) --set clientid=$client_id --set clientsecret=$client_secret --set trusted=yes --set applicationtype=web --set redirectURI=https://$FQDN/appsuite/api/oidc/auth
Basic configuration in UCR
We change some configuration parameters so that OX uses SSO. Furthermore we use a master password for Dovecot to enable OX to open the user's inbox without the user's password. *Attention*: If the master password will be changed in the future, it has to be changed in /etc/dovecot/master-users
as well as in /etc/dovecot-master.secret
.
p="$(cat /etc/dovecot/master-users | sed -e 's|.*{PLAIN}||;s|:.*||')" echo -n "$p" > /etc/dovecot-master.secret chmod 600 /etc/dovecot-master.secret ucr set ox/cfg/mailfilter.properties/com.openexchange.mail.filter.masterPassword="@&@/etc/dovecot-master.secret@&@" \ ox/cfg/mail.properties/com.openexchange.mail.masterPassword="@&@/etc/dovecot-master.secret@&@" ucr set ox/cfg/mailfilter.properties/com.openexchange.mail.filter.loginType='global' \ ox/cfg/mailfilter.properties/com.openexchange.mail.filter.passwordSource='global' \ ox/cfg/mail.properties/com.openexchange.mail.mailServerSource='global' \ ox/cfg/mail.properties/com.openexchange.mail.passwordSource='global' \ ox/cfg/sessiond.properties/com.openexchange.sessiond.autologin='false'
Configuration files for OIDC
Besides the UCR configuration parameters, we also have to set up two configuration files. Those will contain the FQDNs of SSO, Portal and OX itself in various locations.
cat <<__EOT_asconfig__ > /opt/open-xchange/etc/as-config.yml # Override certain settings default: host: all samlLogin: false oidcLogin: true oidcPath: /oidc # Override certain settings for certain hosts #myhost: # host: myexchange.myhost.mytld # someConfig: some overriding value __EOT_asconfig__
Create properties file
touch /opt/open-xchange/etc/openid.properties
Configure openid on OX
Issuer="https://${SSO_FQDN}" userInfoEndpoint="${Issuer}/konnect/v1/userinfo" authEndpoint="${Issuer}/signin/v1/identifier/_/authorize" tokenEndpoint="${Issuer}/konnect/v1/token" jwkSetEndpoint="${Issuer}/konnect/v1/jwks.json"
ucr set set ox/cfg/authplugin.properties/com.openexchange.authentication.ucs.searchFilter='(&(objectClass=oxUserObject)(|(uid=%s)(mailPrimaryAddress=%s)))' \ ox/cfg/sessiond.properties/com.openexchange.sessiond.autologin=false \ ox/cfg/openid.properties/com.openexchange.oidc.enabled=true \ ox/cfg/openid.properties/com.openexchange.oidc.ucs.enabled=true \ ox/cfg/openid.properties/com.openexchange.oidc.startDefaultBackend=false \ ox/cfg/openid.properties/com.openexchange.oidc.clientId="$client_id" \ ox/cfg/openid.properties/com.openexchange.oidc.clientSecret="$client_secret" \ ox/cfg/openid.properties/com.openexchange.oidc.opIssuer="$Issuer" \ ox/cfg/openid.properties/com.openexchange.oidc.ucs.userInfoEndpoint="$userInfoEndpoint" \ ox/cfg/openid.properties/com.openexchange.oidc.opAuthorizationEndpoint="$authEndpoint" \ ox/cfg/openid.properties/com.openexchange.oidc.opTokenEndpoint="$tokenEndpoint" \ ox/cfg/openid.properties/com.openexchange.oidc.opJwkSetEndpoint="$jwkSetEndpoint" \ ox/cfg/openid.properties/com.openexchange.oidc.jwsAlgorithm=RS256 \ ox/cfg/openid.properties/com.openexchange.oidc.scope="email;openid;profile;offline_access" \ ox/cfg/openid.properties/com.openexchange.oidc.userLookupClaim=email \ ox/cfg/openid.properties/com.openexchange.oidc.rpRedirectURIAuth="$redirectURI"
Adjusting the Dovecot configuration
Dovecot only allows the access with a master user by OX if the following file has been created:
cat <<_EOT_ACL_ >>/etc/dovecot/conf.d/91-acl_user.conf plugin { acl_user = %u } _EOT_ACL_
Re-starting services
Dovecot and OX have to be re-started now. The commands shouldn't run long; the OX re-start in the background though can take some time, depending on the system.
/etc/init.d/dovecot restart service open-xchange restart