AppSuite:UCS OIDC SSO with OX App Suite

Revision as of 05:24, 26 October 2021 by Khgras (Add OX as an RP to the IdP)

Univention Corporate Server OIDC-SSO Configuration with OX App Suite

Preconditions

Before starting the configuration, test the SAML login to UCS to ensure that it works; this is required because the OIDC provider uses SAML as its authentication base. The SAML login is reached at:

https://<Hostname>/univention/saml

Configuration

Setting FQDNs

The following three variables have to be set according to the environment. Multiple or all variables can contain the same FQDN.

# FQDN for accessing the SSO - can be found in UCR: ucr get ucs/server/sso/fqdn
SSO_FQDN=ucs-sso.domain.name

# FQDN for accessing the portal
PORTAL_FQDN=portal.domain.name

# FQDN for accessing OX
MAIL_FQDN=mail.domain.name

Adjusting the provisioning

The UCS users are provisioned in OX via CLI interfaces and then written to a MySQL database. The database has an imapLogin field that OX uses to log in to the user's inbox. By default it is set to the user's mail address. If SSO is to be used, the mail server's master user has to be appended to it, separated by an asterisk. For Dovecot this would be *dovecotadmin, so the value looks as follows:

meinuser@maildomain.de*dovecotadmin

The following two commands configure the listener so that users are provisioned with this value from now on:

ucr set ox/listener/imaplogin_value='{}*dovecotadmin'
service univention-directory-listener restart

Adjusting existing users

For already existing users, the imapLogin field has to be adjusted. See: How To: Change the OX attribute imaplogin for existing users

Installing packages

univention-app install openid-connect-provider
univention-install open-xchange-oidc-ucs open-xchange-authentication-ucs open-xchange-authentication-ucs-common

Getting UCR variables into the shell

As we will need UCR variables for the following steps, we'll get them as shell variables:

eval "$(ucr shell)"

Verify IdP Metadata is available

The IdP Metadata is reachable via https://ucs-sso.domain.name/.well-known/openid-configuration

Configure default Signing method for IdP

As OX does not support the IdP's default signing method, it must be changed to a supported value:

univention-app configure openid-connect-provider --set oidc/konnectd/signing_method=RS256

Add OX as an RP to the IdP

client_id=openxchange
client_secret=averylongsecret   # use a long, randomly generated secret
FQDN=ox-server-fqdn             # FQDN of the OX server, i.e. the MAIL_FQDN set above
redirectURI="https://$FQDN/appsuite/api/oidc/auth"
udm oidc/rpservice create --set name=openxchange --position "cn=oidc,cn=univention,$(ucr get ldap/base)" --set clientid="$client_id" --set clientsecret="$client_secret" --set trusted=yes --set applicationtype=web --set redirectURI="$redirectURI"

Basic configuration in UCR

We change some configuration parameters so that OX uses SSO. Furthermore, we use a master password for Dovecot to enable OX to open the user's inbox without the user's password. *Attention*: If the master password is changed in the future, it has to be changed in /etc/dovecot/master-users as well as in /etc/dovecot-master.secret.

# extract the plain-text master password from the master-users file
p="$(sed -e 's|.*{PLAIN}||;s|:.*||' /etc/dovecot/master-users)"

echo -n "$p" > /etc/dovecot-master.secret
chmod 600 /etc/dovecot-master.secret

ucr set ox/cfg/mailfilter.properties/com.openexchange.mail.filter.masterPassword="@&@/etc/dovecot-master.secret@&@" \
       ox/cfg/mail.properties/com.openexchange.mail.masterPassword="@&@/etc/dovecot-master.secret@&@"

ucr set ox/cfg/mailfilter.properties/com.openexchange.mail.filter.loginType='global' \
        ox/cfg/mailfilter.properties/com.openexchange.mail.filter.passwordSource='global' \
        ox/cfg/mail.properties/com.openexchange.mail.mailServerSource='global' \
        ox/cfg/mail.properties/com.openexchange.mail.passwordSource='global' \
        ox/cfg/sessiond.properties/com.openexchange.sessiond.autologin='false'

Configuration files for OIDC

Besides the UCR configuration parameters, we also have to set up two configuration files. Those will contain the FQDNs of SSO, Portal and OX itself in various locations.

cat <<__EOT_asconfig__ > /opt/open-xchange/etc/as-config.yml
# Override certain settings
default:
    host: all
    samlLogin: false
    oidcLogin: true
    oidcPath: /oidc

# Override certain settings for certain hosts
#myhost:
#    host: myexchange.myhost.mytld
#    someConfig: some overriding value
__EOT_asconfig__

Create properties file

touch /opt/open-xchange/etc/openid.properties

Configure openid on OX

Issuer="https://${SSO_FQDN}/"
userInfoEndpoint="${Issuer}konnect/v1/userinfo"
authEndpoint="${Issuer}signin/v1/identifier/_/authorize"
tokenEndpoint="${Issuer}konnect/v1/token"
jwkSetEndpoint="${Issuer}konnect/v1/jwks.json"
ucr set ox/cfg/authplugin.properties/com.openexchange.authentication.ucs.searchFilter='(&(objectClass=oxUserObject)(|(uid=%s)(mailPrimaryAddress=%s)))' \
    ox/cfg/sessiond.properties/com.openexchange.sessiond.autologin=false \
    ox/cfg/openid.properties/com.openexchange.oidc.enabled=true \
    ox/cfg/openid.properties/com.openexchange.oidc.ucs.enabled=true \
    ox/cfg/openid.properties/com.openexchange.oidc.startDefaultBackend=false \
    ox/cfg/openid.properties/com.openexchange.oidc.clientId="$client_id" \
    ox/cfg/openid.properties/com.openexchange.oidc.clientSecret="$client_secret" \
    ox/cfg/openid.properties/com.openexchange.oidc.opIssuer="$Issuer" \
    ox/cfg/openid.properties/com.openexchange.oidc.ucs.userInfoEndpoint="$userInfoEndpoint" \
    ox/cfg/openid.properties/com.openexchange.oidc.opAuthorizationEndpoint="$authEndpoint" \
    ox/cfg/openid.properties/com.openexchange.oidc.opTokenEndpoint="$tokenEndpoint" \
    ox/cfg/openid.properties/com.openexchange.oidc.opJwkSetEndpoint="$jwkSetEndpoint" \
    ox/cfg/openid.properties/com.openexchange.oidc.jwsAlgorithm=RS256 \
    ox/cfg/openid.properties/com.openexchange.oidc.scope="email;openid;profile;offline_access" \
    ox/cfg/openid.properties/com.openexchange.oidc.userLookupClaim=email
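Before restarting, it is worth checking that the endpoints, signing algorithm and scopes just written to openid.properties agree with what the IdP advertises in its discovery document (the URL from "Verify IdP Metadata is available"). The following Python check is an added example, not part of this page or of the OX/UCS packages; the discovery document it uses is a constructed sample shaped like the Konnect endpoints above, and the OX values mirror the ucr settings of this section.

```python
import json

SSO_FQDN = "ucs-sso.domain.name"          # the page's SSO_FQDN
ISSUER = f"https://{SSO_FQDN}/"

# Constructed sample; in practice fetch https://<SSO_FQDN>/.well-known/openid-configuration
DISCOVERY_JSON = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "signin/v1/identifier/_/authorize",
    "token_endpoint": ISSUER + "konnect/v1/token",
    "userinfo_endpoint": ISSUER + "konnect/v1/userinfo",
    "jwks_uri": ISSUER + "konnect/v1/jwks.json",
    "id_token_signing_alg_values_supported": ["RS256", "PS256", "ES256"],
    "scopes_supported": ["openid", "email", "profile", "offline_access"],
})

# com.openexchange.oidc.* values as set via ucr on this page
OX_PROPS = {
    "opIssuer": ISSUER,
    "opAuthorizationEndpoint": ISSUER + "signin/v1/identifier/_/authorize",
    "opTokenEndpoint": ISSUER + "konnect/v1/token",
    "ucs.userInfoEndpoint": ISSUER + "konnect/v1/userinfo",
    "opJwkSetEndpoint": ISSUER + "konnect/v1/jwks.json",
    "jwsAlgorithm": "RS256",
    "scope": "email;openid;profile;offline_access",
}

# OX property -> discovery field it must match
ENDPOINT_MAP = [("opIssuer", "issuer"), ("opAuthorizationEndpoint", "authorization_endpoint"),
                ("opTokenEndpoint", "token_endpoint"), ("ucs.userInfoEndpoint", "userinfo_endpoint"),
                ("opJwkSetEndpoint", "jwks_uri")]

def check_oidc_config(discovery_json: str, ox_props: dict) -> list:
    """Return the list of mismatches; an empty list means OX and the IdP agree."""
    disc = json.loads(discovery_json)
    problems = []
    for ox_key, disc_key in ENDPOINT_MAP:
        value = str(ox_props.get(ox_key, ""))
        if value != disc.get(disc_key):
            problems.append(f"{ox_key} != {disc_key}")
        if not value.startswith("https://"):   # codes and tokens must not travel in clear
            problems.append(f"{ox_key} is not https")
    # the page forces RS256 on the IdP; it has to be advertised as supported
    if ox_props.get("jwsAlgorithm") not in disc.get("id_token_signing_alg_values_supported", []):
        problems.append("jwsAlgorithm not offered by IdP")
    # OX separates scopes with ';'; every requested scope has to be offered by the IdP
    for scope in ox_props.get("scope", "").split(";"):
        if scope not in disc.get("scopes_supported", []):
            problems.append(f"scope {scope} not offered by IdP")
    return problems
```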

Adjusting the Dovecot configuration

Dovecot only allows OX to access a user's mailbox via the master user if the following file has been created:

cat <<_EOT_ACL_ >>/etc/dovecot/conf.d/91-acl_user.conf
plugin {
 acl_user = %u
}
_EOT_ACL_

Re-starting services

Dovecot and OX have to be restarted now. The commands themselves return quickly, but the OX restart continues in the background and can take some time, depending on the system.

/etc/init.d/dovecot restart

/etc/init.d/open-xchange restart