Difference between revisions of "AppSuite:UCS SAML SSO with OX App Suite"

 
Line 1: Line 1:
  
<div style="overflow: auto;"><div style="border-width:3px; border-style:solid; padding:5px; margin:1em; margin-left:5em; margin-right:5em;">[https://oxpedia.org/wiki/index.php?title=AppSuite:UCS_ODIC_SSO_with_OX_App_Suite Univention Corporate Server ODIC-SSO Configuration with OX App Suite]</div></div>
+
<div style="overflow: auto;"><div style="border-width:3px; border-style:solid; padding:5px; margin:1em; margin-left:5em; margin-right:5em;">[https://oxpedia.org/wiki/index.php?title=AppSuite:UCS_OIDC_SSO_with_OX_App_Suite Corporate Server OIDC-SSO Configuration with OX App Suite]</div></div>
  
 
= Univention Corporate Server SAML-SSO Configuration with OX App Suite =
 
= Univention Corporate Server SAML-SSO Configuration with OX App Suite =

Latest revision as of 05:54, 26 October 2021

Univention Corporate Server SAML-SSO Configuration with OX App Suite

Preconditions

Before starting the configuration process, it is advisable to test the SAML login to UCS to ensure that it works. Authentication via SAML login works as follows.

https://<Hostname>/univention/saml

Configuration

Setting FQDNs

The following three variables have to be set according to the environment. Multiple or all variables can contain the same FQDN.

# FQDN for accessing the SSO - can be found in UCR: ucr get ucs/server/sso/fqdn
SSO_FQDN=ucs-sso.domain.name

# FQDN for accessing the portal
PORTAL_FQDN=portal.domain.name

# FQDN for accessing OX
MAIL_FQDN=mail.domain.name

Adjusting the provisioning

The UCS users are provisioned in OX via CLI interfaces and then written to a MySQL database. The database has a imapLogin field that is used by OX to log in to the user's inbox. As default it is set to the user's mail address. If SSO is to be used, it has to be appended with an asterisk and the mail server's master user. For Dovecot this would be *dovecotadmin and looks as follows:

meinuser@maildomain.de*dovecotadmin

The following two commands have to be executed to let the users be provisioned respectively by the listener:

ucr set ox/listener/imaplogin_value='{}*dovecotadmin'
service univention-directory-listener crestart

Adjusting existing users

For already existing users, the imapLogin field has to be adjusted. See: How To: Change the OX attribute imaplogin for existing users

Installing packages

univention-install open-xchange-saml-ucs open-xchange-saml

Getting UCR variables into the shell

As we will need UCR variables for the following steps, we'll get them as shell variables:

eval "$(ucr shell)"

Importing the SAML IdPs certificate into the Java Keystore

For OX to be able to validate the certificate that is used for signing the SAML Assertions, it has to be imported into the Java Keystore.

openssl pkcs12 -export -in /etc/simplesamlphp/${SSO_FQDN}-idp-certificate.crt -inkey /etc/simplesamlphp/${SSO_FQDN}-idp-certificate.key -chain -CAfile /etc/univention/ssl/ucsCA/CAcert.pem -name "${SSO_FQDN}" -out ${SSO_FQDN}.p12 -password pass:changeit

keytool -importkeystore -deststorepass changeit -destkeystore my-keystore.jks -srckeystore ${SSO_FQDN}.p12 -srcstoretype PKCS12 -srcstorepass changeit

keytool -export -alias ${SSO_FQDN} -file ${SSO_FQDN}.cer -keystore my-keystore.jks -deststorepass changeit

keytool -import -alias ${SSO_FQDN} -file ${SSO_FQDN}.cer -keystore /etc/ssl/certs/java/cacerts -deststorepass changeit

Basic configuration in UCR

We change some configuration parameters so that OX uses SSO. Furthermore we use a master password for Dovecot to enable OX to open the user's inbox without the user's password. *Attention*: If the master password will be changed in the future, it has to be changed in /etc/dovecot/master-users as well as in /etc/dovecot-master.secret.

p="$(cat /etc/dovecot/master-users | sed -e 's|.*{PLAIN}||;s|:.*||')"

echo -n "$p" > /etc/dovecot-master.secret
chmod 600 /etc/dovecot-master.secret

ucr set ox/cfg/mailfilter.properties/com.openexchange.mail.filter.masterPassword="@&@/etc/dovecot-master.secret@&@" \
       ox/cfg/mail.properties/com.openexchange.mail.masterPassword="@&@/etc/dovecot-master.secret@&@"

ucr set ox/cfg/mailfilter.properties/com.openexchange.mail.filter.loginType='global' \
        ox/cfg/mailfilter.properties/com.openexchange.mail.filter.passwordSource='global' \
        ox/cfg/mail.properties/com.openexchange.mail.mailServerSource='global' \
        ox/cfg/mail.properties/com.openexchange.mail.passwordSource='global' \
        ox/cfg/sessiond.properties/com.openexchange.sessiond.autologin='false'

Configuration files for SAML IdP

Besides the UCR configuration parameters, we also have to set up two configuration files. Those will contain the FQDNs of SSO, Portal and OX itself in various locations.

cat <<__EOT_asconfig__ > /opt/open-xchange/etc/as-config.yml
# Override certain settings
default:
    host: all
    samlLogin: true
    logoutLocation: 'https://${SSO_FQDN}/simplesamlphp/saml2/idp/initSLO.php?RelayState=/simplesamlphp/logout.php'

# Override certain settings for certain hosts
#myhost:
#    host: myexchange.myhost.mytld
#    someConfig: some overriding value
__EOT_asconfig__

Regarding the configuration of SAML UCS properties, please refer to: https://documentation.open-xchange.com/components/middleware/config/7.10.1/#mode=search&term=open-xchange-saml-ucs

The saml.properties file can be edited using UCR variables:

ucr set \
  ox/cfg/saml.properties/com.openexchange.saml.ucs.enabled=true \
  ox/cfg/saml.properties/com.openexchange.saml.ucs.id=uid \
  ox/cfg/saml.properties/com.openexchange.saml.ucs.logoutRedirectUrl=https://${PORTAL_FQDN}/univention/portal/ \
  ox/cfg/saml.properties/com.openexchange.saml.ucs.keyStore=/etc/ssl/certs/java/cacerts \
  ox/cfg/saml.properties/com.openexchange.saml.ucs.keyStorePass=changeit \
  ox/cfg/saml.properties/com.openexchange.saml.ucs.certAlias = ${SSO_FQDN} \
  ox/cfg/saml.properties/com.openexchange.saml.enabled=true \
  ox/cfg/saml.properties/com.openexchange.saml.enableMetadataService=true \
  ox/cfg/saml.properties/com.openexchange.saml.enableSingleLogout=true \
  ox/cfg/saml.properties/com.openexchange.saml.entityID=https://${MAIL_FQDN}/appsuite/ \
  ox/cfg/saml.properties/com.openexchange.saml.providerName="Open-Xchange Service Provider" \
  ox/cfg/saml.properties/com.openexchange.saml.acsURL=https://${MAIL_FQDN}/appsuite/api/saml/acs \
  ox/cfg/saml.properties/com.openexchange.saml.slsURL=https://${MAIL_FQDN}/appsuite/api/saml/sls \
  ox/cfg/saml.properties/com.openexchange.saml.logoutResponseBinding=http-redirect \
  ox/cfg/saml.properties/com.openexchange.saml.logoutResponseTemplate=saml.logout.response.html.tmpl
  ox/cfg/saml.properties/com.openexchange.saml.idpEntityID=https://${SSO_FQDN}/simplesamlphp/saml2/idp/metadata.php \
  ox/cfg/saml.properties/com.openexchange.saml.idpAuthnURL=https://${SSO_FQDN}/simplesamlphp/saml2/idp/SSOService.php \
  ox/cfg/saml.properties/com.openexchange.saml.idpLogoutURL=https://${SSO_FQDN}/simplesamlphp/saml2/idp/SingleLogoutService.php \
  ox/cfg/saml.properties/com.openexchange.saml.enableAutoLogin=false \
  ox/cfg/saml.properties  ox/cfg/saml.properties/com.openexchange.saml.allowUnsolicitedResponses=true

Adjusting the Dovecot configuration

Dovecot only allows the access with a master user by OX if the following file has been created:

cat <<_EOT_ACL_ >>/etc/dovecot/conf.d/91-acl_user.conf
plugin {
 acl_user = %u
}
_EOT_ACL_

Re-starting services

Dovecot and OX have to be re-started now. The commands shouldn't run long; the OX re-start in the background though can take some time, depending on the system.

/etc/init.d/dovecot restart

/etc/init.d/open-xchange restart

Creating service provider in UCS

To make OX Service Provider known by the UCS Identity Provider, we'll add it via UDM:

udm saml/serviceprovider create \
--ignore_exists \
--position "cn=saml-serviceprovider,cn=univention,$ldap_base" \
--set Identifier="https://${MAIL_FQDN}/appsuite/" \
--set AssertionConsumerService="https://${MAIL_FQDN}/appsuite/api/saml/acs" \
--set singleLogoutService="https://${MAIL_FQDN}/appsuite/api/saml/sls" \
--set LDAPattributes="mailPrimaryAddress" \
--set LDAPattributes="uid" \
--set NameIDFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" \
--set attributesNameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" \
--set isActivated="TRUE" \
--set serviceProviderOrganizationName="Open-Xchange Service Provider" \
--set simplesamlAttributes="TRUE" \
--set simplesamlNameIDAttribute="uid" \
--set signLogouts="TRUE"

Single users or groups can now get permissions for this service provider. To e.g. grant access to all users, the Domain Users group can get permission for the service provider. This does not work for UCS@school environments. For those, the respective Domain Users <School> groups have to get separate permissions.

udm groups/group modify \
--dn "cn=Domain Users,cn=groups,${ldap_base}" \
--append serviceprovidergroup=SAMLServiceProviderIdentifier=https://${MAIL_FQDN}/appsuite/,cn=saml-serviceprovider,cn=univention,${ldap_base}