owncloud / configreport

GNU Affero General Public License v3.0

which environment variable needs to be used for SSO shibboleth authentication #38

Closed spaceone closed 7 years ago

spaceone commented 7 years ago

Hello,

we tried to set up Single Sign-On for owncloud using Shibboleth as explained here: https://doc.owncloud.org/server/10.0/admin_manual/enterprise/user_management/user_auth_shibboleth.html?highlight=saml

We are using a Univention Corporate Server 4.2-1 as Identity Provider.

The setup succeeded so far; the SAML authentication at Apache with mod_shib seems to work, but the owncloud service provider shows this error message during login:

The IdP did not pass the uid (persistent-id) properly to this service.
Please contact the administrator to get this resolved.

Question: Does shibboleth or owncloud provide an XML file describing the SAML service provider (urn:oasis:names:tc:SAML:2.0:metadata EntityDescriptor)?

Question: What values from the SAML Response message does mod_shib write into which environment variables? My SAML Response message contains a Name-ID and some attributes. Are the attributes necessary or does it only use the Name-ID? Which Name-ID Format do I need to specify then? From the /etc/shibboleth/attribute-map.xml it seems urn:oasis:names:tc:SAML:2.0:nameid-format:persistent needs to be used? Or is it urn:mace:dir:attribute-def:eduPersonPrincipalName?

If I access /Shibboleth.sso/Session I see:

Miscellaneous
Session Expiration (barring inactivity): 471 minute(s)
Client Address: 172.17.42.1
SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
Identity Provider: https://ucs-sso.lmz.intranet/simplesamlphp/saml2/idp/metadata.php
Authentication Time: 2017-08-25T15:58:53Z
Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:Password
Authentication Context Decl: (none)

Attributes
persistent-id: 1 value(s)

So I set up:

# sudo -u www-data php occ shibboleth:mapping -u persistent-id
Checking "Shib-Session-ID" in environment to detect shibboleth session
Reading uid from "persistent-id"
Reading email from "eppn"
Reading display name from "eppn"

My SAML Response message looks like this:

<ns0:Response Destination="https://mdm.lmz.intranet/Shibboleth.sso/SAML2/POST" ID="_795936801ad234e082a3799f4368ae820046b8adf4" IssueInstant="2017-08-25T15:25:14Z" Version="2.0" xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <ns1:Issuer>https://ucs-sso.lmz.intranet/simplesamlphp/saml2/idp/metadata.php</ns1:Issuer>
        <ns0:Status>
                <ns0:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
        </ns0:Status>
        <ns1:Assertion ID="_8e90456693fe68142c356be1625f5ab984d34ba52d" IssueInstant="2017-08-25T15:25:14Z" Version="2.0">
                <ns1:Issuer>https://ucs-sso.lmz.intranet/simplesamlphp/saml2/idp/metadata.php</ns1:Issuer>
                <ns1:Subject>
                        <ns1:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" SPNameQualifier="https://mdm.lmz.intranet/shibboleth">michel02</ns1:NameID>
                        <ns1:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                                <ns1:SubjectConfirmationData NotOnOrAfter="2017-08-25T15:30:14Z" Recipient="https://mdm.lmz.intranet/Shibboleth.sso/SAML2/POST"/>
                        </ns1:SubjectConfirmation>
                </ns1:Subject>
                <ns1:Conditions NotBefore="2017-08-25T15:24:44Z" NotOnOrAfter="2017-08-25T15:30:14Z">
                        <ns1:AudienceRestriction>
                                <ns1:Audience>https://mdm.lmz.intranet/shibboleth</ns1:Audience>
                        </ns1:AudienceRestriction>
                </ns1:Conditions>
                <ns1:AuthnStatement AuthnInstant="2017-08-25T15:25:14Z" SessionIndex="_8b481d9bb18a09e0685716ccda9e4153ee61e089bb" SessionNotOnOrAfter="2017-08-25T23:25:14Z">
                        <ns1:AuthnContext>
                                <ns1:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns1:AuthnContextClassRef>
                        </ns1:AuthnContext>
                </ns1:AuthnStatement>
                <ns1:AttributeStatement>
                        <ns1:Attribute Name="uid">
                                <ns1:AttributeValue xsi:type="xs:string">michel02</ns1:AttributeValue>
                        </ns1:Attribute>
                        <ns1:Attribute Name="mailPrimaryAddress">
                                <ns1:AttributeValue xsi:type="xs:string">michel02@lmz.intranet</ns1:AttributeValue>
                        </ns1:Attribute>
                </ns1:AttributeStatement>
        </ns1:Assertion>
</ns0:Response>

spaceone commented 7 years ago

2017-08-25 18:36:05 DEBUG OpenSAML.MessageDecoder.SAML2 [10]: extracting issuer from SAML 2.0 protocol message
2017-08-25 18:36:05 DEBUG OpenSAML.MessageDecoder.SAML2 [10]: message from (https://ucs-sso.lmz.intranet/simplesamlphp/saml2/idp/metadata.php)
2017-08-25 18:36:05 DEBUG OpenSAML.MessageDecoder.SAML2 [10]: searching metadata for message issuer...
2017-08-25 18:36:05 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [10]: evaluating message flow policy (replay checking on, expiration 60)
2017-08-25 18:36:05 DEBUG XMLTooling.StorageService [10]: inserted record (_6f6fb3922452d4d4b4512907d0615b6affcd434548) in context (MessageFlow) with expiration (1503679205)
2017-08-25 18:36:05 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [10]: validating signature profile
2017-08-25 18:36:05 DEBUG XMLTooling.TrustEngine.ExplicitKey [10]: attempting to validate signature with the peer's credentials
2017-08-25 18:36:05 DEBUG XMLTooling.TrustEngine.ExplicitKey [10]: signature validated with credential
2017-08-25 18:36:05 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [10]: signature verified against message issuer
2017-08-25 18:36:05 DEBUG Shibboleth.SSO.SAML2 [10]: processing message against SAML 2.0 SSO profile
2017-08-25 18:36:05 DEBUG Shibboleth.SSO.SAML2 [10]: extracting issuer from SAML 2.0 assertion
2017-08-25 18:36:05 DEBUG OpenSAML.SecurityPolicyRule.MessageFlow [10]: evaluating message flow policy (replay checking on, expiration 60)
2017-08-25 18:36:05 DEBUG XMLTooling.StorageService [10]: inserted record (_aafe5216875f75821a5d51496a7005d22c154ddb9b) in context (MessageFlow) with expiration (1503679205)
2017-08-25 18:36:05 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [10]: validating signature profile
2017-08-25 18:36:05 DEBUG XMLTooling.TrustEngine.ExplicitKey [10]: attempting to validate signature with the peer's credentials
2017-08-25 18:36:05 DEBUG XMLTooling.TrustEngine.ExplicitKey [10]: signature validated with credential
2017-08-25 18:36:05 DEBUG OpenSAML.SecurityPolicyRule.XMLSigning [10]: signature verified against message issuer
2017-08-25 18:36:05 DEBUG OpenSAML.SecurityPolicyRule.BearerConfirmation [10]: assertion satisfied bearer confirmation requirements
2017-08-25 18:36:05 DEBUG Shibboleth.SSO.SAML2 [10]: SSO profile processing completed successfully
2017-08-25 18:36:05 DEBUG Shibboleth.SSO.SAML2 [10]: extracting pushed attributes...
2017-08-25 18:36:05 DEBUG Shibboleth.AttributeExtractor.XML [10]: unable to extract attributes, unknown XML object type: samlp:Response
2017-08-25 18:36:05 DEBUG Shibboleth.AttributeDecoder.NameID [10]: decoding NameIDAttribute (persistent-id) from SAML 2 NameID with Format (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent)
2017-08-25 18:36:05 DEBUG Shibboleth.AttributeExtractor.XML [10]: unable to extract attributes, unknown XML object type: saml:AuthnStatement
2017-08-25 18:36:05 INFO Shibboleth.AttributeExtractor.XML [10]: skipping unmapped SAML 2.0 Attribute with Name: uid, Format:urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
2017-08-25 18:36:05 DEBUG Shibboleth.AttributeFilter [10]: filtering 1 attribute(s) from (https://ucs-sso.lmz.intranet/simplesamlphp/saml2/idp/metadata.php)
2017-08-25 18:36:05 DEBUG Shibboleth.AttributeFilter [10]: applying filtering rule(s) for attribute (persistent-id) from (https://ucs-sso.lmz.intranet/simplesamlphp/saml2/idp/metadata.php)
2017-08-25 18:36:05 DEBUG Shibboleth.SSO.SAML2 [10]: resolving attributes...
2017-08-25 18:36:05 DEBUG Shibboleth.AttributeResolver.Query [10]: found AttributeStatement in input to new session, skipping query
2017-08-25 18:36:05 DEBUG Shibboleth.SessionCache [10]: creating new session
2017-08-25 18:36:05 DEBUG Shibboleth.SessionCache [10]: storing new session...
2017-08-25 18:36:05 DEBUG XMLTooling.StorageService [10]: inserted record (session) in context (_f0ed232345d44bfeb42cd68b3cd634f8) with expiration (1503682565)
2017-08-25 18:36:05 DEBUG XMLTooling.StorageService [10]: updated record (owncloud) in context (NameID) with expiration (1503707765)
2017-08-25 18:36:05 DEBUG XMLTooling.StorageService [10]: inserted record (_aafe5216875f75821a5d51496a7005d22c154ddb9b) in context (_f0ed232345d44bfeb42cd68b3cd634f8) with expiration (1503682565)
2017-08-25 18:36:05 INFO Shibboleth.SessionCache [10]: new session created: ID (_f0ed232345d44bfeb42cd68b3cd634f8) IdP (https://ucs-sso.lmz.intranet/simplesamlphp/saml2/idp/metadata.php) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (172.17.42.1)
2017-08-25 18:36:05 DEBUG XMLTooling.StorageService [10]: deleted record (97b03d5c3032687fb1ccf19551cc83cd249ecea7f49aa9cf496e48b815cde2ee) in context (RelayState)
2017-08-25 18:36:05 DEBUG Shibboleth.SSO.SAML2 [10]: ACS returning via redirect to: https://mdm.lmz.intranet/oc-shib/index.php
2017-08-25 18:36:05 DEBUG Shibboleth.Listener [9]: dispatching message (find::StorageService::SessionCache)
2017-08-25 18:36:05 DEBUG XMLTooling.StorageService [9]: updated expiration of valid records in context (_f0ed232345d44bfeb42cd68b3cd634f8) to (1503682565)

spaceone commented 7 years ago

If I add a PHP file which prints the environment variables I see:
  ["persistent-id"]=>
  string(110) "https://ucs-sso.lmz.intranet/simplesamlphp/saml2/idp/metadata.php!https://mdm.lmz.intranet/shibboleth!owncloud"

  ["REMOTE_USER"]=>
  string(110) "https://ucs-sso.lmz.intranet/simplesamlphp/saml2/idp/metadata.php!https://mdm.lmz.intranet/shibboleth!owncloud"

  ["PHP_AUTH_USER"]=>
  string(110) "https://ucs-sso.lmz.intranet/simplesamlphp/saml2/idp/metadata.php!https://mdm.lmz.intranet/shibboleth!owncloud"

The shibboleth configuration /etc/shibboleth/attribute-map.xml contains

    <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
    </Attribute>

What does owncloud expect in the attribute? Only the username or also the NameQualifier and the SPNameQualifier?

spaceone commented 7 years ago

It works when I change the attribute-map configuration to:

    <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$Name" defaultQualifiers="true"/>
    </Attribute>

That's stupid. I hope this gets documented. It cost multiple hours of debugging.
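The two comments above turn on how Shibboleth's NameIDAttributeDecoder builds the `persistent-id` value from the formatter string, and on what the SP should have checked before exporting it. The following is an added example written for this page; it is not code from the issue, from owncloud or from the Shibboleth SP. It parses a trimmed copy of the SAML response posted in the issue (constructed sample, same hostnames and NameID), reproduces the `$NameQualifier!$SPNameQualifier!$Name` versus `$Name` formatting, and runs the Conditions check (validity window and Audience) that precedes attribute export. The modelling of `defaultQualifiers="true"` (missing qualifiers fall back to the IdP entityID and the SP entityID) follows the documented decoder behaviour; the signature and bearer-confirmation checks visible in the shibd log are not re-implemented here.

```python
"""Added example: how a SAML 2.0 persistent NameID becomes the
`persistent-id` environment variable, and which assertion conditions
a relying party checks before trusting that value."""

import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample, trimmed from the response quoted in the issue.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Assertion Version="2.0">
    <saml:Issuer>https://ucs-sso.lmz.intranet/simplesamlphp/saml2/idp/metadata.php</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          SPNameQualifier="https://mdm.lmz.intranet/shibboleth">michel02</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2017-08-25T15:24:44Z" NotOnOrAfter="2017-08-25T15:30:14Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://mdm.lmz.intranet/shibboleth</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

SP_ENTITY_ID = "https://mdm.lmz.intranet/shibboleth"  # the SP's own entityID


def parse_name_id(response_xml):
    """Return the NameID and its qualifiers from the first assertion."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    return {
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "name": name_id.text,
        "format": name_id.get("Format"),
        "name_qualifier": name_id.get("NameQualifier"),
        "sp_name_qualifier": name_id.get("SPNameQualifier"),
    }


def format_persistent_id(name_id, formatter, default_qualifiers=True,
                         sp_entity_id=SP_ENTITY_ID):
    """Model of NameIDAttributeDecoder's formatter substitution.

    With defaultQualifiers="true" an absent NameQualifier defaults to the
    assertion issuer and an absent SPNameQualifier to the SP entityID
    (assumption: modelled on the documented decoder behaviour).
    """
    name_qualifier = name_id["name_qualifier"]
    sp_qualifier = name_id["sp_name_qualifier"]
    if default_qualifiers:
        name_qualifier = name_qualifier or name_id["issuer"]
        sp_qualifier = sp_qualifier or sp_entity_id
    # $NameQualifier must be substituted before $Name, which is its prefix.
    return (formatter.replace("$NameQualifier", name_qualifier or "")
                     .replace("$SPNameQualifier", sp_qualifier or "")
                     .replace("$Name", name_id["name"]))


def _parse_instant(value):
    """SAML timestamps are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(response_xml, expected_audience, now_iso):
    """Return a list of condition violations (empty when the assertion is usable)."""
    root = ET.fromstring(response_xml)
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    now = _parse_instant(now_iso)
    problems = []
    if cond.get("NotBefore") and now < _parse_instant(cond.get("NotBefore")):
        problems.append("not yet valid")
    if cond.get("NotOnOrAfter") and now >= _parse_instant(cond.get("NotOnOrAfter")):
        problems.append("expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audiences and expected_audience not in audiences:
        problems.append("audience mismatch")
    return problems


if __name__ == "__main__":
    nid = parse_name_id(SAMPLE_RESPONSE)
    for fmt in ("$NameQualifier!$SPNameQualifier!$Name", "$Name"):
        print(f'formatter="{fmt}" -> persistent-id={format_persistent_id(nid, fmt)}')
    print("conditions:", check_conditions(SAMPLE_RESPONSE, SP_ENTITY_ID,
                                          "2017-08-25T15:25:14Z") or "ok")
```

The qualified form is what the issue's PHP dump shows in `persistent-id` and `REMOTE_USER`; the bare `$Name` form is what made the owncloud mapping work. Keep in mind that the qualifiers are what make a persistent identifier unique across issuers, so an application keyed on the bare value relies on every trusted IdP using disjoint name spaces.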