|
|
| (5 intermediate revisions by the same user not shown) |
| Line 1: |
Line 1: |
| | |
| | <div style="overflow: auto;"><div style="border-width:3px; border-style:solid; padding:5px; margin:1em; margin-left:5em; margin-right:5em;">[https://oxpedia.org/wiki/index.php?title=AppSuite:UCS_OIDC_SSO_with_OX_App_Suite Corporate Server OIDC-SSO Configuration with OX App Suite]</div></div> |
| | |
| = Univention Corporate Server SAML-SSO Configuration with OX App Suite = | | = Univention Corporate Server SAML-SSO Configuration with OX App Suite = |
|
| |
|
| Line 7: |
Line 10: |
| https://<Hostname>/univention/saml | | https://<Hostname>/univention/saml |
|
| |
|
| == Configuration == | | == Migration OX App Suite SSO to Keycloak == |
| | |
| === Setting FQDNs ===
| |
| | |
| The following three variables have to be set according to the environment. Multiple or all variables can contain the same FQDN.
| |
| | |
| # FQDN for accessing the SSO - can be found in UCR: ucr get ucs/server/sso/fqdn
| |
| SSO_FQDN=ucs-sso.domain.name
| |
|
| |
| # FQDN for accessing the portal
| |
| PORTAL_FQDN=portal.domain.name
| |
|
| |
| # FQDN for accessing OX
| |
| MAIL_FQDN=mail.domain.name
| |
| | |
| === Adjusting the provisioning ===
| |
| | |
| The UCS users are provisioned in OX via CLI interfaces and then written to a MySQL database. The database has a <code>imapLogin</code> field that is used by OX to log in to the user's inbox. As default it is set to the user's mail address. If SSO is to be used, it has to be appended with an asterisk and the mail server's master user. For Dovecot this would be <code>*dovecotadmin</code> and looks as follows:
| |
| | |
| meinuser@maildomain.de*dovecotadmin
| |
| | |
| The following two commands have to be executed to let the users be provisioned respectively by the listener:
| |
| | |
| ucr set ox/listener/imaplogin_value='{}*dovecotadmin'
| |
| service univention-directory-listener crestart
| |
| | |
| ==== Adjusting existing users ====
| |
| | |
| For already existing users, the imapLogin field has to be adjusted. See: [https://help.univention.com/t/how-to-change-the-ox-attribute-imaplogin-for-existing-users/14455 How To: Change the OX attribute imaplogin for existing users]
| |
| | |
| === Installing packages ===
| |
| | |
| univention-install open-xchange-saml-ucs open-xchange-saml
| |
| | |
| === Getting UCR variables into the shell ===
| |
| | |
| As we will need UCR variables for the following steps, we'll get them as shell variables:
| |
| | |
| eval "$(ucr shell)"
| |
| | |
| === Importing the SAML IdPs certificate into the Java Keystore ===
| |
| | |
| For OX to be able to validate the certificate that is used for signing the SAML Assertions, it has to be imported into the Java Keystore.
| |
| | |
| openssl pkcs12 -export -in /etc/simplesamlphp/${SSO_FQDN}-idp-certificate.crt -inkey /etc/simplesamlphp/${SSO_FQDN}-idp-certificate.key -chain -CAfile /etc/univention/ssl/ucsCA/CAcert.pem -name "${SSO_FQDN}" -out ${SSO_FQDN}.p12 -password pass:changeit
| |
|
| |
| keytool -importkeystore -deststorepass changeit -destkeystore my-keystore.jks -srckeystore ${SSO_FQDN}.p12 -srcstoretype PKCS12 -srcstorepass changeit
| |
|
| |
| keytool -export -alias ${SSO_FQDN} -file ${SSO_FQDN}.cer -keystore my-keystore.jks -deststorepass changeit
| |
|
| |
| keytool -import -alias ${SSO_FQDN} -file ${SSO_FQDN}.cer -keystore /etc/ssl/certs/java/cacerts -deststorepass changeit
| |
| | |
| === Basic configuration in UCR ===
| |
| | |
| We change some configuration parameters so that OX uses SSO. Furthermore we use a master password for Dovecot to enable OX to open the user's inbox without the user's password. *Attention*: If the master password will be changed in the future, it has to be changed in <code>/etc/dovecot/master-users</code> as well as in <code>/etc/dovecot-master.secret</code>.
| |
| | |
| p="$(cat /etc/dovecot/master-users | sed -e 's|.*{PLAIN}||;s|:.*||')"
| |
|
| |
| echo -n "$p" > /etc/dovecot-master.secret
| |
| chmod 600 /etc/dovecot-master.secret
| |
|
| |
| ucr set ox/cfg/mailfilter.properties/com.openexchange.mail.filter.masterPassword="@&@/etc/dovecot-master.secret@&@" \
| |
| ox/cfg/mail.properties/com.openexchange.mail.masterPassword="@&@/etc/dovecot-master.secret@&@"
| |
|
| |
| ucr set ox/cfg/mailfilter.properties/com.openexchange.mail.filter.loginType='global' \
| |
| ox/cfg/mailfilter.properties/com.openexchange.mail.filter.passwordSource='global' \
| |
| ox/cfg/mail.properties/com.openexchange.mail.mailServerSource='global' \
| |
| ox/cfg/mail.properties/com.openexchange.mail.passwordSource='global' \
| |
| ox/cfg/sessiond.properties/com.openexchange.sessiond.autologin='false'
| |
| | |
| === Configuration files for SAML IdP ===
| |
| | |
| Besides the UCR configuration parameters, we also have to set up two configuration files. Those will contain the FQDNs of SSO, Portal and OX itself in various locations.
| |
| | |
| cat <<__EOT_asconfig__ > /opt/open-xchange/etc/as-config.yml
| |
| # Override certain settings
| |
| default:
| |
| host: all
| |
| samlLogin: true
| |
| logoutLocation: 'https://${SSO_FQDN}/simplesamlphp/saml2/idp/initSLO.php?RelayState=/simplesamlphp/logout.php'
| |
|
| |
| # Override certain settings for certain hosts
| |
| #myhost:
| |
| # host: myexchange.myhost.mytld
| |
| # someConfig: some overriding value
| |
| __EOT_asconfig__
| |
| | |
| Regarding the configuration of SAML UCS properties, please refer to: https://documentation.open-xchange.com/components/middleware/config/7.10.1/#mode=search&term=open-xchange-saml-ucs
| |
| | |
| The <code>saml.properties</code> file can be edited using UCR variables:
| |
| | |
| ucr set \
| |
| ox/cfg/saml.properties/com.openexchange.saml.ucs.enabled=true \
| |
| ox/cfg/saml.properties/com.openexchange.saml.ucs.id=uid \
| |
| ox/cfg/saml.properties/com.openexchange.saml.ucs.logoutRedirectUrl=https://${PORTAL_FQDN}/univention/portal/ \
| |
| ox/cfg/saml.properties/com.openexchange.saml.ucs.keyStore=/etc/ssl/certs/java/cacerts \
| |
| ox/cfg/saml.properties/com.openexchange.saml.ucs.keyStorePass=changeit \
| |
| ox/cfg/saml.properties/com.openexchange.saml.ucs.certAlias = ${SSO_FQDN} \
| |
| ox/cfg/saml.properties/com.openexchange.saml.enabled=true \
| |
| ox/cfg/saml.properties/com.openexchange.saml.enableMetadataService=true \
| |
| ox/cfg/saml.properties/com.openexchange.saml.enableSingleLogout=true \
| |
| ox/cfg/saml.properties/com.openexchange.saml.entityID=https://${MAIL_FQDN}/appsuite/ \
| |
| ox/cfg/saml.properties/com.openexchange.saml.providerName="Open-Xchange Service Provider" \
| |
| ox/cfg/saml.properties/com.openexchange.saml.acsURL=https://${MAIL_FQDN}/appsuite/api/saml/acs \
| |
| ox/cfg/saml.properties/com.openexchange.saml.slsURL=https://${MAIL_FQDN}/appsuite/api/saml/sls \
| |
| ox/cfg/saml.properties/com.openexchange.saml.logoutResponseBinding=http-redirect \
| |
| ox/cfg/saml.properties/com.openexchange.saml.logoutResponseTemplate=saml.logout.response.html.tmpl
| |
| ox/cfg/saml.properties/com.openexchange.saml.idpEntityID=https://${SSO_FQDN}/simplesamlphp/saml2/idp/metadata.php \
| |
| ox/cfg/saml.properties/com.openexchange.saml.idpAuthnURL=https://${SSO_FQDN}/simplesamlphp/saml2/idp/SSOService.php \
| |
| ox/cfg/saml.properties/com.openexchange.saml.idpLogoutURL=https://${SSO_FQDN}/simplesamlphp/saml2/idp/SingleLogoutService.php \
| |
| ox/cfg/saml.properties/com.openexchange.saml.enableAutoLogin=false \
| |
| ox/cfg/saml.properties ox/cfg/saml.properties/com.openexchange.saml.allowUnsolicitedResponses=true
| |
| | |
| === Adjusting the Dovecot configuration ===
| |
| | |
| Dovecot only allows the access with a master user by OX if the following file has been created:
| |
| | |
| cat <<_EOT_ACL_ >>/etc/dovecot/conf.d/91-acl_user.conf
| |
| plugin {
| |
| acl_user = %u
| |
| }
| |
| _EOT_ACL_
| |
| | |
| === Re-starting services ===
| |
| | |
| Dovecot and OX have to be re-started now. The commands shouldn't run long; the OX re-start in the background though can take some time, depending on the system.
| |
| | |
| /etc/init.d/dovecot restart
| |
|
| |
| /etc/init.d/open-xchange restart
| |
| | |
| === Creating service provider in UCS ===
| |
| | |
| To make OX Service Provider known by the UCS Identity Provider, we'll add it via UDM:
| |
| | |
| udm saml/serviceprovider create \
| |
| --ignore_exists \
| |
| --position "cn=saml-serviceprovider,cn=univention,$ldap_base" \
| |
| --set Identifier="https://${MAIL_FQDN}/appsuite/" \
| |
| --set AssertionConsumerService="https://${MAIL_FQDN}/appsuite/api/saml/acs" \
| |
| --set singleLogoutService="https://${MAIL_FQDN}/appsuite/api/saml/sls" \
| |
| --set LDAPattributes="mailPrimaryAddress" \
| |
| --set LDAPattributes="uid" \
| |
| --set NameIDFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" \
| |
| --set attributesNameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" \
| |
| --set isActivated="TRUE" \
| |
| --set serviceProviderOrganizationName="Open-Xchange Service Provider" \
| |
| --set simplesamlAttributes="TRUE" \
| |
| --set simplesamlNameIDAttribute="uid" \
| |
| --set signLogouts="TRUE"
| |
| | |
| Single users or groups can now get permissions for this service provider. To e.g. grant access to all users, the Domain Users group can get permission for the service provider. This does not work for UCS@school environments. For those, the respective <code>Domain Users <School></code> groups have to get separate permissions.
| |
|
| |
|
| udm groups/group modify \
| | The previously provided configuration information is outdated. Please follow the steps outlined in the migration guide available at: https://help.univention.com/t/howto-migrate-ox-sso-to-keycloak/24053/1 |
| --dn "cn=Domain Users,cn=groups,${ldap_base}" \
| |
| --append serviceprovidergroup=SAMLServiceProviderIdentifier=https://${MAIL_FQDN}/appsuite/,cn=saml-serviceprovider,cn=univention,${ldap_base}
| |