https://<Hostname>/univention/saml
== Migration OX App Suite SSO to Keycloak ==

The previously provided configuration information is outdated. Please follow the steps outlined in the migration guide available at: https://help.univention.com/t/howto-migrate-ox-sso-to-keycloak/24053/1

== Configuration ==

=== Setting FQDNs ===

The following three variables have to be set according to the environment. Multiple or all variables can contain the same FQDN.
<pre>
# FQDN for accessing the SSO - can be found in UCR: ucr get ucs/server/sso/fqdn
SSO_FQDN=ucs-sso.domain.name

# FQDN for accessing the portal
PORTAL_FQDN=portal.domain.name

# FQDN for accessing OX
MAIL_FQDN=mail.domain.name
</pre>
=== Adjusting the provisioning ===

The UCS users are provisioned in OX via CLI interfaces and then written to a MySQL database. The database has an <code>imapLogin</code> field that OX uses to log in to the user's inbox. By default it is set to the user's mail address. If SSO is to be used, an asterisk and the mail server's master user have to be appended to it. For Dovecot this would be <code>*dovecotadmin</code>, so the value looks as follows:

<pre>
meinuser@maildomain.de*dovecotadmin
</pre>

The following two commands have to be executed so that the listener provisions users with this <code>imapLogin</code> format from now on:

<pre>
ucr set ox/listener/imaplogin_value='{}*dovecotadmin'
service univention-directory-listener restart
</pre>

==== Adjusting existing users ====

For already existing users, the <code>imapLogin</code> field has to be adjusted. See: [https://help.univention.com/t/how-to-change-the-ox-attribute-imaplogin-for-existing-users/14455 How To: Change the OX attribute imaplogin for existing users]
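The following is an added example, not part of the wiki page or of Univention's own tooling. It applies the <code>{}*dovecotadmin</code> template from <code>ox/listener/imaplogin_value</code> to a mail address and audits a list of existing users for values that still lack the master-user suffix (the ones the section above says must be adjusted). It assumes the template uses <code>{}</code> as the only placeholder; the user records are constructed sample data, not real OX output.

```python
"""Added example (not from the Univention wiki page): apply the
ox/listener/imaplogin_value template and audit existing users.

Assumption: the template contains exactly one "{}" placeholder for the
user's mail address, as in the UCR value '{}*dovecotadmin' on the page.
SAMPLE_USERS below is constructed data."""

from typing import Dict, List


def imap_login_for(mail: str, template: str = "{}*dovecotadmin") -> str:
    """Return the imapLogin value the listener would write for `mail`."""
    if template.count("{}") != 1:
        raise ValueError("template must contain exactly one '{}' placeholder")
    if not mail or "*" in mail:
        # '*' separates login and master user, so it must not occur in the mail address.
        raise ValueError("invalid mail address: %r" % mail)
    return template.replace("{}", mail)


def users_needing_adjustment(users: List[Dict[str, str]],
                             master_user: str = "dovecotadmin") -> List[str]:
    """Return the mail addresses whose imapLogin is not '<mail>*<master_user>'.

    These are the pre-existing users that have to be fixed by hand (see the
    linked help article); users already in the right form are skipped.
    """
    suffix = "*" + master_user
    wrong = []
    for user in users:
        if user.get("imapLogin", "") != user["mail"] + suffix:
            wrong.append(user["mail"])
    return wrong


# Constructed sample records, in the shape a provisioning listing might have.
SAMPLE_USERS = [
    {"mail": "meinuser@maildomain.de", "imapLogin": "meinuser@maildomain.de*dovecotadmin"},
    {"mail": "alice@maildomain.de", "imapLogin": "alice@maildomain.de"},         # legacy value
    {"mail": "bob@maildomain.de", "imapLogin": "bob@maildomain.de*otheradmin"},  # wrong master user
]

if __name__ == "__main__":
    print(imap_login_for("alice@maildomain.de"))
    print(users_needing_adjustment(SAMPLE_USERS))
```

Run it against the real user list by replacing <code>SAMPLE_USERS</code> with the output of whatever listing tool is in use; the audit deliberately treats a value with the wrong master user as needing adjustment, since Dovecot would reject that login just like one without a suffix.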
=== Installing packages ===

<pre>
univention-app install openid-connect-provider
univention-install open-xchange-oidc-ucs open-xchange-authentication-ucs open-xchange-authentication-ucs-common
</pre>
=== Getting UCR variables into the shell ===

As we will need UCR variables for the following steps, we'll get them as shell variables:

<pre>
eval "$(ucr shell)"
</pre>
=== Verify IdP Metadata is available ===

The IdP Metadata is reachable via https://ucs-sso.domain.name/.well-known/openid-configuration (i.e. <code>https://${SSO_FQDN}/.well-known/openid-configuration</code>).
=== Configure default Signing method for IdP ===

As OX does not support the IdP's default signing method, it must be changed to a supported value:

<pre>
univention-app configure openid-connect-provider --set oidc/konnectd/signing_method=RS256
</pre>
=== Add OX as an RP to the IdP ===

<pre>
client_id=openxchange
client_secret=averylongsecret   # replace with a long random secret
FQDN="$MAIL_FQDN"               # the FQDN under which OX is reached, set above
redirectURI=https://$FQDN/appsuite/api/oidc/auth

udm oidc/rpservice create --set name=openxchange --position "cn=oidc,cn=univention,$(ucr get ldap/base)" --set clientid="$client_id" --set clientsecret="$client_secret" --set trusted=yes --set applicationtype=web --set redirectURI="$redirectURI"
</pre>
=== Basic configuration in UCR ===

We change some configuration parameters so that OX uses SSO. Furthermore we use a master password for Dovecot to enable OX to open the user's inbox without the user's password. '''Attention''': If the master password is changed in the future, it has to be changed in <code>/etc/dovecot/master-users</code> as well as in <code>/etc/dovecot-master.secret</code>.

<pre>
# extract the {PLAIN} master password from the Dovecot master-users file
p="$(sed -e 's|.*{PLAIN}||;s|:.*||' /etc/dovecot/master-users)"

# write it to the secret file OX reads; create it with mode 600 so it is never readable by others
(umask 077; printf '%s' "$p" > /etc/dovecot-master.secret)
chmod 600 /etc/dovecot-master.secret

ucr set ox/cfg/mailfilter.properties/com.openexchange.mail.filter.masterPassword="@&@/etc/dovecot-master.secret@&@" \
    ox/cfg/mail.properties/com.openexchange.mail.masterPassword="@&@/etc/dovecot-master.secret@&@"

ucr set ox/cfg/mailfilter.properties/com.openexchange.mail.filter.loginType='global' \
    ox/cfg/mailfilter.properties/com.openexchange.mail.filter.passwordSource='global' \
    ox/cfg/mail.properties/com.openexchange.mail.mailServerSource='global' \
    ox/cfg/mail.properties/com.openexchange.mail.passwordSource='global' \
    ox/cfg/sessiond.properties/com.openexchange.sessiond.autologin='false'
</pre>
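As an added example (not from the wiki page or from Univention), the steps above in script form: extract the <code>{PLAIN}</code> master password the way the <code>sed</code> expression does, but restricted to one master user; write the secret file with mode 600 from the first byte; and check that the secret file and <code>master-users</code> still agree, which is the situation the warning above is about. It assumes <code>master-users</code> lines look like <code>user:{PLAIN}password:...</code>; the sample line and the file paths (a temporary directory) are constructed.

```python
"""Added example (not from the Univention wiki page): handle the Dovecot
master password the way the page's shell snippet does, with checks.

Assumptions: /etc/dovecot/master-users holds lines of the form
'<user>:{PLAIN}<password>:...' (the layout the page's sed expression implies);
paths are parameters so the example runs in a temp dir. SAMPLE_MASTER_USERS
is constructed content, not a real credential."""

import os
import stat
import tempfile


def extract_master_password(master_users_text: str, user: str = "dovecotadmin") -> str:
    """Like sed -e 's|.*{PLAIN}||;s|:.*||', but only for the wanted user."""
    for line in master_users_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if fields[0] != user:
            continue
        if len(fields) < 2 or not fields[1].startswith("{PLAIN}"):
            raise ValueError("master user %r is not stored with a {PLAIN} password" % user)
        return fields[1][len("{PLAIN}"):]
    raise LookupError("master user %r not found" % user)


def write_secret_file(path: str, secret: str) -> int:
    """Write `secret` without a trailing newline (the page uses echo -n).

    The file is created with mode 0600 before any byte is written, so there is
    no window in which another local user could read it. Returns the mode bits.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.write(fd, secret.encode())
    finally:
        os.close(fd)
    os.chmod(path, 0o600)  # also corrects the mode if the file already existed
    return stat.S_IMODE(os.stat(path).st_mode)


def secret_in_sync(master_users_text: str, secret_path: str, user: str = "dovecotadmin") -> bool:
    """True if the secret file matches master-users (both must change together)."""
    with open(secret_path, "rb") as fh:
        return fh.read().decode() == extract_master_password(master_users_text, user)


# Constructed sample content of /etc/dovecot/master-users.
SAMPLE_MASTER_USERS = "dovecotadmin:{PLAIN}constructed-example-secret::::::\n"


def demo() -> dict:
    """Run the whole sequence in a temp dir and report the results."""
    path = os.path.join(tempfile.mkdtemp(), "dovecot-master.secret")
    mode = write_secret_file(path, extract_master_password(SAMPLE_MASTER_USERS))
    in_sync = secret_in_sync(SAMPLE_MASTER_USERS, path)
    # Simulate a rotated master password that was not copied to the secret file.
    stale = secret_in_sync("dovecotadmin:{PLAIN}rotated-secret::::::\n", path)
    return {"mode": mode, "in_sync": in_sync, "stale_detected": not stale}


if __name__ == "__main__":
    print(demo())
```

<code>secret_in_sync()</code> is the check to run after any master password rotation, before restarting OX: a stale <code>/etc/dovecot-master.secret</code> makes every mailbox login from OX fail while the IdP login still succeeds.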
=== Configuration files for OIDC ===

Besides the UCR configuration parameters, we also have to set up two configuration files. Those will contain the FQDNs of SSO, Portal and OX itself in various locations.

<pre>
cat <<__EOT_asconfig__ > /opt/open-xchange/etc/as-config.yml
# Override certain settings
default:
    host: all
    samlLogin: false
    oidcLogin: true
    oidcPath: /oidc

# Override certain settings for certain hosts
#myhost:
#    host: myexchange.myhost.mytld
#    someConfig: some overriding value
__EOT_asconfig__
</pre>

Create the properties file:

<pre>
touch /opt/open-xchange/etc/openid.properties
</pre>

Configure OpenID on OX. The endpoints are derived from the SSO FQDN set above:

<pre>
Issuer="https://${SSO_FQDN}"
userInfoEndpoint="${Issuer}/konnect/v1/userinfo"
authEndpoint="${Issuer}/signin/v1/identifier/_/authorize"
tokenEndpoint="${Issuer}/konnect/v1/token"
jwkSetEndpoint="${Issuer}/konnect/v1/jwks.json"

ucr set ox/cfg/authplugin.properties/com.openexchange.authentication.ucs.searchFilter='(&(objectClass=oxUserObject)(|(uid=%s)(mailPrimaryAddress=%s)))' \
    ox/cfg/sessiond.properties/com.openexchange.sessiond.autologin=false \
    ox/cfg/openid.properties/com.openexchange.oidc.enabled=true \
    ox/cfg/openid.properties/com.openexchange.oidc.ucs.enabled=true \
    ox/cfg/openid.properties/com.openexchange.oidc.startDefaultBackend=false \
    ox/cfg/openid.properties/com.openexchange.oidc.clientId="$client_id" \
    ox/cfg/openid.properties/com.openexchange.oidc.clientSecret="$client_secret" \
    ox/cfg/openid.properties/com.openexchange.oidc.opIssuer="$Issuer" \
    ox/cfg/openid.properties/com.openexchange.oidc.ucs.userInfoEndpoint="$userInfoEndpoint" \
    ox/cfg/openid.properties/com.openexchange.oidc.opAuthorizationEndpoint="$authEndpoint" \
    ox/cfg/openid.properties/com.openexchange.oidc.opTokenEndpoint="$tokenEndpoint" \
    ox/cfg/openid.properties/com.openexchange.oidc.opJwkSetEndpoint="$jwkSetEndpoint" \
    ox/cfg/openid.properties/com.openexchange.oidc.jwsAlgorithm=RS256 \
    ox/cfg/openid.properties/com.openexchange.oidc.scope="email;openid;profile;offline_access" \
    ox/cfg/openid.properties/com.openexchange.oidc.userLookupClaim=email \
    ox/cfg/openid.properties/com.openexchange.oidc.rpRedirectURIAuth="$redirectURI"
</pre>
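The endpoint URLs, signing algorithm, client id and redirect URI above are typed in by hand, so they can silently drift from what the IdP publishes under <code>.well-known/openid-configuration</code> and from what was registered with <code>udm oidc/rpservice create</code>. The following added example (not from the wiki page or from Univention/OX) cross-checks the three sources before OX is restarted. It assumes the Konnect endpoint paths used above and a discovery document in the standard OpenID Connect shape; the discovery document and RP record here are constructed samples, not fetched from a real server.

```python
"""Added example (not from the Univention wiki page): check the values fed
into ox/cfg/openid.properties against the IdP discovery document and the RP
registration. Assumptions: the Konnect endpoint paths from the page; a
discovery document as published at <Issuer>/.well-known/openid-configuration
(here constructed); an RP record as created with 'udm oidc/rpservice create'
(here constructed). SSO_FQDN and OX_FQDN are the page's placeholders."""

from typing import Dict, List

SSO_FQDN = "ucs-sso.domain.name"   # placeholder from the page
OX_FQDN = "mail.domain.name"       # placeholder from the page
ISSUER = "https://" + SSO_FQDN

# The values the page derives from $Issuer and writes with ucr set.
OX_OIDC_CONFIG = {
    "com.openexchange.oidc.opIssuer": ISSUER,
    "com.openexchange.oidc.opAuthorizationEndpoint": ISSUER + "/signin/v1/identifier/_/authorize",
    "com.openexchange.oidc.opTokenEndpoint": ISSUER + "/konnect/v1/token",
    "com.openexchange.oidc.opJwkSetEndpoint": ISSUER + "/konnect/v1/jwks.json",
    "com.openexchange.oidc.ucs.userInfoEndpoint": ISSUER + "/konnect/v1/userinfo",
    "com.openexchange.oidc.jwsAlgorithm": "RS256",
    "com.openexchange.oidc.clientId": "openxchange",
    "com.openexchange.oidc.rpRedirectURIAuth": "https://" + OX_FQDN + "/appsuite/api/oidc/auth",
}

# Constructed discovery document, in the shape an OpenID provider publishes.
SAMPLE_DISCOVERY = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/signin/v1/identifier/_/authorize",
    "token_endpoint": ISSUER + "/konnect/v1/token",
    "jwks_uri": ISSUER + "/konnect/v1/jwks.json",
    "userinfo_endpoint": ISSUER + "/konnect/v1/userinfo",
    "id_token_signing_alg_values_supported": ["RS256"],
}

# Constructed RP record, i.e. what was passed to 'udm oidc/rpservice create'.
SAMPLE_RP = {"clientid": "openxchange",
             "redirectURI": "https://" + OX_FQDN + "/appsuite/api/oidc/auth"}

# Which discovery field each OX property must equal.
ENDPOINT_MAP = {
    "com.openexchange.oidc.opIssuer": "issuer",
    "com.openexchange.oidc.opAuthorizationEndpoint": "authorization_endpoint",
    "com.openexchange.oidc.opTokenEndpoint": "token_endpoint",
    "com.openexchange.oidc.opJwkSetEndpoint": "jwks_uri",
    "com.openexchange.oidc.ucs.userInfoEndpoint": "userinfo_endpoint",
}


def check_oidc_config(cfg: Dict[str, str], discovery: Dict, rp: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the three sources agree."""
    problems = []
    for prop, field in ENDPOINT_MAP.items():
        value = cfg.get(prop, "")
        if value != discovery.get(field):
            problems.append("%s=%r does not match discovery %s=%r"
                            % (prop, value, field, discovery.get(field)))
        if not value.startswith("https://"):
            problems.append("%s is not an https:// URL" % prop)
    alg = cfg.get("com.openexchange.oidc.jwsAlgorithm")
    if alg not in discovery.get("id_token_signing_alg_values_supported", []):
        problems.append("IdP does not offer jwsAlgorithm %r (check oidc/konnectd/signing_method)" % alg)
    if cfg.get("com.openexchange.oidc.clientId") != rp.get("clientid"):
        problems.append("clientId differs from the registered RP")
    # Redirect URI comparison is exact: a trailing slash or different port breaks the login.
    if cfg.get("com.openexchange.oidc.rpRedirectURIAuth") != rp.get("redirectURI"):
        problems.append("rpRedirectURIAuth differs from the registered redirectURI")
    return problems


def demo() -> Dict[str, int]:
    """Count problems for the matching setup and for two constructed mismatches."""
    ok = check_oidc_config(OX_OIDC_CONFIG, SAMPLE_DISCOVERY, SAMPLE_RP)
    # IdP advertising only a different algorithm (constructed value).
    other_alg = dict(SAMPLE_DISCOVERY, id_token_signing_alg_values_supported=["PS256"])
    # RP registered with a trailing slash on the redirect URI (constructed).
    slash_rp = dict(SAMPLE_RP, redirectURI=SAMPLE_RP["redirectURI"] + "/")
    return {
        "matching": len(ok),
        "other_alg": len(check_oidc_config(OX_OIDC_CONFIG, other_alg, SAMPLE_RP)),
        "slash_redirect": len(check_oidc_config(OX_OIDC_CONFIG, SAMPLE_DISCOVERY, slash_rp)),
    }


if __name__ == "__main__":
    print(demo())
```

On a live system, replace <code>SAMPLE_DISCOVERY</code> with the parsed JSON from the metadata URL in the "Verify IdP Metadata" section and <code>OX_OIDC_CONFIG</code> with the values from <code>ucr dump</code>; each reported problem maps directly to one of the <code>ucr set</code> lines above.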
=== Adjusting the Dovecot configuration ===

Dovecot only allows access with a master user by OX if the following file has been created:

<pre>
cat <<_EOT_ACL_ >>/etc/dovecot/conf.d/91-acl_user.conf
plugin {
    acl_user = %u
}
_EOT_ACL_
</pre>
=== Restarting services ===

Dovecot and OX have to be restarted now. The commands themselves shouldn't run long; the OX restart in the background, though, can take some time depending on the system.

<pre>
/etc/init.d/dovecot restart
service open-xchange restart
</pre>