mirror of
https://github.com/EGroupware/egroupware.git
synced 2024-12-29 10:09:24 +01:00
8.9 KiB
8.9 KiB
Configure EGroupware for SSO via SAML with Univention
SAML IdP need to be enabled, see UCS Manual about login
ucs-sso.<domain>
need to resolve to one or more primary or secondary domain controllers- if you use LetsEncrypt, you should add the above domain to your certificate
- UCS config registry variable
portal/auth-mode
has to be set tosaml
- portal server needs to be restarted:
systemctl restart univention-portal-server.service
EGroupware needs to be configured for SAML via Setup (https://egw.example.org/egroupware/setup/
)
- Login into setup with user
admin
and the password from/var/lib/egroupware/egroupware-docker-install.log
- Go to [Edit current configuration]
If using SAML 2.0 / Shibboleth / SimpleSAMLphp: | |
Label to display as option on login page: or leave empty and select SAML as authentication type above for single sign on |
|
Identity Provider: You can specify multiple IdP on separate lines. |
<a href="https://ucs.example.org/simplesamlphp/saml2/idp/metadata.php" class="link">https://ucs.example.org/simplesamlphp/saml2/idp/metadata.php</a> |
Metadata: refresh daily weekly not automatic just now |
|
Certificate Metadata is signed with: (Will be downloaded once, unless changed.) | |
Result data to use as username: | eduPersonPrincipalName eduPersonUniqueId emailAddress uid custom OID |
Result data to add or remove extra membership: | eduPersonAffiliation custom OID |
Result values (comma-separated) and group-name to add or remove: | |
Allow SAML logins to join existing accounts: (Requires SAML optional on login page and user to specify username and password) |
No Replace username and email Replace username and keep email Use account description to store SAML username |
Match SAML usernames to existing ones (use strings or regular expression): | |
Some information for the own Service Provider metadata: | Metadata URL |
Name for Service Provider: | |
Technical contact: |
For Univention the Metadata-URL is also the ID of the IdP!
Configure EGroupware as service-provide in your UCS domain: Domain > LDAP directory > SAML service provider
- Add: Type: SAML service provider
X Service provider activation status
Service provider identifier: https://egw.example.org/egroupware/saml/module.php/saml/sp/metadata.php/default-sp
Respond to this service provider URL after login: https://egw.example.org/egroupware/saml/module.php/saml/sp/saml2-acs.php/default-sp
Single logout URL for this service provider: https://egw.example.org/egroupware/saml/module.php/saml/sp/saml2-logout.php/default-sp
Format of NameID attribute:
Name of the attribute that is used as NameID: uid
Name of the organization for this service provider: EGroupware
Description of this service provider:
X Enable signed Logouts
- After saving the above, you have to edit the
Extended Settings
of your new Service Provide
X Allow transfering LDAP attributes to the Service Provider
LDAP Attribute Name: uid
LDAP Attribute Name: mailPrimaryAddress
LDAP Attribute Name: givenName
LDAP Attribute Name: sn
- If you want an automatic SAML SingleSignOn, eg. by clicking on an EGroupware tile in the portal,
you need to switch in Setup > Site configuration
Authentication
toSAML
and remove theTest SSO
label from the beginning of the SAML configuration. - To be able to use a password login in the above case, you need to add the following to your DB:
INSERT INTO egw_config VALUES ('phpgwapi', 'univention_discovery', 'true');
Clear the cache and use the following URL: https://example.org/egroupware/login.php?auth=univention
- Some useful links
Configure EMail access without password
EGroupware normally use the session password to authenticate with the mail-server / Dovecot. If you use SSO (single sign on), EGroupware does not know your password and therefore can not pass it to the mail server.
- login via ssh as user root to your mailserver
- note the password from /etc/dovecot/master-users (secretpassword in the example below)
dovecotadmin:{PLAIN}secretpassword::::::
- add the following line to your /etc/dovecot/global-acls
echo "* user=dovecotadmin lra" >> /etc/dovecot/global-acls
doveadm reload
- login with a user that has EGroupware admin rights
- go to Administration, right-click on a user and select mail-account
- in IMAP tab fill in the credentials:
Admin user: dovecotadmin
Password: secretpassword
X Use admin credentials to connect without a session-password, e.g. for SSO
Currently, there are two bugs, you need to work around:
- EGroupware checks the above user/password as an IMAP user, so you need to additionally create him as UCS user with mail, in order to be able to store the dialog.
- The account you use for testing, must NOT have any additional personal mail accounts, as you get an error in that case, when you open the mail app.
- log out and in again with SSO and check everything works