Discourse forum SSO with UCS

I am trying to configure a Discourse forum to use UCS for SSO. There are Discourse plugins for LDAP, SAML and OpenID-Connect.

First I tried LDAP, but the Discourse plugin does not support synchronization of group membership.

Therefore I configured SAML, which supports memberOf on the Discourse side. For the UCS side I added memberOf to saml/idp/ldap/get_attributes and as an additional LDAP attribute of the identity provider. It shows up in /etc/simplesamlphp/metadata.d/https\:__forum....., but not in <saml:AttributeStatement>, which is written to /var/log/syslog after ucr set saml/idp/log/debug/enabled=true and ucr set saml/idp/log/level=DEBUG.

I found this thread which seems to solve a similar problem, but don’t understand how to apply this to my problem: UCS als SAML Identity Provider für AWS IAM

I did not try OpenID-Connect yet, but according to Modern Authentication and Authorization (SAML, OIDC, Oauth..) memberOf is not possible. Is this still true?

Thanks for your help!

Hi @Andreas_T,

As this has not been relevant in customer projects, this has not been changed so far.

It seems like memberOf shows up in <saml:AttributeStatement>, contrary to my previous statement. I did not figure out what was wrong when I tried it first.

There was another problem to solve: the Discourse SAML plugin needs the pure group names, without distinguished names. I modified it a bit here: https://github.com/ateuber/discourse-saml/tree/ucs. I will add an environment variable for UCS and do a pull request later.
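Added example (my own code, not the linked ucs fork of discourse-saml): it reduces memberOf values of the kind a UCS IdP emits, i.e. LDAP DNs, to the bare group names the Discourse plugin wants, honouring RFC 4514 escapes, and reads them out of a constructed `<saml:AttributeStatement>` with REXML; the group DNs and the `dc=example,dc=com` base are assumptions.

```ruby
require 'rexml/document'

# Constructed sample of the AttributeStatement a UCS IdP sends once memberOf is
# listed in saml/idp/ldap/get_attributes (values are invented for this example).
SAMPLE_ATTRIBUTE_STATEMENT = <<~'XML'
  <saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>cn=Domain Users,cn=groups,dc=example,dc=com</saml:AttributeValue>
      <saml:AttributeValue>cn=forum-admins,cn=groups,dc=example,dc=com</saml:AttributeValue>
      <saml:AttributeValue>cn=Sales\, EMEA,cn=groups,dc=example,dc=com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
XML

# Return the value of a leading "cn=" RDN, decoding RFC 4514 escapes
# ("\," and "\2c" both mean a literal comma). Returns nil when the DN does
# not start with cn=, so non-group DNs are dropped rather than mis-mapped.
def group_name_from_dn(dn)
  m = dn.match(/\A\s*cn=/i)
  return nil unless m
  name = +''
  i = m[0].length
  while i < dn.length
    c = dn[i]
    if c == '\\' && i + 1 < dn.length
      if dn[i + 1, 2] =~ /\A\h\h\z/ # \XX hex escape
        name << dn[i + 1, 2].hex.chr
        i += 3
      else # \, \+ \= \\ and friends: keep the escaped character
        name << dn[i + 1]
        i += 2
      end
    elsif c == ',' || c == '+' # end of the first RDN
      break
    else
      name << c
      i += 1
    end
  end
  name
end

# Collect all values of one SAML attribute (memberOf by default) and map them
# to plain group names; duplicates and non-cn DNs are removed.
def group_names_from_assertion(xml, attr_name = 'memberOf')
  doc = REXML::Document.new(xml)
  ns = { 'saml' => 'urn:oasis:names:tc:SAML:2.0:assertion' }
  path = "//saml:Attribute[@Name='#{attr_name}']/saml:AttributeValue"
  values = REXML::XPath.match(doc, path, ns).map { |v| v.text.to_s }
  values.map { |dn| group_name_from_dn(dn) }.compact.uniq
end
```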

@fbartels has it changed meanwhile and can we get the memberOf LDAP property with OpenID-Connect?

Thank you
