How-to: SSO with logindata that is not in UCS (so far)

Environment

You want to connect to a system that uses login names not previously available in UCS.
Please verify these steps in a test environment before proceeding in production.
Our SAML implementation is the standard SAML 2.0 implementation; the complete original specification can be found here.

Note! Please adapt the naming to your environment.

Necessary steps

Step 1: Set variables

root@ucs:~# eval "$(univention-config-registry shell)"

Step 2: Create the attribute (this stores the external login in the LDAP attribute univentionFreeAttribute8, which Steps 3 and 4 refer to)

root@ucs:~# udm settings/extended_attribute create \
   --position="cn=custom attributes,cn=univention,$ldap_base" \
   --set name=extSystemLogin \
   --set module=users/user \
   --set tabName="externalSystemLogin" \
   --set tabPosition=2 \
   --set ldapMapping="univentionFreeAttribute8" \
   --set objectClass="univentionFreeAttributes" \
   --set longDescription="Login data for my external system" \
   --set shortDescription="external login data" \
   --set CLIName=MySPLogin \
   --set mayChange=1

Step 3: Create the SP Connection

Note! Please read the documentation of your service vendor for any system-specific adaptations that may be necessary.

root@ucs:~# udm saml/serviceprovider create --position "cn=saml-serviceprovider,cn=univention,$ldap_base" \
 --set AssertionConsumerService='https://myservice.intranet/login' \
 --set Identifier='https://saml.myservice.intranet' \
 --set NameIDFormat='urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified' \
 --set attributesNameFormat='None' \
 --set isActivated='TRUE' \
 --set privacypolicyURL='https://trust.myservice.intranet/privacy/' \
 --set rawsimplesamlSPconfig='None' \
 --set serviceProviderMetadata='None' \
 --set serviceProviderOrganizationName='MyService' \
 --set serviceproviderdescription='None' \
 --set signLogouts='TRUE' \
 --set simplesamlAttributes='FALSE' \
 --set simplesamlNameIDAttribute='univentionFreeAttribute8' \
 --set singleLogoutService='None'

Step 4: Add the new attribute to the LdapGetAttributes of the IdP so it is read from LDAP during login

root@ucs:~# udm saml/idpconfig modify --dn "id=default-saml-idp,cn=univention,$ldap_base" --append LdapGetAttributes='univentionFreeAttribute8'

Step 5: Fill the attribute

To add this information to your users you need a CSV file with the username in UCS and the login name in the external system. It should look like this (make sure the header matches the CLIName given in Step 2):

username;MySPLogin
user1;extLoginUser1
user2;extLoginUser2
user3;extLoginUser3

You can then use this tool to import the file:

root@ucs:~# wget https://github.com/univention/udm_import/archive/master.zip
root@ucs:~# unzip master.zip
root@ucs:~# udm_import-master/udm_import users/user modify MyCSV.csv
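Because the value imported here becomes the SAML NameID for the service provider (simplesamlNameIDAttribute in Step 3), every external login must map to exactly one UCS user; a duplicate would let two accounts present the same identity to the external system. The following script is an added example, not part of this how-to or of udm_import, that checks the CSV before you run the import: it verifies the header matches the CLIName from Step 2 (MySPLogin is assumed), rejects empty fields and reports any username or external login listed twice. The sample CSV embedded in it is constructed to show the errors it catches.

```python
"""Validate the Step 5 CSV before handing it to udm_import.

Added example (not part of the how-to or udm_import). Assumes the CSV
layout shown above: ';' separated, header 'username;<CLIName>' where the
CLIName is the one created in Step 2.
"""
import csv
import io
import sys

CLI_NAME = "MySPLogin"  # CLIName from Step 2; adapt to your environment

# Constructed sample input: the last two lines show the errors detected.
SAMPLE_CSV = """username;MySPLogin
user1;extLoginUser1
user2;extLoginUser2
user3;extLoginUser3
user4;extLoginUser2
user2;
"""


def validate_mapping(text, cli_name=CLI_NAME):
    """Return (mapping, errors).

    mapping: dict username -> external login for every clean row.
    errors:  list of human-readable problems; an empty list means the
             file is safe to pass to udm_import.
    """
    rows = list(csv.reader(io.StringIO(text), delimiter=";"))
    errors = []
    if not rows or [c.strip() for c in rows[0]] != ["username", cli_name]:
        errors.append("header must be exactly 'username;%s'" % cli_name)
        return {}, errors

    mapping = {}       # username -> external login
    seen_logins = {}   # external login -> username, to detect NameID collisions
    for lineno, row in enumerate(rows[1:], start=2):
        if not any(row):  # blank line
            continue
        if len(row) != 2:
            errors.append("line %d: expected 2 fields, got %d" % (lineno, len(row)))
            continue
        user, ext = (c.strip() for c in row)
        if not user or not ext:
            errors.append("line %d: empty username or external login" % lineno)
            continue
        if user in mapping:
            errors.append("line %d: username %r listed twice" % (lineno, user))
            continue
        if ext in seen_logins:
            errors.append("line %d: external login %r already mapped to %r"
                          % (lineno, ext, seen_logins[ext]))
            continue
        mapping[user] = ext
        seen_logins[ext] = user
    return mapping, errors


if __name__ == "__main__":
    # Usage: python3 check_csv.py MyCSV.csv   (no argument: run on the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], newline="") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CSV
    mapping, errors = validate_mapping(text)
    for err in errors:
        print("ERROR:", err)
    print("%d clean user mappings" % len(mapping))
    sys.exit(1 if errors else 0)
```

Run it against MyCSV.csv and only start udm_import when it exits with status 0; the strip() on each field also guards against trailing spaces that would otherwise end up in the LDAP attribute and break the NameID match at the service provider.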
