How to SSO with logindata that is not in UCS (so far)
Environment
You want to connect to a system that uses login names not previously available in UCS.
Please verify these steps in a test environment before proceeding in production.
Our SAML implementation is the standard SAML V2 implementation. You can find the complete original specification here.
Note! Please adapt the naming to your environment.
Necessary steps
Step 1: Set variables
root@ucs:~# eval "$(univention-config-registry shell)"
Step 2: Create the attribute
root@ucs:~# udm settings/extended_attribute create \
--position="cn=custom attributes,cn=univention,$ldap_base" \
--set name=extSystemLogin \
--set module=users/user \
--set tabName="externalSystemLogin" \
--set tabPosition=2 \
--set ldapMapping="univentionFreeAttribute8" \
--set objectClass="univentionFreeAttributes" \
--set longDescription="Login data for my external system" \
--set shortDescription="external login data" \
--set CLIName=MySPLogin \
--set mayChange=1
Step 3: Create the SP Connection
Note! Please read the documentation of your service vendor for any necessary system-specific adaptations.
root@ucs:~# udm saml/serviceprovider create --position cn=saml-serviceprovider,cn=univention,dc=reiherwald,dc=intranet \
--set AssertionConsumerService='https://myservice.intranet/login' \
--set Identifier='https://saml.myservice.intranet' \
--set NameIDFormat='urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified' \
--set attributesNameFormat='None' \
--set isActivated='TRUE' \
--set privacypolicyURL='https://trust.myservice.intranet/privacy/' \
--set rawsimplesamlSPconfig='None' \
--set serviceProviderMetadata='None' \
--set serviceProviderOrganizationName='MyService' \
--set serviceproviderdescription='None' \
--set signLogouts='TRUE' \
--set simplesamlAttributes='FALSE' \
--set simplesamlNameIDAttribute='univentionFreeAttribute8' \
--set singleLogoutService='None'
Step 4: Append the new attribute to the LdapGetAttributes of the IdP
root@ucs:~# udm saml/idpconfig modify --dn id=default-saml-idp,cn=univention,dc=reiherwald,dc=intranet --append LdapGetAttributes='univentionFreeAttribute8'
Step 5: Filling the attribute
To add this information to your users you need a CSV file with the username in UCS and the login name in the external system. It should look like this (make sure the header matches the CLIName given in Step 2):
username;MySPLogin
user1;extLoginUser1
user2;extLoginUser2
user3;extLoginUser3
You can then use this tool:
root@ucs:~# wget https://github.com/univention/udm_import/archive/master.zip
root@ucs:~# unzip master.zip
root@ucs:~# udm_import-master/udm_import users/user modify MyCSV.csv
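The following script is an added example and is not part of the original article or of the udm_import tool: it checks the Step 5 CSV (header matching the CLIName from Step 2, no empty fields, no duplicate usernames, CRLF tolerated) before anything is imported, and prints the equivalent per-user udm modify commands as a dry run. The attribute name MySPLogin is the one chosen in Step 2; the sample rows are constructed.

```shell
#!/bin/sh
# Added example, not part of the original article or the udm_import tool:
# sanity-check the Step 5 CSV before importing it, then print the equivalent
# per-user 'udm users/user modify' commands as a dry run. The CLIName
# MySPLogin is the one created in Step 2 above.

# check_csv FILE CLINAME: header must be "username;CLINAME", every row must
# have exactly two non-empty fields, and no username may appear twice.
check_csv() {
    file="$1"; cliname="$2"; rc=0
    header=$(head -n 1 "$file" | tr -d '\r')      # tolerate CRLF from Excel
    if [ "$header" != "username;$cliname" ]; then
        echo "header '$header' does not match 'username;$cliname'" >&2
        return 1
    fi
    bad=$(tail -n +2 "$file" | tr -d '\r' |
          awk -F';' 'NF != 2 || $1 == "" || $2 == "" { print NR + 1 ": " $0 }')
    if [ -n "$bad" ]; then
        printf 'malformed rows:\n%s\n' "$bad" >&2; rc=1
    fi
    dups=$(tail -n +2 "$file" | tr -d '\r' | cut -d';' -f1 | sort | uniq -d)
    if [ -n "$dups" ]; then
        printf 'duplicate usernames:\n%s\n' "$dups" >&2; rc=1
    fi
    return $rc
}

# user_dn UID: look up the DN of a user from the 'DN: ...' line of udm list
user_dn() {
    udm users/user list --filter "uid=$1" | sed -n 's/^DN: //p'
}

# udm_commands FILE CLINAME: one modify command per valid row (printed, not run)
udm_commands() {
    tail -n +2 "$1" | tr -d '\r' | awk -F';' -v attr="$2" \
        'NF == 2 && $1 != "" && $2 != "" {
            printf "udm users/user modify --dn \"$(user_dn %s)\" --set %s=%s\n",
                   $1, attr, $2 }'
}

# constructed sample in the Step 5 layout
SAMPLE_CSV=$(mktemp)
printf 'username;MySPLogin\nuser1;extLoginUser1\nuser2;extLoginUser2\nuser3;extLoginUser3\n' > "$SAMPLE_CSV"

if check_csv "$SAMPLE_CSV" MySPLogin; then
    udm_commands "$SAMPLE_CSV" MySPLogin   # review the output, then pipe it to sh
fi
```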