Implement SAML SSO in RocketChat Univention UCS Server

saml
rocketchat
ucs
sso

#1

I am working with a Univention UCS server and I had installed the Univention RocketChat app. Everything was quite good until I planned to use SAML Single Sign-On with UCS, as I had already done for Nextcloud by following this article. I understand that there is related general SAML documentation available here, but that doesn't help much for me, as things are different on a Univention UCS server, so I am looking for documentation which explains how to do this, as is done here for Nextcloud.

I also see that the SingleSignOnService entry is missing in my {FQDN}/univention/saml/metadata, but there is an entry for SingleLogoutService. As per the Rocket.Chat documentation, they ask us to use the SingleSignOnService entry as the custom entry point. As I am missing this entry in my univention/saml/metadata, I guess this is a problem with the UCS SSO configuration.

I am seeing the SingleSignOnService in https://{FQDN}/simplesamlphp/saml2/idp/metadata.php but not in https://{FQDN}/univention/saml/metadata.

Can you please tell me how we configure SSO in UCS? I followed this article; is this the right one?

Server Setup Information:

  • Version of Rocket.Chat Server: 1.0.2
  • Operating System: Linux, UCS (4.4-0 errata0 (Blumenthal))
  • Number of Running Instances: 1
  • NodeJS Version: v8.11.4
  • MongoDB Version: 3.6.12

#2

You are throwing together several different services. UCS offers SAML identity provider services using simplesamlphp, which is connected to our identity management. You want your services to authenticate against that IdP; please refer to our documentation on how to add new services to the UCS IdP.

What can be found at https://{FQDN}/univention/saml/metadata is the metadata from our management console, which acts as a SAML service provider.

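The two URLs compared in the question serve different SAML roles, which is why one advertises a SingleSignOnService endpoint and the other does not: IdP metadata carries an IDPSSODescriptor with SingleSignOnService, while SP metadata carries an SPSSODescriptor with AssertionConsumerService (both may list SingleLogoutService). The following Python script is an added example, not code from this thread, from Univention or from Rocket.Chat. It parses a SAML metadata document and reports which role it describes and which endpoints it advertises; the two metadata documents embedded in it are constructed samples with placeholder hostnames, not real UCS output.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}

# Constructed sample: IdP metadata in the shape simplesamlphp publishes it
# (placeholder host, not a real deployment).
IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/simplesamlphp/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/simplesamlphp/saml2/idp/SingleLogoutService.php"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/simplesamlphp/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample: SP metadata of a web application (placeholder host).
SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/univention/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.test/univention/saml/slo/"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/univention/saml/" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _endpoints(role_el, tag):
    """Return (short binding name, Location) pairs for every element named `tag`."""
    return [
        (e.get("Binding", "").rsplit(":", 1)[-1], e.get("Location"))
        for e in role_el.findall(tag, NS)
    ]


def describe_metadata(xml_text: str) -> dict:
    """Classify a SAML EntityDescriptor as IdP and/or SP and list its endpoints."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("document is not a SAML EntityDescriptor")
    info = {"entity_id": root.get("entityID"), "roles": [], "sso": [], "slo": [], "acs": []}
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is not None:
        info["roles"].append("IdP")
        info["sso"] = _endpoints(idp, "md:SingleSignOnService")
        info["slo"] += _endpoints(idp, "md:SingleLogoutService")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is not None:
        info["roles"].append("SP")
        info["acs"] = _endpoints(sp, "md:AssertionConsumerService")
        info["slo"] += _endpoints(sp, "md:SingleLogoutService")
    return info


def sso_entry_point(info: dict, binding: str = "HTTP-Redirect"):
    """The SingleSignOnService URL for `binding`, or None if the document is not IdP metadata
    (or the IdP does not offer that binding)."""
    for b, location in info["sso"]:
        if b == binding:
            return location
    return None


if __name__ == "__main__":
    for label, doc in (("IdP metadata", IDP_METADATA), ("SP metadata", SP_METADATA)):
        info = describe_metadata(doc)
        print(f"{label}: entityID={info['entity_id']} roles={info['roles']}")
        print(f"  SingleSignOnService entry point: {sso_entry_point(info)}")
        print(f"  SingleLogoutService: {info['slo']}")
        print(f"  AssertionConsumerService: {info['acs']}")
```

Run against the real documents, the script would show that only the simplesamlphp IdP metadata yields an entry point, which is the value a service provider's "custom entry point" setting expects; an SP metadata document returns None there by design rather than a misleading fallback.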

#3

Thanks for your response. I had done the SSO with UCS and Nextcloud, that is, when I go to /nextcloud I get a UCS login page, and once I log in there I am actually logged in to both UCS and Nextcloud. Now I just need to make sure that I am logged in to RocketChat as well as part of this implementation; I am not sure how to do that. With Nextcloud it was easy, as it was well documented here. How can I do it with RocketChat?


#4

I do not know of any nice blog article describing the rocketchat SAML setup like the nextcloud article you mentioned.

The rocketchat simplesamlphp setup guide you linked above looks like a very good starting point. But it seems like they expect some attribute names to be mapped from their LDAP schema name to rocketchat-specific ones (e.g. mailPrimaryAddress -> email). So one would have to manually create the rocketchat service config php and register it, as we do it in our office365 connector.

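The attribute renaming mentioned above (LDAP schema names on the IdP side, service-specific names on the SP side) is the step that most often leaves users created without an e-mail address or rejected outright. The Python below is an added example written for this thread; it is not the simplesamlphp service config, not Univention's connector and not Rocket.Chat code. It models the mapping over an AttributeStatement so the effect can be checked before touching the real configuration. Only mailPrimaryAddress -> email comes from the thread; the uid and displayName entries, the list of required target names, and both assertion fragments are constructed assumptions.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# mailPrimaryAddress -> email is the mapping named in the thread; the other two
# entries and the required target names are assumptions made for this example.
ATTRIBUTE_MAP = {
    "mailPrimaryAddress": "email",
    "uid": "username",
    "displayName": "name",
}
REQUIRED_TARGETS = ("email", "username")

# Constructed sample assertion fragment carrying LDAP-style attribute names.
ASSERTION_OK = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mailPrimaryAddress">
      <saml:AttributeValue>jdoe@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>cn=staff,dc=example,dc=test</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Constructed sample where the IdP did not release the mail attribute at all.
ASSERTION_NO_MAIL = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-2" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_attributes(assertion_xml: str) -> dict:
    """Collect Attribute Name -> [values] from every AttributeStatement in the assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def map_attributes(raw: dict, mapping=ATTRIBUTE_MAP, required=REQUIRED_TARGETS):
    """Rename IdP attribute names to the names the service expects.

    Returns (mapped, missing): `mapped` holds only attributes with a mapping entry
    (anything else, e.g. memberOf, is dropped rather than passed through), and
    `missing` lists required target names the assertion could not supply, so the
    caller can refuse the login instead of creating a half-populated account."""
    mapped = {}
    for source_name, values in raw.items():
        target = mapping.get(source_name)
        if target is None or not values:
            continue
        mapped[target] = values[0]  # these attributes are treated as single-valued
    missing = [name for name in required if name not in mapped]
    return mapped, missing


if __name__ == "__main__":
    for label, doc in (("complete", ASSERTION_OK), ("mail not released", ASSERTION_NO_MAIL)):
        mapped, missing = map_attributes(extract_attributes(doc))
        print(f"{label}: mapped={mapped} missing={missing}")
```

The useful property here is the explicit `missing` list: an assertion that lacks a required attribute is reported as incomplete rather than silently accepted, which is the behaviour to look for when comparing what the IdP actually releases with what the service configuration assumes.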

#5

I was just told the latest Rocket.Chat app on UCS ships with some kind of SAML config already available. I cannot say what has to be done to enable it and adapt it to your requirements; I did not have a look at it.


#6

Yes, it creates a SAML configuration, but it is created with the internal ucs-sso domain. As I am using an external DNS, I had to configure my external SSO and create a new SAML provider with the external DNS.