Implicit Login Flow, SSO with RocketChat and Nextcloud

Thanks a lot for the response. I just tried the version you had mentioned. But I am still getting the error 404 when I visit /.well-known/openid-configuration/ and the docker container status is unhealthy.

790ab149e731 docker.software-univention.de/openid-connect-provider:0.7 "docker-entrypoint..." 2 minutes ago Up About a minute (unhealthy)

You had the development version installed, so it may well be that there are remains from additional features planned in the next release, e.g. modified apache2 configs; cleanup may not be thorough when uninstalling the development version.

Maybe something already installed or configured on your system or a setting in your cloud environment is causing the problem. I guess the other apps installed on your system are from the test app center as well?
I just installed the app on a test system and can get the metadata via browser or by executing either

curl -k http://localhost/.well-known/openid-configuration
curl -k https://localhost/.well-known/openid-configuration

Thanks a lot. Surprisingly, I am getting a response when I do curl http://localhost/.well-known/openid-configuration but I get 404 when I do https://samplesite.northeurope.cloudapp.azure.com/.well-known/openid-configuration/. Can you please help me figure out the reason? Thanks in advance.

Note: Yes, we are using the test app center as our applications are still in the testing phase.

Finally I was able to get it working. Restarting the web service after installing the 0.7-beta version fixed the issue, it seems.

univention-app install openid-connect-provider=0.7-beta
systemctl restart apache2

@damrose Thanks for your help; now I am facing a different issue. The GET call to .well-known/openid-configuration returns the issuer and other details as something like https://ucs-8280.test.intranet, and I want to change it to my actual VM DNS, something like https://mysite-dev.northeurope.cloudapp.azure.com/, so that I will be able to implement the implicit login. How can I change this? Thanks in advance.

In your screenshot it says "healthy".

Now it is again showing unhealthy, but the application works fine. All I want now is to do the changes as I mentioned in the previous message.

(screenshot)

@fbartels @damrose Is there any way to change this https://ucs-8280.test.intranet to https://mysite-dev.northeurope.cloudapp.azure.com? Because of this I am getting an error when I try to implement the implicit login.

(screenshot 2019-05-24_9-12-56)

But after manually changing the URL to my DNS name I am able to load the implicit login page.

(screenshot 2019-05-24_9-13-56)

Any help is really appreciated.

At the moment the startup command in the app is hardcoded to ARGS=--iss=https://@%@hostname@%@.@%@domainname@%@ --identifier-registration-conf /etc/kopano/identifier-registration.yaml --identifier-client-path ./identifier-univention --log-level debug ldap

I don’t think the app offers a possibility to change this at the moment.

Thanks for your response. What I am trying to achieve is: from my localhost I get the values from .well-known/openid-configuration and use those values to perform sign-in. So are you saying that the OpenID Connect Provider application cannot be used for this purpose?

No, what I am saying is that for OpenID Connect to work your Provider needs to know its FQDN. On the UCS system this is assumed to be @%@hostname@%@.@%@domainname@%@ (so a combination of the hostname and the configured domain name). When the actual external FQDN is different from the internal one, this will break.

A solution would be to either:

  • make this value configurable
  • use the same FQDN internally as externally (which I would expect to actually be the case for most deployments)
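As an added example (not code from this thread or from the app), here is a small Python check, following OpenID Connect Discovery 1.0, that a client can run over a discovery document to catch exactly the mismatch described above before trusting the provider: the issuer must equal the URL the document was fetched from, minus the well-known suffix, and the advertised endpoints must live on that same host. The sample document is constructed from the names in the thread; the endpoint paths are placeholders, not the app's real ones.

```python
import json
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed sample, modelled on the thread: the provider announces its
# internal UCS name while clients reach it by an external DNS name.
# Endpoint paths are placeholders, not the real app's.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://ucs-8280.test.intranet",
    "authorization_endpoint": "https://ucs-8280.test.intranet/oidc/authorize",
    "token_endpoint": "https://ucs-8280.test.intranet/oidc/token",
    "jwks_uri": "https://ucs-8280.test.intranet/oidc/jwks",
    "response_types_supported": ["code", "id_token", "id_token token"],
})


def expected_issuer(discovery_url):
    """OIDC Discovery 1.0 section 4.3: the issuer value must equal the
    discovery URL with the well-known suffix removed. Returns None when the
    URL does not end with that exact suffix (e.g. has a trailing slash)."""
    if not discovery_url.endswith(WELL_KNOWN):
        return None
    return discovery_url[:-len(WELL_KNOWN)]


def check_discovery(discovery_url, document):
    """Return a list of findings; an empty list means a conforming client
    can use this document when fetched from discovery_url."""
    issuer = expected_issuer(discovery_url)
    if issuer is None:
        return ["discovery URL must end with " + WELL_KNOWN]
    doc = json.loads(document)
    findings = []
    if doc.get("issuer") != issuer:
        findings.append("issuer mismatch: document says %r, client expects %r"
                        % (doc.get("issuer"), issuer))
    external_host = urlparse(issuer).netloc
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(key)
        if value is None:
            findings.append("missing field " + key)
        elif urlparse(value).netloc != external_host:
            # The client would be redirected to a host it cannot resolve.
            findings.append("%s host %s differs from %s"
                            % (key, urlparse(value).netloc, external_host))
    return findings
```

The same document passes when fetched under its internal name, which is why the check only fails once the external FQDN differs from the one the app was built with.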

Thanks for the response. As I am not proficient enough with UCS, I have no idea how to achieve this. Can you please help me understand how to do this?

The first thing would be something that needs improvement in the app. For the second, I am also not deep enough into UCS, but a search on this forum seems to bring up that changing the domain is not trivial and therefore not recommended (I found Changing HOSTNAME on UCS).

FYI, there is a feature request to make this configurable with the next app update. I have no quick workaround right now. Maybe changing/overwriting the --iss setting in the container's docker-entrypoint.sh script will work.


@fbartels @damrose Thanks a lot for your responses. Do you have any idea how I can change the iss setting of the docker container 93473e77b5c1 docker.software-univention.de/openid-connect-provider:0.7?

@fbartels @damrose Thanks a lot for all of your help. I understand that using OpenID Connect is not a good idea for now with my requirement. How about using the HTTP auth API? As I mentioned in my actual (first) post in this thread, this API returns only very limited information, as below.

{"status": 200, "result": {"username": "Administrator"}, "message": null, "options": null}

How can I get the authentication details with tokens using this API?

The UMC API is built just for that use case: authenticating users against the UCS identity management to interact with the UCS-UMC-UDM backend. The token you get will be valid to authenticate against the UMC webserver for further operations. You can of course use it to authenticate users that log into your application, but an LDAP bind would be more efficient in my opinion.

In your first post you mentioned using SSO - the UMC HTTP API is not designed to manage SSO sessions, and uses no standard protocol to do so.

As was pointed out in this thread already, SSO on UCS can be achieved with OpenID Connect or SAML.

Thanks for your response. Achieving SSO is not possible in my case because it is not possible with an external domain. Do we have any document which explains how to achieve this using SAML?

Please check the following article, I think it describes how to set up your scenario: https://help.univention.com/t//6681

I just saw that the issue with OpenID has been fixed here. Does it mean that I will be able to share the token I get from UCS with Nextcloud and RocketChat? Will the token be valid for the applications I use in UCS?
