Modern Authentication and Authorization (SAML, OIDC, Oauth..)

UCS - Univention Corporate Server
#1

Hex Univention,

I really love your UCS Server but I miss some things in your Single-Sign-on approach.

#1 SAML has missing the part of SimpleSAML ldap:AttributeAddUsersGroups to list users Groupmemberships in the claim for authorization at the RP.

#2 Your OpenIDConnector misses the possiblity to login with kerberos-SSO like SAML-Plugin does at UCS.

#3 Where can I managed authorization Attributes at the OIDC-Connector in LDAP?

#4 Please build more SSO-Connectors like Oauth2.

kind regards phiku

1 Like
#2

OpenID Connect is an extension on top of Oauth2, so if you have an app that supports login with Oauth2 you can already use the OpenID Provider for that.

#3

Yes, of course you’re absolutly right. OIDC is an extension of OAuth2 but I need a Version2 Metadata at the well-know site like this “https://FQDN/konnect/v2/token” an so on.

#4

That v1 specifies the version of the Konnect api, rather than the version of Oauth.

Its probably easier if you specify the rfc that you need to be supported or specify the application you want to login to.

#5

I would like to login in a OIDC client written for IBM wehsphere and so the path is pre-filled like this:
https://server.example.com:443/oidc/endpoint/<provider_name>/
So it is not possible to fill in https://server.example.com/konnect/v1/…

Well, I think It’s a more a problem of this special Client an not your OIDC Provider.

But another question is: How can I pass LDAP-attributes like memberOf to the OIDC RP from your Provider?

Thanks for Help

#6

I have created https://jira.kopano.io/browse/KK-2 to follow this up. For us this is no priority though, but outside contributions are welcome! (for example through Github at https://github.com/Kopano-dev/konnect)

Theoretically speaking. shouldn’t it be enough to add some more local proxies to your webserver, so that it internally redirects oidc/endpoint/provider_name/ to konnect/v1/ ?

This was your #3 in the initial post, correct? At the moment this is not possible. You can see the available values for example in https://github.com/Kopano-dev/konnect/blob/master/cmd/konnectd/bootstrap_ldap.go#L53 and https://github.com/Kopano-dev/konnect/blob/master/README.md#ldap-backend

Discourse forum SSO with UCS
#7

Using a reverse proxy for chaning the path is a good idea. I 'll look into this.

Thank you very much for open a topic at jira and github. It helped me a lot to understand the problem.

kind regrds, phiku

Mastodon