phiku
March 27, 2019, 9:17am
Hey Univention,
I really love your UCS Server but I miss some things in your Single-Sign-on approach.
#1 SAML is missing the SimpleSAML ldap:AttributeAddUsersGroups part to list users' group memberships in the claim for authorization at the RP.
#2 Your OpenID Connector misses the possibility to log in with Kerberos SSO like the SAML plugin does at UCS.
#3 Where can I manage authorization attributes at the OIDC connector in LDAP?
#4 Please build more SSO-Connectors like Oauth2.
Kind regards, phiku
OpenID Connect is an extension on top of OAuth2, so if you have an app that supports login with OAuth2 you can already use the OpenID Provider for that.
phiku
March 27, 2019, 12:32pm
Yes, of course you're absolutely right. OIDC is an extension of OAuth2, but I need a Version2 Metadata at the well-known site like this "https://FQDN/konnect/v2/token" and so on.
phiku:
a Version2 Metadata
That v1 specifies the version of the Konnect API, rather than the version of OAuth.
It's probably easier if you specify the RFC that you need to be supported or specify the application you want to log in to.
phiku
March 28, 2019, 10:10am
I would like to log in to an OIDC client written for IBM WebSphere, and so the path is pre-filled like this:
https://server.example.com:443/oidc/endpoint/ <provider_name>/
So it is not possible to fill in https://server.example.com/konnect/v1/ …
Well, I think it's more a problem of this special client and not your OIDC provider.
But another question is: How can I pass LDAP attributes like memberOf to the OIDC RP from your provider?
Thanks for the help
I have created https://jira.kopano.io/browse/KK-2 to follow this up. For us this is no priority though, but outside contributions are welcome! (for example through GitHub at https://github.com/Kopano-dev/konnect )
Theoretically speaking, shouldn't it be enough to add some more local proxies to your webserver, so that it internally redirects oidc/endpoint/provider_name/ to konnect/v1/ ?
This was your #3 in the initial post, correct? At the moment this is not possible. You can see the available values for example in https://github.com/Kopano-dev/konnect/blob/master/cmd/konnectd/bootstrap_ldap.go#L53 and https://github.com/Kopano-dev/konnect/blob/master/README.md
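One way to do the path mapping suggested above on a UCS host, as an added example that is not from the thread and not Kopano's or Univention's own configuration. It assumes Apache 2.4 with mod_proxy and mod_proxy_http loaded, that Konnect is reachable from the web server at http://127.0.0.1:8777 (a placeholder; use the address your konnectd actually listens on), and that "konnect" is the <provider_name> the WebSphere client fills into its fixed https://server.example.com:443/oidc/endpoint/<provider_name>/ prefix. The mapping has to be a reverse proxy (ProxyPass), not an HTTP redirect, because the client expects the discovery document, token and userinfo responses to be served under its own prefix.

```apache
# Added example (not Kopano/Univention config). Drop into the existing
# port-443 vhost on the UCS server, e.g. under /etc/apache2/sites-enabled/.
# Requires: a2enmod proxy proxy_http
<IfModule mod_proxy.c>
    # Keep the client's Host header so Konnect sees the external FQDN.
    ProxyPreserveHost On

    # Map the client's fixed prefix onto Konnect's real API path.
    # 127.0.0.1:8777 is a placeholder for the internal konnectd listener.
    ProxyPass        "/oidc/endpoint/konnect/" "http://127.0.0.1:8777/konnect/v1/"
    ProxyPassReverse "/oidc/endpoint/konnect/" "http://127.0.0.1:8777/konnect/v1/"

    # Only the proxied prefix is exposed; nothing else from the backend.
    <Location "/oidc/endpoint/konnect/">
        Require all granted
    </Location>
</IfModule>
```

Caveat a practitioner should check before relying on this: an OIDC client validates that the "issuer" value in the discovery document and the "iss" claim in the ID token equal the issuer URL it was configured with. If Konnect keeps advertising its native issuer (the /konnect/v1/ form) while the client was pointed at the /oidc/endpoint/konnect/ form, the client will reject the provider with an issuer mismatch, so the issuer identifier Konnect is configured with has to match the externally visible URL, or the client has to accept the native one. The redirect URI registered for the client must likewise match what the proxied client actually sends.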
phiku
March 28, 2019, 2:54pm
Using a reverse proxy for changing the path is a good idea. I'll look into this.
Thank you very much for opening a topic at Jira and GitHub. It helped me a lot to understand the problem.
Kind regards, phiku