SAML IdP: Pass nested group memberships as attributes

openldap
saml
ucs-4-3

#1

Hi there,

I’d like to pass “nested” group memberships of users to SAML service providers as attributes in SAML responses.

Say user U is member of group G1, but not directly of group G2. G1 is member of G2.

The package “univention-ldap-overlay-memberof” only passes G1 in the memberOf attribute for U but the SP needs the indirect membership in G2 as well.

SimpleSAMLphp offers the processing filter ldap:AttributeAddUsersGroups which provides this functionality. Unfortunately this filter does not seem to work in UCS: if I add it to the configuration, I get the following error:

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

Backtrace:
0 /usr/share/simplesamlphp/www/module.php:180 (N/A)
Caused by: SimpleSAML_Error_Exception: ldap:AttributeAddUsersGroups : Authsource [univention-ldap] specified in filter parameters is not an ldap:LDAP type
Backtrace:
9 /usr/share/simplesamlphp/modules/ldap/lib/Auth/Process/BaseFilter.php:130 (sspmod_ldap_Auth_Process_BaseFilter::__construct)
8 /usr/share/simplesamlphp/lib/SimpleSAML/Auth/ProcessingChain.php:154 (SimpleSAML_Auth_ProcessingChain::parseFilter)
7 /usr/share/simplesamlphp/lib/SimpleSAML/Auth/ProcessingChain.php:130 (SimpleSAML_Auth_ProcessingChain::parseFilterList)
6 /usr/share/simplesamlphp/lib/SimpleSAML/Auth/ProcessingChain.php:58 (SimpleSAML_Auth_ProcessingChain::__construct)
5 /usr/share/simplesamlphp/lib/SimpleSAML/IdP.php:325 (SimpleSAML_IdP::postAuth)
4 /usr/share/simplesamlphp/lib/SimpleSAML/Auth/Source.php:229 (SimpleSAML_Auth_Source::loginCompleted)
3 /usr/share/simplesamlphp/lib/SimpleSAML/Auth/Source.php:145 (SimpleSAML_Auth_Source::completeAuth)
2 /usr/share/simplesamlphp/modules/core/lib/Auth/UserPassBase.php:266 (sspmod_core_Auth_UserPassBase::handleLogin)
1 /usr/share/simplesamlphp/modules/core/www/loginuserpass.php:67 (require)
0 /usr/share/simplesamlphp/www/module.php:137 (N/A)

The reason for that is that the UCS LDAP authentication source uses the notation ‘uldap:uLDAP’ instead of the standard ‘ldap:LDAP’. This type is asserted in simplesamlphp/modules/ldap/lib/Auth/Process/BaseFilter.php. Removing the assertion in the source code fixes this issue, but I don’t consider this a good idea.

Is there a way to use ‘ldap:AttributeAddUsersGroups’ without changing the SimpleSAMLphp source code, or is there another way to pass “nested” group memberships to the SP?

Best regards,
Greulich
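As an added example (not code from the original post, from Univention or from SimpleSAMLphp), this is the expansion the post wants the SP to receive: starting from the direct-only memberOf values the overlay reports, every indirectly reachable group is collected, with a visited set so that cyclically nested groups do not loop. The directory content and the `direct_groups_of` lookup are constructed for the demonstration; in a real filter the lookup would be an LDAP query.

```python
"""Expand direct LDAP group memberships (as the memberof overlay reports
them) into the full set of nested memberships.

Added example, not code from the original post or from Univention.
The directory content below is constructed; ``direct_groups_of`` stands
in for an LDAP lookup of the memberOf attribute.
"""
from collections import deque

# Constructed sample: memberOf attribute of each entry, keyed by lower-cased DN.
# Mirrors the post: U is a direct member of G1 only, and G1 is a member of G2.
# G3 is nested back into G1 to show that a cycle must not hang the expansion.
MEMBER_OF = {
    "uid=u,cn=users,dc=example,dc=com": ["cn=g1,cn=groups,dc=example,dc=com"],
    "cn=g1,cn=groups,dc=example,dc=com": ["cn=g2,cn=groups,dc=example,dc=com"],
    "cn=g2,cn=groups,dc=example,dc=com": ["cn=g3,cn=groups,dc=example,dc=com"],
    "cn=g3,cn=groups,dc=example,dc=com": ["cn=g1,cn=groups,dc=example,dc=com"],
}


def direct_groups_of(dn, directory=MEMBER_OF):
    """Direct memberships only, exactly what the memberof overlay returns."""
    return directory.get(dn.lower(), [])


def nested_groups_of(dn, lookup=direct_groups_of):
    """Breadth-first walk over memberOf; returns every group reachable from
    ``dn`` in discovery order. DNs are compared case-insensitively and each
    group is visited once, so cyclic nesting terminates."""
    seen = set()
    order = []
    queue = deque(lookup(dn))
    while queue:
        group = queue.popleft()
        key = group.lower()
        if key in seen:
            continue
        seen.add(key)
        order.append(group)
        queue.extend(lookup(group))
    return order


if __name__ == "__main__":
    # U ends up in G1, G2 and G3, although memberOf lists only G1.
    for group in nested_groups_of("uid=u,cn=users,dc=example,dc=com"):
        print(group)
```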