UCS SAML: Additional data from LDAP

saml

#1

Hello,

I am currently trying to integrate some application with the SAML IdP from UCS. It is working perfectly for login e.g. for Jenkins.
My question is: It would be perfect to supply additional information in the SAML response to the application. Jenkins is able to retrieve email, displayName and groups from the SAML response. Simplesamlphp supports this, too (see https://simplesamlphp.org/docs/stable/ldap:ldap). Is it possible to integrate this functionality into UCS?

Thanks, Sven


#2

Hello,

it is possible to transmit additional user attributes to the service provider, please have a look at the documentation. I will outline the required steps here. First, the SAML IdP has to be allowed to read these attributes from LDAP by adding them to the UCR variable saml/idp/ldap/get_attributes. Then, the attributes have to be added to the List of LDAP attributes to transmit in the UMC service provider definition.


#3

Hello damrose,

thanks for the information, my blindness simply did not let me see the advanced options. For user attributes this works perfectly! But I don’t see a possibility to supply group information. Since the UCS LDAP model does not have a memberOf relation, it is not possible with the current approach. As seen on the SimpleSAMLphp website, it is possible with the ldap:AttributeAddUsersGroups filter, but I assume it is not implemented…

Regards, Sven


#4

It's clear that it is not implemented? We need this definitively.


#5

You could use the memberOf overlay module:
https://help.univention.com/t/memberof-attribute-group-memberships-of-user-and-computer-objects/6439
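Added illustration of the gap raised in #3 and the fix suggested in #5 (not code from the thread or from Univention): when the directory has no memberOf attribute, a user's groups have to be found by searching group objects for the user's DN, which is what the memberOf overlay precomputes on the user entry and what the SimpleSAMLphp ldap:AttributeAddUsersGroups filter does at login. The directory snapshot, DNs and names below are constructed.

```python
# Added example (not from the forum thread or from Univention): resolving a
# user's groups by searching group objects, as the memberOf overlay or the
# SimpleSAMLphp ldap:AttributeAddUsersGroups filter does, when the directory
# itself carries no memberOf attribute. All entries below are constructed.
from typing import Dict, List, Set

# Constructed directory snapshot: group DN -> member DNs (uniqueMember values).
# Groups may contain other groups (nested membership), as UCS allows.
GROUPS: Dict[str, List[str]] = {
    "cn=Domain Users,cn=groups,dc=example,dc=org": [
        "uid=sven,cn=users,dc=example,dc=org",
        "uid=damrose,cn=users,dc=example,dc=org",
    ],
    "cn=jenkins-admins,cn=groups,dc=example,dc=org": [
        "uid=sven,cn=users,dc=example,dc=org",
    ],
    "cn=ci-operators,cn=groups,dc=example,dc=org": [
        "cn=jenkins-admins,cn=groups,dc=example,dc=org",  # nested group
    ],
    "cn=everyone,cn=groups,dc=example,dc=org": [
        "cn=ci-operators,cn=groups,dc=example,dc=org",
        "cn=everyone,cn=groups,dc=example,dc=org",  # self-reference: must not loop
    ],
}


def direct_groups(member_dn: str, groups: Dict[str, List[str]]) -> Set[str]:
    """Groups listing member_dn directly (the (uniqueMember=<dn>) search)."""
    return {g for g, members in groups.items() if member_dn in members}


def user_groups(user_dn: str, groups: Dict[str, List[str]], nested: bool = True) -> List[str]:
    """All group DNs the user belongs to; with nested=True, transitively.
    A visited set guards against group cycles, which LDAP does not forbid."""
    found: Set[str] = set()
    pending = [user_dn]
    while pending:
        dn = pending.pop()
        for g in direct_groups(dn, groups):
            if g not in found:
                found.add(g)
                if nested:
                    pending.append(g)  # walk up to groups containing this group
    return sorted(found)


def group_names(group_dns: List[str]) -> List[str]:
    """Reduce DNs to the cn values an SP such as Jenkins matches roles against."""
    return [dn.split(",", 1)[0].split("=", 1)[1] for dn in group_dns]
```

With the memberOf overlay from #5 in place, the same list is already stored on the user entry and only needs to be added to saml/idp/ldap/get_attributes and to the service provider's attribute list.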