Cool Solution - SAML IdP in the DMZ
From Univention Wiki
- 1 Introduction and prerequisites
- 2 UCS in the DMZ
- 3 Services to Deactivate
- 4 Samba 4
- 5 Available Ports
- 6 Apache Configuration
- 7 Further information and known limitations
Introduction and prerequisites
SAML is becoming the default mechanism for authenticating web services against a central Identity and Access Management system. UCS includes a SAML Identity Provider by default. However, if you want your users to access these services from outside your network, you will need to make the SAML IdP reachable from the outside.
The UCS SAML IdP is only available on DC Master and DC Backup hosts. For the steps documented here the server role has to be DC Backup. After applying them, the instance can no longer be used as a fallback for the DC Master during a "backup2master".
This article describes only the hardening, not possible adjustments to the DNS and SSL/PKI setup. You can find additional information on that topic in this Support Database Post.
UCS in the DMZ
Please follow the general guide on UCS reachable from the Internet. Please ignore the section on the UMC. We will deal with it separately.
Services to Deactivate
UCS comes with some services preinstalled. If you start out with a single-server environment, this is convenient. However, you do not want all of them running in your DMZ, so we recommend deactivating the following:
|Service|UCR command|
|---|---|
|Docker|ucr set docker/autostart=false|
|inetd|ucr set inetd/autostart=false|
|NFS|ucr set nfs/autostart=false|
|NTP Server|ucr set ntp/autostart=false|
|Portmap daemon|ucr set portmap/autostart=false|
Please reboot the server afterward, to ensure all services have read the appropriate settings.
Samba 4
If you use Samba 4 for your internal domain, we do not recommend installing it in the DMZ. The server does, however, need access to at least the Samba 4 instance on the UCS Master.
Available Ports
SAML works over HTTPS. You will need to open the HTTPS port to the outside to reach the SAML IdP. Please configure your firewall accordingly. No other ports should be made available from the outside.
Apache Configuration
Besides making only HTTPS port 443 available, it also makes sense to force the use of HTTPS in the Apache configuration. If (internal) connections to the server are opened over HTTP, they are redirected to HTTPS.
The following UCR variable forces HTTPS:
ucr set apache2/force_https=true
Afterward, restart the apache web server.
systemctl restart apache2.service
Disable non-SAML web services
UCS offers three web services by default: the Management Console, the portal page, and SAML. For external availability, you want to restrict this to providing only SAML. Please note that you will not be able to administer the server from the web interface anymore once these steps are completed. Therefore you should not execute them on a DC Master or your primary DC Backup.
First, disable the additional sites in the Apache configuration:
a2dissite 000-default.conf
a2dissite default-ssl.conf
a2dissite univention.conf
a2dissite univention-portal.conf
a2dissite univention-server-overview.conf
As these sites are default components of UCS, they might be re-enabled during updates (Errata or Release Updates), so please check them after every update.
Afterward, reload the apache web server configuration:
systemctl reload apache2
Next, stop the management console services:
systemctl stop univention-management-console-server
systemctl stop univention-management-console-web-server
Finally, disable their autostart:
ucr set umc/http/autostart=no
ucr set umc/server/autostart=no
Change default page
As the now deactivated portal is the default page, users accessing the default page of the server will see an error. To avoid this it is recommended to change the default page. As there is no useful service available on this system, the default page should be a static HTML page that you create yourself:
ucr set apache2/startsite=<new html file below /var/www>
To apply the changes a reload of the apache configuration is needed:
systemctl reload apache2
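Because updates can re-enable the disabled sites, it helps to re-check the hardening state automatically. The following audit script is an added example, not part of the Univention article; it takes the Apache sites-enabled directory and a file holding the output of "ucr dump" as parameters, so it can also be run against saved copies, and the site names and UCR variables are the ones from the steps above.

```shell
#!/bin/sh
# Added audit script, not from the Univention article: re-checks the hardening
# steps above, e.g. after an Errata or Release Update. Inputs are the Apache
# sites-enabled directory and a file with the output of "ucr dump" (key: value).

# Apache sites that were disabled with a2dissite and must stay disabled.
DISABLED_SITES="000-default.conf default-ssl.conf univention.conf univention-portal.conf univention-server-overview.conf"

# check_sites_disabled SITES_ENABLED_DIR: 0 when none of the sites is linked.
check_sites_disabled() {
    dir="$1"; rc=0
    for site in $DISABLED_SITES; do
        if [ -e "$dir/$site" ]; then
            echo "WARNING: $site is enabled again (run: a2dissite $site)" >&2
            rc=1
        fi
    done
    return $rc
}

# check_ucr_value UCR_DUMP_FILE KEY EXPECTED: 0 when KEY has exactly EXPECTED.
check_ucr_value() {
    value=$(sed -n "s|^$2: ||p" "$1")
    [ "$value" = "$3" ] && return 0
    echo "WARNING: $2 is '$value', expected '$3' (run: ucr set $2=$3)" >&2
    return 1
}

# audit SITES_ENABLED_DIR UCR_DUMP_FILE: 0 only if every setting is intact.
audit() {
    rc=0
    check_sites_disabled "$1" || rc=1
    check_ucr_value "$2" apache2/force_https true || rc=1
    check_ucr_value "$2" umc/http/autostart no || rc=1
    check_ucr_value "$2" umc/server/autostart no || rc=1
    for svc in docker inetd nfs ntp portmap; do
        check_ucr_value "$2" "$svc/autostart" false || rc=1
    done
    return $rc
}

# On the DMZ host: ucr dump > /tmp/ucr.dump; sh audit.sh /etc/apache2/sites-enabled /tmp/ucr.dump
if [ $# -eq 2 ]; then
    audit "$1" "$2" && echo "hardening intact"
fi
```

A non-zero exit status together with the WARNING lines tells you which step has to be repeated.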
Instead of disabling all services that do not need to be exposed externally, it is also possible to configure Apache to allow access only from internal networks (e.g. with IP-based access rules in .htaccess files). As such a configuration is more complex and therefore more error-prone, we decided to deactivate the services in this How-To.
Further information and known limitations
SSL and DNS
The configuration in this article works best if the default UCS PKI is used and the server can be accessed using the "ucs-sso.<mydomain>" DNS alias. If other certificates need to be used (for example Let's Encrypt), adjustments are needed. The easiest option is to not deactivate default-ssl.conf for Apache (please note that this partly re-activates the portal page, which leads to an accessible but broken portal).
Updates without UMC
As the Univention Management Console is deactivated, you cannot update the server using the web-based tools. Besides using the command line tools, it is possible to automate the deployment of UCS updates