Cool Solution - SAML IdP in the DMZ

From Univention Wiki

Jump to: navigation, search
Produktlogo UCS Version 4.3

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Not all of the shown steps in the article are covered by Univention Support. For questions about your support coverage contact your contact person at Univention before you want to implement one of the shown steps.

Also regard the legal notes at Terms of Service.

Introduction and prerequisites

SAML is becoming the default authentication mechanism for authenticating web service from a central Identity and Access Management system. UCS by default includes a SAML Identity Provider. However, if you want to allow your users to access the services from outside your network, you will need to make SAML available from the outside.

The UCS SAML IDP is only available on DC Master and DC Backup hosts. For the steps documented here the server role has to be DC Backup. After applying these the instance can not be used as a fallback for the DC Master during a "backup 2master" anymore.

The following article describes only the hardening, not possible adjustments of the DNS and SSL/PKI setup. You can find additional information on that topic in this Support Database Post.

UCS in the DMZ

Please follow the general guide on UCS reachable from the Internet. Please ignore the section on the UMC. We will deal with it separately.

Services to Deactivate

UCS comes with some services preinstalled. If you start out with a one server environment, this is great. However, you do not want all of them running in your DMZ. Thus we would recommend deactivating these.

Service Command
Docker
ucr set docker/autostart=false
Inetd
ucr set inetd/autostart=false
NFS
ucr set nfs/autostart=false
NTP Server
ucr set ntp/autostart=false
Portmap daemon
ucr set portmap/autostart=false

Please reboot the server afterward, to ensure all services have read the appropriate settings.

Samba 4

If you are using Samba 4 for your internal Domain, we do not recommend installing it in the DMZ. However, the server should have access to at least the Samba 4 on the UCS Master.

Available Ports

SAML works via HTTPS. You will need to open the HTTPS Port to the outside to access SAML. Please configure your firewall accordingly. No other ports should be made available from the outside.

Apache Configuration

Force HTTPS

Beside having only HTTPS port 443 available, it makes sense to also force the usage of HTTPS in the Apache configuration. In case (internal) connections to the server are opened using HTTP, they are forwarded to HTTPS.

The following UCR variable forces HTTPS:

ucr set apache2/force_https=true

Afterward, restart the apache web server.

systemctl restart apache2.service

Disable non-SAML web services

UCS offers three web services by default. The Management Console, the portal page, and SAML. For external availability, you want to restrict this to only providing SAML. Please note, you will not be able to administer the server from the web interface anymore, once the steps are completed. Therefore you should not execute these steps on a DC Master or your primary DC Backup.

Firstly you should disable the additional pages in the apache configuration:

a2dissite 000-default.conf
a2dissite default-ssl.conf
a2dissite univention.conf
a2dissite univention-portal.conf
a2dissite univention-server-overview.conf

As these services are default components of UCS they might be re-enabled during updates (Errata or Release Updates), so please ensure to check them after updates.

Afterward, reload the apache web server configuration:

systemctl reload apache2

Next stop the management console services

systemctl stop univention-management-console-server
systemctl stop univention-management-console-web-server

Finally disable their autostart routine

ucr set umc/http/autostart=no
ucr set umc/server/autostart=no

Change default page

As the now deactivated portal is the default page, users accessing the default page of the server will see an error. To avoid this it is recommended to change the default page. As there is no usefull service available on this system, the default page should be a "to be created" static HTML page:

ucr set apache2/startsite=<new html file below /var/www>

To apply the changes a reload of the apache configuration is needed:

systemctl reload apache2

Alternatives

Instead of disabling all services not needed to be exposed externally, it is possible to configure Apache to allow access only to internal networks (i.e. by IP based access rules in .htaccess files). As such a configuration is more complex and therefore more error-prone we've decided to deactivate the services in this How-To.

Further information and known limitations

SSL and DNS

The configuration in the article works best if the default UCS PKI is used and the server can be accessed using the "ucs-sso.<mydomain>" DNS alias. In case other certificates need to be used (for example Let's encrypt) adjustments are needed. Easiest step would be to not deactivate the default-ssl.conf for apache (Please note that this re-activates the portal page partly, which leads to an accessible but broken portal).

Updates without UMC

As the Univention Management Console is deactivated, you can not update the server using the web based tools. Beside using the command line tools it is possible to automate the deployment of UCS updates

Personal tools