SAML Identity Provider

From Univention Wiki

Revision as of 11:50, 12 August 2013 by Damrose (talk | contribs) (Initial release)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
Produktlogo UCS Version 3.2


link= Identity Provider
Single Sign-On page for a service provider

SAML Identity Provider is an app for UCS which is based on SimpleSAMLphp. It allows the configuration of an identity provider which can be used to authenticate and authorize users who wish to use external service providers. This allows domain users to use external services with their domain credentials as a Single Sign On (SSO) solution.


SAML Identity Provider is available through the App Center and can be installed using the corresponding UMC App Center module.


Basic settings

UCR variables control the basic behaviour of SimpleSAMLphp. The most important are mentioned here with descriptions that are helpful to understand SimpleSAMLphp's configuration.

saml/idp/ldap/get_attributes: The list of ldap user attributes that are read from ldap after succesful user authentication. Values that are not mentioned here cannot be evaluated for authentication or forwarded to the service provider. (default: 'uid', 'mailPrimaryAddress', 'enabledServiceProviderIdentifier')
saml/idp/ldap/search_attributes: A list of ldap attributes that are filtered for the provided username (default: 'uid', 'mailPrimaryAddress')
saml/idp/certificate/certificate: The service provider needs to know if the SAML message with the info about successful originates from the correct identity provider. The SAML message is therefore cryptographically signed by a public-private key pair. This UCR variable contains the path to the public part of that key pair. During installation of the SAML Identity Provider app, new keys are generated. If you change these keys the current public key has to be uploaded to service providers.
saml/idp/certificate/privatekey: The path to the private key used to sign messages to the service provider.
saml/idp/technicalcontactname: The name of a helpdesk contact which is shown to the user when he encounters problems with the identity provider.
saml/idp/technicalcontactemail: A contact email address which is shown to the user when he encounters problems with the identity provider.

Allowed users

Configure users to allow usage of a service provider

By default no user is allowed to use any service provider. Users can be activated by adding any configured service provider on the users 'Account' tab in the section 'SAML settings'.

Adding service providers

Configure basic service provider options
Configure optional service provider options

Service provider configuration is done with univention-directory-manager (udm). The udm module is called saml/serviceprovider. At least 2 Parameters have to be provided (but are probably not sufficient) for each service provider:

Identifier: The identifier with which the service provider is recognized at the identity provider.
AssertionConsumerService: The URL of the AssertionConsumerService endpoint for this service provider. Users will be redirected to this URL after authentication.

In addition the following options have to be configured for most service providers:

NameIDFormat: The NameIDFormat this SP should receive. Example: urn:oasis:names:tc:SAML:2.0:nameid-format:email
simplesamlNameIDAttribute: The ldap attribute that should be used by the NameIDFormat option mentioned above. Example: uid

Additional options include a list of the users ldap attributes that should be included in the SAML assertions message as well as settings to configure additional information that is presented to the user about the service provider, e.g. a displayname or a privacy policy. An overview of available options and their description is displayed when executing

udm saml/serviceprovider

To change service provider options one can use univention-directory-manager or the UMC LDAP browser. The service provider definitions can be found at the position [ldap-base]/univention/saml-serviceprovider

Example configuration of a service provider

In this example google apps is configured as a service provider for single sign on of domain users. A valid (test-)account of google apps is necessary to follow this example; its creation is beyond the scope of this article.

In this howto section the configured google apps domain is Whenever this domain is mentioned, it should be replaced by the domain configured for your test environment.

First, a testuser should be created inside the new google apps account, which has to have the same username as the UCS user that will be used to test the service provider (e.g. testuser).

To enable single sign on in the google apps admin console, the security control widget has to be opened. The single sign on settings can be accessed by selection advanced settings. After ticking the Enable Single Sign-On checkbox, several URLs have to be provided. The sign-in page URL should be set to

http://[FQDN or IP address]/simplesamlphp/saml2/idp/SSOService.php

The domain name or the ip address of the UCS server can be used. As the SAML messages are transfered by the client browser, a private ip address can be used. It is only necessary that the client can access both the UCS server URL and the service provider. The sign-out page URL should be set to

http://[FQDN or IP address]/simplesamlphp/saml2/idp/initSLO.php?RelayState=/simplesaml/logout.php

The change password URL must be provided but is not needed for initial testing, so any URL will suffice.

Next, the identity provider's public certificate has to be uploaded. By default it is available on the UCS server in the following location:


where FQDN is the name of the server where the SAML Identity Provider app has been installed.

The last checkbox defines which issuer or identifier will be send to the identity provider. If not checked, will be send as the identifier, which works for our example.

After saving the changes, the service provider can be configured on the UCS server. We need the URL of the google apps account domain(e.g. The following univention-directory-manager command will create the service provider (remember to replace the google apps URL):

udm saml/serviceprovider create \
  --position "cn=saml-serviceprovider,cn=univention,dc=intra,dc=net" \
  --set \
  --set NameIDFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:email" \
  --set simplesamlAttributes="false" \
  --set AssertionConsumerService="" \
  --set simplesamlNameIDAttribute="uid"

Now the testuser has to be configured to be able to use the new service provider. On the Account tab of the testuser account the service provider has to be added. After that, there are two ways to access google apps as the testuser:

- Via the google apps login page: Use a webbrowser to navigate to the following URL, enter and click on Login. The browser should be redirected to the single sign on page.

- Directly from the identity provider. The session starts at the identity provider by adding the service provider information as parameters to the URL. Point the webbrowser to the following URL, where the authentication webpage is presented to the user.


On the identity provider login page enter the local username and password. After successful authentication and authorization the browser will be redirected to the google apps dashboard, already logged in with the testuser.


To test or debug the current settings, set the UCR variable saml/idp/log/debug/enabled to TRUE. The loglevel can be configured with the UCR variable saml/idp/log/level, which is set to NOTICE by default. For debugging purposes INFO or DEBUG can be used. The debug output can be found in /var/log/syslog.

Known Issues


Personal tools