Modify Entity ID for SP Metadata

Infos:

  • Used Zammad version: 3.4.x
  • Used Zammad installation source: Package
  • Operating system: Ubuntu 20.04
  • Browser + version: Firefox 79.0

Expected behavior:

  • Ability to set entity id, SP cert/key, and other settings such as AuthnRequestsSigned="true" and WantAssertionsSigned="true"

Am I missing something simple? Thanks!

Actual behavior:

  • Can’t locate place to set the values.

Steps to reproduce the behavior:

  • Can only configure IDP settings from what I can see.

Sorry I can’t answer that question.
We’re using omniauth-saml for authentication ( https://github.com/omniauth/omniauth-saml ).

I tried to find the above mentioned keys / settings but couldn't, thus I don't know if they're supported by the gem itself and what their default values are.

The configuration options possible are visible in Zammads UI within Security -> Third-Party -> SAML. That’s about what you can configure with Zammad.

You can also find a guide that covers Keycloak here:
https://admin-docs.zammad.org/en/latest/settings/security/third-party/saml.html

Thanks @MrGeneration. The documentation only appears to cover setting the IDP certificate in the configuration.

In omniauth-saml it would be great if at least the following were available via the UI as individual fields, or maybe allow a custom JSON struct to be added with advanced features that is passed to the underlying library?

  • :issuer - The name of your application. Some identity providers might need this to establish the identity of the service provider requesting the login. Required.
  • settings.certificate = "CERTIFICATE TEXT WITH HEAD AND FOOT"
  • settings.private_key = "PRIVATE KEY TEXT WITH HEAD AND FOOT"
  • settings.security[:authn_requests_signed] = true # Enable or not signature on AuthNRequest
  • settings.security[:logout_requests_signed] = true # Enable or not signature on Logout Request
  • settings.security[:logout_responses_signed] = true # Enable or not signature on Logout Response
  • settings.security[:want_assertions_signed] = true # Enable or not the requirement of signed assertion
  • settings.security[:metadata_signed] = true # Enable or not signature on Metadata

These options are described https://github.com/omniauth/omniauth-saml/issues/141, https://github.com/onelogin/ruby-saml#signing and under https://github.com/onelogin/ruby-saml#signing (the last bullet on this page).

These are all common options and requirements for many SAML implementations, as they allow for signing/encryption of metadata being passed across the internet beyond just SSL from the webserver.

It would also be great if we could manage group membership via attributes from SAML attribute isMemberOf (for example) as well as specify which URN to use for all different attributes that could feed into user profiles such as Name, email, department, group membership, roles, etc…

Thank you for your time!
Tom
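As an added illustration (not code from Zammad, omniauth-saml or this thread's author), the block below shows what the options listed in the post look like as the hash omniauth-saml hands through to ruby-saml's settings object, together with a sanity check an administrator would want to run before enabling signed requests: every "signed" option needs an SP key pair, the private key must actually belong to the certificate, and unsigned assertions should not be accepted. The option key names (:issuer, :certificate, :private_key, :idp_cert, :security) are those from the omniauth-saml README; the entity ID URL and the self-signed key pair are constructed placeholders so the example runs offline, and nothing here touches a real IdP.

```ruby
require 'openssl'

# Build the options hash omniauth-saml passes through to ruby-saml's
# OneLogin::RubySaml::Settings. Key names follow the omniauth-saml README;
# the URL values are constructed placeholders (assumption: the SP entity ID
# must match whatever the IdP has registered for this SP).
def sp_saml_options(sp_entity_id:, certificate_pem:, private_key_pem:, idp_cert_pem:)
  {
    issuer: sp_entity_id,          # SP entity ID
    certificate: certificate_pem,  # SP signing certificate, PEM with header/footer
    private_key: private_key_pem,  # matching SP private key, PEM with header/footer
    idp_cert: idp_cert_pem,        # IdP signing certificate (what Zammad's UI already takes)
    security: {
      authn_requests_signed: true,   # sign AuthnRequest
      logout_requests_signed: true,  # sign LogoutRequest
      logout_responses_signed: true, # sign LogoutResponse
      want_assertions_signed: true,  # reject unsigned assertions
      metadata_signed: true,         # sign the SP metadata document
    },
  }
end

# Check a hash for coherence before handing it to the middleware.
# Returns a list of problems; an empty list means the config is consistent.
def check_sp_options(opts)
  problems = []
  sec = opts[:security] || {}
  signing_needed = sec.values_at(:authn_requests_signed, :logout_requests_signed,
                                 :logout_responses_signed, :metadata_signed).any?
  if signing_needed && (opts[:certificate].to_s.empty? || opts[:private_key].to_s.empty?)
    problems << 'signing enabled but SP certificate/private_key missing'
  end
  unless sec[:want_assertions_signed]
    problems << 'want_assertions_signed is false: unsigned assertions would be accepted'
  end
  if !opts[:certificate].to_s.empty? && !opts[:private_key].to_s.empty?
    cert = OpenSSL::X509::Certificate.new(opts[:certificate])
    key  = OpenSSL::PKey::RSA.new(opts[:private_key])
    # The public key inside the certificate must correspond to the private key,
    # otherwise every signed request would fail verification at the IdP.
    problems << 'private_key does not match certificate' unless cert.check_private_key(key)
    problems << 'SP certificate expired' if cert.not_after < Time.now
  end
  problems
end

# Constructed, self-signed key pair so the example runs without real material.
def make_self_signed(cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  name = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.subject = name
  cert.issuer = name
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 365 * 24 * 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert.to_pem, key.to_pem]
end

if __FILE__ == $PROGRAM_NAME
  sp_cert, sp_key = make_self_signed('sp.example.test')
  idp_cert, _idp_key = make_self_signed('idp.example.test')
  opts = sp_saml_options(sp_entity_id: 'https://zammad.example.test/auth/saml/metadata',
                         certificate_pem: sp_cert, private_key_pem: sp_key,
                         idp_cert_pem: idp_cert)
  problems = check_sp_options(opts)
  puts(problems.empty? ? 'SP options coherent' : problems.inspect)
end
```

The resulting hash is what would go into an OmniAuth `provider :saml, ...` call; the check is the part worth keeping around as a deploy-time guard, since a mismatched or expired SP key pair only shows up as opaque signature failures on the IdP side.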

Sorry, I can’t really provide input on your request.
In my opinion that’d be a feature request.

In general if you’re trying to use options that potentially weaken security, chances may decrease. :x
But there’s no fast forward for that except for custom changes on your code which I wouldn’t suggest.

How would I put in a feature request? Also, these features would actually improve security such as a signing and encryption between the IDP and the SP.

Please create your feature request on this board.
( https://community.zammad.org/c/Stuff-you-like-Zammad-to-have-Feel-free-to-discuss-and-add-proposals/6 )