How to Integrate SAML Single Sign-On in ownCloud App


If you need to use various online services, which is the norm nowadays, there is nothing more convenient than single sign-on (SSO). SSO allows you to log in to all available services in a domain with a single password. UCS has provided this feature via the SAML Identity Provider since UCS 4.1.

We chose to implement SAML as the first single sign-on technology in UCS because of its popularity in the enterprise sector, its high degree of security, and the positive experiences we ourselves had had with SAML in the preceding years. Since then, many services and Univention Apps have come to provide a SAML service provider, and we are now working on integrating these with the UCS Identity Provider.

Step by Step Guide to a Multi-Server Environment for Effective Protection against Outages and Network Attacks

The cumulative outages of Amazon Web Services and the attacks on the global DNS network have shown that even large and supposedly professionally protected networks are at risk. These incidents also make us aware of the need to distribute critical infrastructure across multiple cloud providers. This distribution is particularly important for centralized authentication services, which provide users and permissions for a range of services and organizational offices. An outage of a single server system would be a catastrophe for services like AWS, where thousands of users and their permissions would be affected simultaneously. This is why I would like to explain how you can safeguard your network against outages and criminal attacks, even if your network is probably not of the same dimension as AWS or the DNS network.

Shed Light on the “IT jungle” with a Domain Controller

The professional structuring of domains and the use of domain controllers bring order to IT infrastructures. This is especially important when organizations are growing rapidly, since professional domain management allows their IT to grow dynamically with them. Otherwise, the infrastructure becomes a kind of “patchwork carpet” of many small solutions and unorganized resources, some of which act independently of each other, may interfere with each other, and thus require a high level of maintenance. Not to mention the complexity of maintaining users twice and the risks associated with data replication, data protection, and system reliability.

In the following article, we first explain briefly what a domain is and then describe the tasks of a domain controller. Finally, we become practical and see how the concept of “domain/domain controllers” has been implemented in Univention Corporate Server.

RADIUS – a Powerful Tool for Safe Mobile Device Accesses


Workplaces are becoming more remote and mobile, while individuals are increasingly equipped with (private) mobile devices. In this context it is good to know about RADIUS, because private end devices require simple access to an organization’s network, and at the same time you need to prevent these devices from opening the door to malware or data leakage. RADIUS is an instrument for building secure, decentralized work structures and equally a powerful tool for authenticating mobile device access to networks.

In the following, we would like to give you a brief understanding of what RADIUS is and how you can use it with UCS.

OpenVPN to Secure your Samba Authentications Automatically


Samba 4 has become the tool of choice for companies with diverse clients that seek Linux-based central identity management. However, a growing number of organizations offer work-from-home options or manage distributed operations, such as construction companies with a computer at every construction site or an insurance provider with several offices. Securing all authentication processes when employees log in to your network from outside is critical to protecting your data.

But how to do that?

If you want to enjoy the advantages of the single sign-on and policies that Samba provides, you need to add a VPN solution that starts before the login. The following how-to describes how to add OpenVPN to an existing Samba 4 installation so that client authentications over an untrusted network are secured automatically.

UCS Identity Management Manages Mail Platform With Over 30 Million Users


More than two years after the start of one of the largest projects in which Univention has been involved to date, a new mail platform with over 30 million managed end users finally went online in late 2016. UCS takes care of the identity management duties for all the user accounts.

I first reported on the challenges of the project almost a year ago in the article “How can OpenLDAP with UCS be scaled to over 30 million objects?”. However, it is now no longer “gray theory”: the project has gone live, and the LDAP has had to cope with the strain of thousands of accesses every second in real time ever since.

Today, I would like to provide you with an update and share some of our most important findings from the go-live process.

Facilitate Your Work by Integrating Listener Modules in UCS

Listener modules support you in your administrative work by synchronizing and controlling all changes in the UCS OpenLDAP across all connected services. Learn how to build and use them!

You are surely using a variety of (cloud) services in your organization and, where required, these services will make changes to your directory service, whether Active Directory or OpenLDAP. In heterogeneous environments, where UCS is typically used, the question is how service A can notice the changes that service B has made to certain directory objects that are relevant to both services. For example, when a new printer is added to the network and joins the UCS domain, the list of printers in the configuration file of the printer service (CUPS) is updated and the service is reloaded.

Secure Operation of Existing Applications in the Corporate Environment with Open Source Tools

Last year I submitted my Master’s thesis titled “Secure Operation of Existing Applications in the Corporate Environment with Open Source Tools” and successfully earned my degree in IT from Bremen University of Applied Sciences. My research focused in particular on the differences and the security-related advantages and disadvantages of server virtualization compared with operating system virtualization, which had undergone much less intense testing at the time.

As I can imagine that this topic will also be of interest to some of you, I decided to summarize the most important findings of my work here:

Ansible Modules for the Automation of UCS-Specific Tasks


As a long-term Univention partner, we at Adfinis Sygroup operate UCS environments for many of our customers. We use Ansible for automation across the different Linux distributions we run, as it standardizes the roll-out of UCS, among other things.

Up until now there were no Ansible modules available for UCS-specific tasks. To remedy this, we developed modules based on the standard script interface of Univention Directory Manager for recurring tasks in the maintenance of the directory service, with the goal of simplifying the process. These currently include the following:

udm_group
udm_user
udm_dns_zone
udm_dns_record
udm_share

These modules are included in the Ansible extra modules as of Ansible version 2.2 and can be used with Ansible like any other module. If additional Ansible modules are developed in the future (and are not yet included in Ansible itself), they can be added to individual projects. The following offers a brief explanation of how such additional Ansible modules can be installed and then gives a brief introduction to the modules listed above.
