SAML Single Sign-On as single server broken after 4.3 update (empty gray page)

vargax · April 10, 2018, 9:04pm

Hi,

After update to Univention 4.3 the SAML Single Sign-On as single server patch broken both the web console and the SSO feature (G Suite integration).

After the update I only get an empty gray page and a bunch of 404 errors accessing both through the FQDN or the IP address of the server.

After a little panic I fixed undo the changes made by the script (setting everything back to ucs-sso.my.internal.domain)

FQDN=ucs-sso.ad.activarsas.co

ucr set ucs/server/sso/autoregistraton=yes
ucr set saml/idp/entityID="https://${FQDN}/simplesamlphp/saml2/idp/metadata.php"
ucr set saml/idp/certificate/privatekey="/etc/simplesamlphp/${FQDN}-idp-certificate.key"
ucr set saml/idp/certificate/certificate="/etc/simplesamlphp/${FQDN}-idp-certificate.crt"
ucr set ucs/server/sso/fqdn=$FQDN
ucr set umc/saml/sp-server=$FQDN
ucr set ucs/server/sso/virtualhost=true

ucr unset apache2/ssl/certificate
ucr unset apache2/ssl/key

rm /etc/apache2/ucs-sites.conf.d/servername.conf

univention-run-join-scripts --force --run-scripts 91univention-saml.inst
ucr set umc/saml/idp-server=https://${FQDN}/simplesamlphp/saml2/idp/metadata.php
univention-run-join-scripts --force --run-scripts 92univention-management-console-web-server.inst

codedmind · May 14, 2018, 10:21am

Hello @vargax

Are you able to reconfigure it to use external domain?

Thanks

vargax · May 16, 2018, 6:38pm

Hi @codedmind

I setting up my environment differently. Now I use sso.myexternal.domain as a Single-Sign-On domain for both internal and external services. This domain always resolve to the external IP address.

FQDN=sso.activarsas.com
ucr set ucs/server/sso/autoregistraton=no         saml/idp/entityID="https://${FQDN}/simplesamlphp/saml2/idp/metadata.php"         saml/idp/certificate/privatekey="/etc/simplesamlphp/${FQDN}-idp-certificate.key"         saml/idp/certificate/certificate="/etc/simplesamlphp/${FQDN}-idp-certificate.crt"         ucs/server/sso/fqdn=$FQDN         umc/saml/sp-server=$FQDN         ucs/server/sso/virtualhost=true
univention-run-join-scripts --force --run-scripts 91univention-saml.inst
ucr set umc/saml/idp-server=https://${FQDN}/simplesamlphp/saml2/idp/metadata.php
univention-run-join-scripts --force --run-scripts 92univention-management-console-web-server.inst

After this change you have to update your settings in the G Suite Admin console and upload the new certificate.

codedmind · May 16, 2018, 7:15pm

@vargax how do you setup the UCS so the only have one domain? The ucs-sso isn’t created automatically based on the main domain?