Please be advised: This article describes a very rare scenario. One UCS DC Master is reconfigured, and no other UCS servers are in the domain or will ever be joined.
For a detailed overview of UCS Single Sign On configuration see article 16161
Problem
The default UCS Single Sign-On setup consists of an additional DNS Record that is shared between master and backup servers to provide a failsafe setup.
That default DNS Record is ucs-sso.domainname.
In certain setups, e.g. when operating UCS in a cloud scenario, only one external DNS Record is available for a server.
Solution
The following commands have to be executed to configure the single sign-on identity provider for a different DNS Record.
FQDN=externaldns.ucsmaster.example
ucr set ucs/server/sso/autoregistraton=no \
saml/idp/entityID="https://${FQDN}/simplesamlphp/saml2/idp/metadata.php" \
ucs/server/sso/fqdn=$FQDN \
umc/saml/sp-server=$FQDN \
ucs/server/sso/virtualhost=false \
apache2/ssl/certificate=/etc/univention/ssl/${FQDN}/cert.pem \
apache2/ssl/key=/etc/univention/ssl/${FQDN}/private.key
echo "ServerName $FQDN" >>/etc/apache2/ucs-sites.conf.d/servername.conf
univention-run-join-scripts --force --run-scripts 91univention-saml.inst
ucr set umc/saml/idp-server=https://${FQDN}/simplesamlphp/saml2/idp/metadata.php
univention-run-join-scripts --force --run-scripts 92univention-management-console-web-server.inst
The server can now be accessed by its external DNS Name, in this example https://externaldns.ucsmaster.example.
Warning
This configuration will enable an apache wide suexec configuration for the single sign-on. Webpages and Apps that require cgi scripts to be executed will run into problems, check /var/log/apache2/suexec.log. These programs need to be adapted seperately.
SAML/Kerberos
If SAML/Kerberos with Samba4 should be used with this scenario, the following additional steps have to be performed. Note: The domainname for the internal and external domain have to be equal, i.e. equal the kerberos realm. Configuring saml+kerberos in any other scenario is out of scope here
# Enable saml/kerberos:
ucr set saml/idp/authsource=univention-negotiate
# Update the Kerberos configuration
spn_account_name="ucs-sso"
servicePrincipalName="HTTP/$FQDN"
samba-tool spn add "$servicePrincipalName" "$spn_account_name"
spn_account_name_password=$(</etc/simplesamlphp/ucs-sso-kerberos.secret)
msdsKeyVersion=$(ldbsearch -H /var/lib/samba/private/sam.ldb \
samAccountName="$spn_account_name" msDS-KeyVersionNumber \
| sed -n 's/^msDS-KeyVersionNumber: \(.*\)/\1/p')
ldbmodify -H /var/lib/samba/private/secrets.ldb <<-%EOF
dn: samAccountName=$spn_account_name,CN=Principals
changetype: modify
replace: secret
secret: $spn_account_name_password
-
replace: msDS-KeyVersionNumber
msDS-KeyVersionNumber: $msdsKeyVersion
-
add: servicePrincipalName
servicePrincipalName: $servicePrincipalName
%EOF
cp /var/lib/samba/private/simplesamlphp.keytab /etc/simplesamlphp.keytab