Configure SAML Single Sign-On as single server solution

Please be advised: This article describes a very rare scenario. One UCS DC Master is reconfigured, and no other UCS servers are in the domain or will ever be joined.

For a detailed overview of UCS Single Sign On configuration see article 16161

Problem

The default UCS Single Sign-On setup uses an additional DNS record that is shared between the DC Master and DC Backup servers, so that the identity provider stays reachable if one of them fails.
That default DNS record is ucs-sso.domainname.
In certain setups, e.g. when operating UCS in a cloud scenario, only one external DNS record is available for a server.

Solution

The following commands have to be executed to configure the single sign-on identity provider for a different DNS Record.

# External DNS name of the DC Master (replace with your own)
FQDN=externaldns.ucsmaster.example

# Point the SSO identity provider, the UMC service provider and the Apache certificate at the external name
ucr set ucs/server/sso/autoregistraton=no \
        saml/idp/entityID="https://${FQDN}/simplesamlphp/saml2/idp/metadata.php" \
        ucs/server/sso/fqdn=$FQDN \
        umc/saml/sp-server=$FQDN \
        ucs/server/sso/virtualhost=false \
        apache2/ssl/certificate=/etc/univention/ssl/${FQDN}/cert.pem \
        apache2/ssl/key=/etc/univention/ssl/${FQDN}/private.key

# Make Apache answer to the external name
echo "ServerName $FQDN" >>/etc/apache2/ucs-sites.conf.d/servername.conf

# Re-run the SAML join script, then point UMC at the new IdP metadata URL and re-run the UMC web server join script
univention-run-join-scripts --force --run-scripts 91univention-saml.inst
ucr set umc/saml/idp-server=https://${FQDN}/simplesamlphp/saml2/idp/metadata.php
univention-run-join-scripts --force --run-scripts 92univention-management-console-web-server.inst

The server can now be accessed by its external DNS Name, in this example https://externaldns.ucsmaster.example.
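A post-configuration consistency check, added here as an example and not part of the original article: it derives the expected values of the UCR variables set above from the FQDN and compares them with `ucr dump` output, so a value still pointing at the default ucs-sso record is reported before the first login is attempted. The sample dump is constructed; on a real system pipe `ucr dump` into `check_sso_config`.

```shell
# Expected value of each SSO-related UCR variable for FQDN, one "key=value" per line.
expected_sso_vars() {
    fqdn="$1"
    cat <<EOF
ucs/server/sso/fqdn=${fqdn}
umc/saml/sp-server=${fqdn}
ucs/server/sso/virtualhost=false
saml/idp/entityID=https://${fqdn}/simplesamlphp/saml2/idp/metadata.php
umc/saml/idp-server=https://${fqdn}/simplesamlphp/saml2/idp/metadata.php
apache2/ssl/certificate=/etc/univention/ssl/${fqdn}/cert.pem
apache2/ssl/key=/etc/univention/ssl/${fqdn}/private.key
EOF
}

# check_sso_config FQDN  (reads "key: value" lines, the format of `ucr dump`, on stdin)
# Prints one line per variable that is missing or differs; returns 1 if any did.
check_sso_config() {
    fqdn="$1"
    dump="$(cat)"
    rc=0
    for pair in $(expected_sso_vars "$fqdn"); do
        key="${pair%%=*}"
        want="${pair#*=}"
        got="$(printf '%s\n' "$dump" | sed -n "s|^${key}: ||p")"
        if [ "$got" != "$want" ]; then
            printf 'MISMATCH %s: got "%s", want "%s"\n' "$key" "$got" "$want"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample of `ucr dump` output: umc/saml/idp-server still carries the
# default ucs-sso record instead of the external name.
SAMPLE_DUMP='ucs/server/sso/fqdn: externaldns.ucsmaster.example
umc/saml/sp-server: externaldns.ucsmaster.example
ucs/server/sso/virtualhost: false
saml/idp/entityID: https://externaldns.ucsmaster.example/simplesamlphp/saml2/idp/metadata.php
umc/saml/idp-server: https://ucs-sso.ucsmaster.example/simplesamlphp/saml2/idp/metadata.php
apache2/ssl/certificate: /etc/univention/ssl/externaldns.ucsmaster.example/cert.pem
apache2/ssl/key: /etc/univention/ssl/externaldns.ucsmaster.example/private.key'

# On a real system: ucr dump | check_sso_config "$FQDN"
printf '%s\n' "$SAMPLE_DUMP" | check_sso_config externaldns.ucsmaster.example \
    || echo "SSO configuration is inconsistent, see mismatches above"
```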

Warning

This configuration enables an Apache-wide suexec configuration for the single sign-on. Web pages and apps that require CGI scripts to be executed will run into problems; check /var/log/apache2/suexec.log. These programs need to be adapted separately.

SAML/Kerberos

If SAML/Kerberos with Samba 4 is to be used in this scenario, the following additional steps have to be performed. Note: the internal and external domain name have to be equal, i.e. equal to the Kerberos realm. Configuring SAML/Kerberos in any other scenario is out of scope here.

# Enable saml/kerberos:
ucr set saml/idp/authsource=univention-negotiate

# Update the Kerberos configuration: register HTTP/<external name> as an additional
# service principal of the existing ucs-sso account (FQDN is the variable set in the Solution section above)
spn_account_name="ucs-sso"
servicePrincipalName="HTTP/$FQDN"
samba-tool spn add "$servicePrincipalName" "$spn_account_name"
spn_account_name_password=$(</etc/simplesamlphp/ucs-sso-kerberos.secret)
msdsKeyVersion=$(ldbsearch -H /var/lib/samba/private/sam.ldb \
    samAccountName="$spn_account_name" msDS-KeyVersionNumber \
    | sed -n 's/^msDS-KeyVersionNumber: \(.*\)/\1/p')

ldbmodify -H /var/lib/samba/private/secrets.ldb <<-%EOF
dn: samAccountName=$spn_account_name,CN=Principals
changetype: modify
replace: secret
secret: $spn_account_name_password
-
replace: msDS-KeyVersionNumber
msDS-KeyVersionNumber: $msdsKeyVersion
-
add: servicePrincipalName
servicePrincipalName: $servicePrincipalName
%EOF

cp /var/lib/samba/private/simplesamlphp.keytab /etc/simplesamlphp.keytab