Configure SAML Single Sign-On as single server solution

ucs-4-1
dns
saml
records
single_sign-on
sso
fqdn
servername

#1

Problem

The default UCS Single Sign-On setup consists of an additional DNS Record that is shared between master and backup servers to provide a failsafe setup.
That default DNS Record is ucs-sso.domainname.
In certain setups, e.g. when operating UCS in a cloud scenario, only one external DNS Record is available for a server.

Solution

The following commands have to be executed to configure the single sign-on identity provider for a different DNS Record.

FQDN=externaldns.ucsmaster.example

ucr set ucs/server/sso/autoregistraton=no \
        saml/idp/entityID="https://${FQDN}/simplesamlphp/saml2/idp/metadata.php" \
        saml/idp/certificate/privatekey="/etc/simplesamlphp/${FQDN}-idp-certificate.key" \
        saml/idp/certificate/certificate="/etc/simplesamlphp/${FQDN}-idp-certificate.crt" \
        ucs/server/sso/fqdn=$FQDN \
        umc/saml/sp-server=$FQDN \
        ucs/server/sso/virtualhost=false \
        apache2/ssl/certificate=/etc/univention/ssl/${FQDN}/cert.pem \
        apache2/ssl/key=/etc/univention/ssl/${FQDN}/private.key
       
echo "ServerName $FQDN" >>/etc/apache2/ucs-sites.conf.d/servername.conf

univention-run-join-scripts --force --run-scripts 91univention-saml.inst
ucr set umc/saml/idp-server=https://${FQDN}/simplesamlphp/saml2/idp/metadata.php
univention-run-join-scripts --force --run-scripts 92univention-management-console-web-server.inst

The server can now be accessed by its external DNS Name, in this example https://externaldns.ucsmaster.example.

Warning

This configuration will enable an apache wide suexec configuration for the single sign-on. Webpages and Apps that require cgi scripts to be executed will run into problems, check /var/log/apache2/suexec.log. These programs need to be adapted seperately.

SAML/Kerberos

If SAML/Kerberos with Samba4 should be used with this scenario, the following additional steps have to be performed. Note: The domainname for the internal and external domain have to be equal, i.e. equal the kerberos realm. Configuring saml+kerberos in any other scenario is out of scope here

# Enable saml/kerberos:
ucr set saml/idp/authsource=univention-negotiate

# Update the Kerberos configuration
spn_account_name="ucs-sso"
servicePrincipalName="HTTP/$FQDN"
samba-tool spn add "$servicePrincipalName" "$spn_account_name"
spn_account_name_password=$(</etc/simplesamlphp/ucs-sso-kerberos.secret)
msdsKeyVersion=$(ldbsearch -H /var/lib/samba/private/sam.ldb \
    samAccountName="$spn_account_name" msDS-KeyVersionNumber \
    | sed -n 's/^msDS-KeyVersionNumber: \(.*\)/\1/p')

ldbmodify -H /var/lib/samba/private/secrets.ldb <<-%EOF
dn: samAccountName=$spn_account_name,CN=Principals
changetype: modify
replace: secret
secret: $spn_account_name_password
-
replace: msDS-KeyVersionNumber
msDS-KeyVersionNumber: $msdsKeyVersion
-
add: servicePrincipalName
servicePrincipalName: $servicePrincipalName
%EOF

cp /var/lib/samba/private/simplesamlphp.keytab /etc/simplesamlphp.keytab

SAML Single Sign-On as single server broken after 4.3 update (empty gray page)
Office 365 Connector