Exception after Login via SSO

I activated SSO according to this article.

ucr set saml/idp/authsource=univention-negotiate

My UCS servers have the newest updates (4.4-4 errata 613).

But after I try to login via SSO, I immediately get an exception.

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

Backtrace:
1 www/_include.php:17 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: Exception: Error authenticating using search username & password.
Backtrace:
4 modules/ldap/lib/ConfigHelper.php:199 (sspmod_ldap_ConfigHelper::login)
3 modules/uldap/lib/Auth/Source/uLDAP.php:57 (sspmod_uldap_Auth_Source_uLDAP::login)
2 modules/core/lib/Auth/UserPassBase.php:279 (sspmod_core_Auth_UserPassBase::handleLogin)
1 modules/core/www/loginuserpass.php:67 (require)
0 www/module.php:135 (N/A)

We replaced the ca-certificate on the Main domain controller with our own. The certificate on the domain ucs-sso.our-domain.net can be verified and our own CA is integrated correctly (at least according to Firefox).

But there are errors regarding our CA in syslog:

Backup DC:

May 24 14:56:09 ucs-backup univention-saml-stunnel: LOG4[78]: CERT: Pre-verification error: unsupported certificate purpose
May 24 14:56:09 ucs-backup univention-saml-stunnel: LOG4[78]: Rejected by CERT at depth=1: C=DE, ST=Province, L=Country, O=Our Company, OU=IT, CN=Company CA, emailAddress=email
May 24 14:56:09 ucs-backup univention-saml-stunnel: LOG3[78]: SSL_accept: 1417C086: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

Main DC:

May 24 14:56:08 ucs-main simplesamlphp[879]: 7 [27c3e0cada] Library - LDAP __construct(): Setup LDAP with host='ldap://ucs-main.domain.net:7389', tls=true, debug=true, timeout=0, referrals=true
May 24 14:56:08 ucs-main slapd[1358]: conn=2804 fd=31 ACCEPT from IP=172.16.0.31:57270 (IP=0.0.0.0:7389)
May 24 14:56:08 ucs-main slapd[1358]: conn=2804 op=0 EXT oid=1.3.6.1.4.1.1466.20037
May 24 14:56:08 ucs-main slapd[1358]: conn=2804 op=0 STARTTLS
May 24 14:56:08 ucs-main slapd[1358]: conn=2804 op=0 RESULT oid= err=0 text=
May 24 14:56:08 ucs-main slapd[1358]: conn=2804 fd=31 TLS established tls_ssf=256 ssf=256
May 24 14:56:08 ucs-main slapd[1358]: conn=2804 op=1 BIND dn="uid=sys-idp-user,cn=users,dc=domain,dc=net" method=128
May 24 14:56:08 ucs-main slapd[1358]: conn=2804 op=1 RESULT tag=97 err=49 text=
May 24 14:56:08 ucs-main simplesamlphp[879]: 7 [27c3e0cada] Loading state: '_1abcaf53c63c9132a1f4956f154c3974268c80908f:https://ucs-sso.domain.net/simplesamlphp/saml2/idp/SSOService.php?spentityid=https.domain.net&cookieTime=1590324945&RelayState=71JuGRy4lUNZH0ay'
May 24 14:56:08 ucs-main simplesamlphp[879]: 7 [27c3e0cada] Library - LDAP __construct(): Setup LDAP with host='ldap://ucs-main.domain.net:7389', tls=true, debug=true, timeout=0, referrals=true
May 24 14:56:08 ucs-main slapd[1358]: conn=2805 fd=32 ACCEPT from IP=172.16.0.31:57272 (IP=0.0.0.0:7389)
May 24 14:56:08 ucs-main slapd[1358]: conn=2805 op=0 EXT oid=1.3.6.1.4.1.1466.20037
May 24 14:56:08 ucs-main slapd[1358]: conn=2805 op=0 STARTTLS
May 24 14:56:08 ucs-main slapd[1358]: conn=2805 op=0 RESULT oid= err=0 text=
May 24 14:56:08 ucs-main slapd[1358]: conn=2805 fd=32 TLS established tls_ssf=256 ssf=256
May 24 14:56:08 ucs-main slapd[1358]: conn=2805 op=1 BIND dn="uid=sys-idp-user,cn=users,dc=domain,dc=net" method=128
May 24 14:56:08 ucs-main slapd[1358]: conn=2805 op=1 RESULT tag=97 err=49 text=
May 24 14:56:08 ucs-main simplesamlphp[879]: 7 [27c3e0cada] Library - LDAP __construct(): Setup LDAP with host='ldap://ucs-main.domain.net:7389', tls=true, debug=true, timeout=0, referrals=true
May 24 14:56:08 ucs-main slapd[1358]: conn=2806 fd=33 ACCEPT from IP=172.16.0.31:57274 (IP=0.0.0.0:7389)
May 24 14:56:08 ucs-main slapd[1358]: conn=2806 op=0 EXT oid=1.3.6.1.4.1.1466.20037
May 24 14:56:08 ucs-main slapd[1358]: conn=2806 op=0 STARTTLS
May 24 14:56:08 ucs-main slapd[1358]: conn=2806 op=0 RESULT oid= err=0 text=
May 24 14:56:08 ucs-main slapd[1358]: conn=2806 fd=33 TLS established tls_ssf=256 ssf=256
May 24 14:56:08 ucs-main slapd[1358]: conn=2806 op=1 BIND dn="uid=sys-idp-user,cn=users,dc=domain,dc=net" method=128
May 24 14:56:08 ucs-main slapd[1358]: conn=2806 op=1 RESULT tag=97 err=49 text=
May 24 14:56:08 ucs-main simplesamlphp[879]: 5 STAT [27c3e0cada] Unsuccessful login attempt from 172.16.32.31.
May 24 14:56:08 ucs-main slapd[1358]: conn=2806 op=2 UNBIND
May 24 14:56:08 ucs-main slapd[1358]: conn=2806 fd=33 closed
May 24 14:56:08 ucs-main slapd[1358]: conn=2805 op=2 UNBIND
May 24 14:56:08 ucs-main slapd[1358]: conn=2805 fd=32 closed
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] Backtrace:
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] 1 /usr/share/simplesamlphp/www/_include.php:17 (SimpleSAML_exception_handler)
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] 0 [builtin] (N/A)
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] Caused by: Exception: Error authenticating using search username & password.
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] Backtrace:
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] 4 /usr/share/simplesamlphp/modules/ldap/lib/ConfigHelper.php:199 (sspmod_ldap_ConfigHelper::login)
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] 3 /usr/share/simplesamlphp/modules/uldap/lib/Auth/Source/uLDAP.php:57 (sspmod_uldap_Auth_Source_uLDAP::login)
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] 2 /usr/share/simplesamlphp/modules/core/lib/Auth/UserPassBase.php:279 (sspmod_core_Auth_UserPassBase::handleLogin)
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] 1 /usr/share/simplesamlphp/modules/core/www/loginuserpass.php:67 (require)
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] 0 /usr/share/simplesamlphp/www/module.php:135 (N/A)
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] Error report with id a6df3c76 generated.
May 24 14:56:08 ucs-main simplesamlphp[879]: 7 [27c3e0cada] Localization: using old system
May 24 14:56:08 ucs-main simplesamlphp[879]: 7 [27c3e0cada] Template: Reading [/usr/share/simplesamlphp/dictionaries/errors]
May 24 14:56:08 ucs-main simplesamlphp[879]: 7 [27c3e0cada] /simplesamlphp/module.php/core/loginuserpass.php - Template: Could not find template file [error.php] at [/usr/share/simplesamlphp/modules/univentiontheme/themes/univention/default/error.php] - now trying the base template
May 24 14:56:08 ucs-main simplesamlphp[879]: 7 [27c3e0cada] saving key simpleSAMLphp.session.0d1f7557394765cb34b0c195b64a7938 to memcache
May 24 14:56:08 ucs-main simplesamlphp[879]: 4 [27c3e0cada] The class or interface 'SimpleSAML_Logger' is now using namespaces, please use 'SimpleSAML\Logger'.
May 24 14:56:08 ucs-main simplesamlphp[879]: 7 [27c3e0cada] Loading state: '_1abcaf53c63c9132a1f4956f154c3974268c80908f:https://ucs-sso.domain.net/simplesamlphp/saml2/idp/SSOService.php?spentityid=https.domain.net&cookieTime=1590324945&RelayState=71JuGRy4lUNZH0ay'
May 24 14:56:08 ucs-main simplesamlphp[879]: 7 [27c3e0cada] loading key simpleSAMLphp.session.0d1f7557394765cb34b0c195b64a7938 from memcache
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] SimpleSAML_Error_Exception: Error 8 - MemcachePool::get(): Server unix:///var/run/univention-saml/ucs-backup.domain.net.socket (tcp 0, udp 0) failed with: Read failed (socket was unexpectedly closed) (0)
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] Backtrace:
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] 9 /usr/share/simplesamlphp/www/_include.php:58 (SimpleSAML_error_handler)
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] 8 [builtin] (MemcachePool::get)
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] 7 /usr/share/simplesamlphp/lib/SimpleSAML/Memcache.php:58 (SimpleSAML_Memcache::get)
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] 6 /usr/share/simplesamlphp/lib/SimpleSAML/Store/Memcache.php:45 (SimpleSAML\Store\Memcache::get)
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] 5 /usr/share/simplesamlphp/lib/SimpleSAML/SessionHandlerStore.php:55 (SimpleSAML\SessionHandlerStore::loadSession)
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] 4 /usr/share/simplesamlphp/lib/SimpleSAML/Session.php:335 (SimpleSAML_Session::getSession)
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] 3 /usr/share/simplesamlphp/lib/SimpleSAML/Session.php:251 (SimpleSAML_Session::getSessionFromRequest)
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] 2 /usr/share/simplesamlphp/lib/SimpleSAML/Auth/State.php:268 (SimpleSAML_Auth_State::loadState)
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] 1 /usr/share/simplesamlphp/modules/core/www/loginuserpass.php:17 (require)
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] 0 /usr/share/simplesamlphp/www/module.php:135 (N/A)
May 24 14:56:08 ucs-main simplesamlphp[879]: 7 [27c3e0cada] Memcache servers out of sync for simpleSAMLphp.session.0d1f7557394765cb34b0c195b64a7938, forcing sync
May 24 14:56:08 ucs-main simplesamlphp[879]: 7 [27c3e0cada] saving key simpleSAMLphp.session.0d1f7557394765cb34b0c195b64a7938 to memcache
May 24 14:56:08 ucs-main slapd[1358]: conn=2804 op=2 UNBIND
May 24 14:56:08 ucs-main slapd[1358]: conn=2804 fd=31 closed

172.16.0.31 -> Main DC
172.16.32.31 -> Client I’ve used to test SSO

Any clues on how I could proceed?
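An added example, not from the post or from Univention, that triages log lines like the ones quoted above: it pairs each slapd BIND with the RESULT on the same conn/op, counts err=49 (LDAP invalidCredentials) per bind DN, and collects the stunnel pre-verification failures, which separates the two symptoms in the post (a rejected service-account bind versus a certificate-purpose problem). The sample lines are constructed after the quoted output; hostnames, IPs and DNs are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the slapd / stunnel output in the post.
SAMPLE_LOG = """\
May 24 14:56:08 ucs-main slapd[1358]: conn=2804 fd=31 ACCEPT from IP=172.16.0.31:57270 (IP=0.0.0.0:7389)
May 24 14:56:08 ucs-main slapd[1358]: conn=2804 op=0 STARTTLS
May 24 14:56:08 ucs-main slapd[1358]: conn=2804 fd=31 TLS established tls_ssf=256 ssf=256
May 24 14:56:08 ucs-main slapd[1358]: conn=2804 op=1 BIND dn="uid=sys-idp-user,cn=users,dc=domain,dc=net" method=128
May 24 14:56:08 ucs-main slapd[1358]: conn=2804 op=1 RESULT tag=97 err=49 text=
May 24 14:56:08 ucs-main slapd[1358]: conn=2805 op=1 BIND dn="uid=sys-idp-user,cn=users,dc=domain,dc=net" method=128
May 24 14:56:08 ucs-main slapd[1358]: conn=2805 op=1 RESULT tag=97 err=49 text=
May 24 14:56:09 ucs-main slapd[1358]: conn=2807 op=1 BIND dn="uid=alice,cn=users,dc=domain,dc=net" method=128
May 24 14:56:09 ucs-main slapd[1358]: conn=2807 op=1 RESULT tag=97 err=0 text=
May 24 14:56:09 ucs-backup univention-saml-stunnel: LOG4[78]: CERT: Pre-verification error: unsupported certificate purpose
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
# tag=97 is the bindResponse; err=49 is invalidCredentials (wrong password or DN).
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')
STUNNEL_RE = re.compile(r'univention-saml-stunnel: .*CERT: Pre-verification error: (.+)$')


def analyse(log_text):
    """Return (failed_binds, tls_errors).

    failed_binds maps a bind DN to the number of bind responses with err=49
    on the same conn/op as its BIND; tls_errors lists the stunnel reasons seen.
    """
    pending = {}                 # (conn, op) -> DN whose bindResponse is still outstanding
    failed = defaultdict(int)
    tls_errors = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m:
            dn = pending.pop((m.group(1), m.group(2)), None)
            if dn is not None and m.group(3) == "49":
                failed[dn] += 1
            continue
        m = STUNNEL_RE.search(line)
        if m:
            tls_errors.append(m.group(1))
    return dict(failed), tls_errors


if __name__ == "__main__":
    binds, tls = analyse(SAMPLE_LOG)
    for dn, n in binds.items():
        print(f"{n} failed bind(s) as {dn}")
    for reason in tls:
        print(f"stunnel rejected a certificate: {reason}")
```

A DN that keeps failing with err=49 while other users bind fine points at the service account's stored password, which is what the follow-up in this thread found for sys-idp-user.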

I could solve this problem myself. For some reason the password for sys-idp-user was wrong. Overwriting it with the password in /etc/idp-ldap-user.secret got rid of the error message.
Logging in via SSO works most of the time now.

There are two problems I encountered after that:

  • Sometimes the login page won’t get redirected automatically to the SSO page. I have to login, logout and the next login usually redirects correctly. A link below the login field “Use SSO to login” would be helpful. Similar to the link “Login without SSO”.
  • After logging in via SSO it doesn’t redirect to my Main DC, instead I get the message

Access forbidden
You don’t have the needed privileges to access this application. Please contact the administrator if you find this to be incorrect.

I’m getting redirected correctly if I use my Backup DC or Member servers instead. I didn’t find anything in the documentation about allowing or disallowing access to the management console.