I activated SSO according to this article.
ucr set saml/idp/authsource=univention-negotiate
My UCS servers have the newest updates (4.4-4 errata 613).
But after I try to login via SSO, I immediately get an exception.
SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
1 www/_include.php:17 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: Exception: Error authenticating using search username & password.
Backtrace:
4 modules/ldap/lib/ConfigHelper.php:199 (sspmod_ldap_ConfigHelper::login)
3 modules/uldap/lib/Auth/Source/uLDAP.php:57 (sspmod_uldap_Auth_Source_uLDAP::login)
2 modules/core/lib/Auth/UserPassBase.php:279 (sspmod_core_Auth_UserPassBase::handleLogin)
1 modules/core/www/loginuserpass.php:67 (require)
0 www/module.php:135 (N/A)
We replaced the ca-certificate on the Main domain controller with our own. The certificate on the domain ucs-sso.our-domain.net can be verified and our own CA is integrated correctly (at least according to Firefox).
But there are errors regarding our CA in syslog:
Backup DC:
May 24 14:56:09 ucs-backup univention-saml-stunnel: LOG4[78]: CERT: Pre-verification error: unsupported certificate purpose
May 24 14:56:09 ucs-backup univention-saml-stunnel: LOG4[78]: Rejected by CERT at depth=1: C=DE, ST=Province, L=Country, O=Our Company, OU=IT, CN=Company CA, emailAddress=email
May 24 14:56:09 ucs-backup univention-saml-stunnel: LOG3[78]: SSL_accept: 1417C086: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Main DC:
May 24 14:56:08 ucs-main simplesamlphp[879]: 7 [27c3e0cada] Library - LDAP __construct(): Setup LDAP with host='ldap://ucs-main.domain.net:7389', tls=true, debug=true, timeout=0, referrals=true
May 24 14:56:08 ucs-main slapd[1358]: conn=2804 fd=31 ACCEPT from IP=172.16.0.31:57270 (IP=0.0.0.0:7389)
May 24 14:56:08 ucs-main slapd[1358]: conn=2804 op=0 EXT oid=1.3.6.1.4.1.1466.20037
May 24 14:56:08 ucs-main slapd[1358]: conn=2804 op=0 STARTTLS
May 24 14:56:08 ucs-main slapd[1358]: conn=2804 op=0 RESULT oid= err=0 text=
May 24 14:56:08 ucs-main slapd[1358]: conn=2804 fd=31 TLS established tls_ssf=256 ssf=256
May 24 14:56:08 ucs-main slapd[1358]: conn=2804 op=1 BIND dn="uid=sys-idp-user,cn=users,dc=domain,dc=net" method=128
May 24 14:56:08 ucs-main slapd[1358]: conn=2804 op=1 RESULT tag=97 err=49 text=
May 24 14:56:08 ucs-main simplesamlphp[879]: 7 [27c3e0cada] Loading state: '_1abcaf53c63c9132a1f4956f154c3974268c80908f:https://ucs-sso.domain.net/simplesamlphp/saml2/idp/SSOService.php?spentityid=https.domain.net&cookieTime=1590324945&RelayState=71JuGRy4lUNZH0ay'
May 24 14:56:08 ucs-main simplesamlphp[879]: 7 [27c3e0cada] Library - LDAP __construct(): Setup LDAP with host='ldap://ucs-main.domain.net:7389', tls=true, debug=true, timeout=0, referrals=true
May 24 14:56:08 ucs-main slapd[1358]: conn=2805 fd=32 ACCEPT from IP=172.16.0.31:57272 (IP=0.0.0.0:7389)
May 24 14:56:08 ucs-main slapd[1358]: conn=2805 op=0 EXT oid=1.3.6.1.4.1.1466.20037
May 24 14:56:08 ucs-main slapd[1358]: conn=2805 op=0 STARTTLS
May 24 14:56:08 ucs-main slapd[1358]: conn=2805 op=0 RESULT oid= err=0 text=
May 24 14:56:08 ucs-main slapd[1358]: conn=2805 fd=32 TLS established tls_ssf=256 ssf=256
May 24 14:56:08 ucs-main slapd[1358]: conn=2805 op=1 BIND dn="uid=sys-idp-user,cn=users,dc=domain,dc=net" method=128
May 24 14:56:08 ucs-main slapd[1358]: conn=2805 op=1 RESULT tag=97 err=49 text=
May 24 14:56:08 ucs-main simplesamlphp[879]: 7 [27c3e0cada] Library - LDAP __construct(): Setup LDAP with host='ldap://ucs-main.domain.net:7389', tls=true, debug=true, timeout=0, referrals=true
May 24 14:56:08 ucs-main slapd[1358]: conn=2806 fd=33 ACCEPT from IP=172.16.0.31:57274 (IP=0.0.0.0:7389)
May 24 14:56:08 ucs-main slapd[1358]: conn=2806 op=0 EXT oid=1.3.6.1.4.1.1466.20037
May 24 14:56:08 ucs-main slapd[1358]: conn=2806 op=0 STARTTLS
May 24 14:56:08 ucs-main slapd[1358]: conn=2806 op=0 RESULT oid= err=0 text=
May 24 14:56:08 ucs-main slapd[1358]: conn=2806 fd=33 TLS established tls_ssf=256 ssf=256
May 24 14:56:08 ucs-main slapd[1358]: conn=2806 op=1 BIND dn="uid=sys-idp-user,cn=users,dc=domain,dc=net" method=128
May 24 14:56:08 ucs-main slapd[1358]: conn=2806 op=1 RESULT tag=97 err=49 text=
May 24 14:56:08 ucs-main simplesamlphp[879]: 5 STAT [27c3e0cada] Unsuccessful login attempt from 172.16.32.31.
May 24 14:56:08 ucs-main slapd[1358]: conn=2806 op=2 UNBIND
May 24 14:56:08 ucs-main slapd[1358]: conn=2806 fd=33 closed
May 24 14:56:08 ucs-main slapd[1358]: conn=2805 op=2 UNBIND
May 24 14:56:08 ucs-main slapd[1358]: conn=2805 fd=32 closed
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] Backtrace:
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] 1 /usr/share/simplesamlphp/www/_include.php:17 (SimpleSAML_exception_handler)
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] 0 [builtin] (N/A)
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] Caused by: Exception: Error authenticating using search username & password.
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] Backtrace:
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] 4 /usr/share/simplesamlphp/modules/ldap/lib/ConfigHelper.php:199 (sspmod_ldap_ConfigHelper::login)
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] 3 /usr/share/simplesamlphp/modules/uldap/lib/Auth/Source/uLDAP.php:57 (sspmod_uldap_Auth_Source_uLDAP::login)
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] 2 /usr/share/simplesamlphp/modules/core/lib/Auth/UserPassBase.php:279 (sspmod_core_Auth_UserPassBase::handleLogin)
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] 1 /usr/share/simplesamlphp/modules/core/www/loginuserpass.php:67 (require)
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] 0 /usr/share/simplesamlphp/www/module.php:135 (N/A)
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] Error report with id a6df3c76 generated.
May 24 14:56:08 ucs-main simplesamlphp[879]: 7 [27c3e0cada] Localization: using old system
May 24 14:56:08 ucs-main simplesamlphp[879]: 7 [27c3e0cada] Template: Reading [/usr/share/simplesamlphp/dictionaries/errors]
May 24 14:56:08 ucs-main simplesamlphp[879]: 7 [27c3e0cada] /simplesamlphp/module.php/core/loginuserpass.php - Template: Could not find template file [error.php] at [/usr/share/simplesamlphp/modules/univentiontheme/themes/univention/default/error.php] - now trying the base template
May 24 14:56:08 ucs-main simplesamlphp[879]: 7 [27c3e0cada] saving key simpleSAMLphp.session.0d1f7557394765cb34b0c195b64a7938 to memcache
May 24 14:56:08 ucs-main simplesamlphp[879]: 4 [27c3e0cada] The class or interface 'SimpleSAML_Logger' is now using namespaces, please use 'SimpleSAML\Logger'.
May 24 14:56:08 ucs-main simplesamlphp[879]: 7 [27c3e0cada] Loading state: '_1abcaf53c63c9132a1f4956f154c3974268c80908f:https://ucs-sso.domain.net/simplesamlphp/saml2/idp/SSOService.php?spentityid=https.domain.net&cookieTime=1590324945&RelayState=71JuGRy4lUNZH0ay'
May 24 14:56:08 ucs-main simplesamlphp[879]: 7 [27c3e0cada] loading key simpleSAMLphp.session.0d1f7557394765cb34b0c195b64a7938 from memcache
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] SimpleSAML_Error_Exception: Error 8 - MemcachePool::get(): Server unix:///var/run/univention-saml/ucs-backup.domain.net.socket (tcp 0, udp 0) failed with: Read failed (socket was unexpectedly closed) (0)
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] Backtrace:
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] 9 /usr/share/simplesamlphp/www/_include.php:58 (SimpleSAML_error_handler)
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] 8 [builtin] (MemcachePool::get)
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] 7 /usr/share/simplesamlphp/lib/SimpleSAML/Memcache.php:58 (SimpleSAML_Memcache::get)
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] 6 /usr/share/simplesamlphp/lib/SimpleSAML/Store/Memcache.php:45 (SimpleSAML\Store\Memcache::get)
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] 5 /usr/share/simplesamlphp/lib/SimpleSAML/SessionHandlerStore.php:55 (SimpleSAML\SessionHandlerStore::loadSession)
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] 4 /usr/share/simplesamlphp/lib/SimpleSAML/Session.php:335 (SimpleSAML_Session::getSession)
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] 3 /usr/share/simplesamlphp/lib/SimpleSAML/Session.php:251 (SimpleSAML_Session::getSessionFromRequest)
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] 2 /usr/share/simplesamlphp/lib/SimpleSAML/Auth/State.php:268 (SimpleSAML_Auth_State::loadState)
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] 1 /usr/share/simplesamlphp/modules/core/www/loginuserpass.php:17 (require)
May 24 14:56:08 ucs-main simplesamlphp[879]: 3 [27c3e0cada] 0 /usr/share/simplesamlphp/www/module.php:135 (N/A)
May 24 14:56:08 ucs-main simplesamlphp[879]: 7 [27c3e0cada] Memcache servers out of sync for simpleSAMLphp.session.0d1f7557394765cb34b0c195b64a7938, forcing sync
May 24 14:56:08 ucs-main simplesamlphp[879]: 7 [27c3e0cada] saving key simpleSAMLphp.session.0d1f7557394765cb34b0c195b64a7938 to memcache
May 24 14:56:08 ucs-main slapd[1358]: conn=2804 op=2 UNBIND
May 24 14:56:08 ucs-main slapd[1358]: conn=2804 fd=31 closed
172.16.0.31 -> Main DC
172.16.32.31 -> Client I’ve used to test SSO
Any clues on how I could proceed?
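An added triage helper (example code, not part of the original post or of UCS/SimpleSAMLphp) that reads syslog lines in the two formats shown above and separates the two distinct signals they carry: slapd BIND outcomes (tag=97 is a bindResponse and err=49 is resultCode invalidCredentials per RFC 4511; method=128 is a simple bind) and stunnel certificate rejections together with the chain depth at which they occurred. The sample lines, hostnames, DNs and the CA subject are constructed for the example.

```python
import re

# Constructed sample lines in the same syslog formats as the excerpt above
# (hostnames, DNs and the CA subject are invented for this example).
SAMPLE_LOG = """\
May 24 14:56:09 ucs-backup univention-saml-stunnel: LOG4[78]: CERT: Pre-verification error: unsupported certificate purpose
May 24 14:56:09 ucs-backup univention-saml-stunnel: LOG4[78]: Rejected by CERT at depth=1: C=DE, O=Example Corp, CN=Example CA
May 24 14:56:09 ucs-backup univention-saml-stunnel: LOG3[78]: SSL_accept: 1417C086: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
May 24 14:56:08 ucs-main slapd[1358]: conn=2804 op=0 STARTTLS
May 24 14:56:08 ucs-main slapd[1358]: conn=2804 fd=31 TLS established tls_ssf=256 ssf=256
May 24 14:56:08 ucs-main slapd[1358]: conn=2804 op=1 BIND dn="uid=sys-idp-user,cn=users,dc=example,dc=net" method=128
May 24 14:56:08 ucs-main slapd[1358]: conn=2804 op=1 RESULT tag=97 err=49 text=
May 24 14:56:08 ucs-main slapd[1358]: conn=2807 op=1 BIND dn="uid=other,cn=users,dc=example,dc=net" method=128
May 24 14:56:08 ucs-main slapd[1358]: conn=2807 op=1 RESULT tag=97 err=0 text=
"""

# LDAP resultCode values (RFC 4511) that matter when triaging bind failures.
LDAP_RESULT = {0: "success", 8: "strongerAuthRequired", 13: "confidentialityRequired",
               32: "noSuchObject", 49: "invalidCredentials", 50: "insufficientAccessRights"}

BIND_RE = re.compile(r'slapd\[\d+\]: conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT_RE = re.compile(r'slapd\[\d+\]: conn=(\d+) op=(\d+) RESULT tag=(\d+) err=(\d+)')
TLS_RE = re.compile(r'slapd\[\d+\]: conn=(\d+) fd=\d+ TLS established')
STUNNEL_PREVERIFY_RE = re.compile(r'stunnel: LOG\d\[\d+\]: CERT: Pre-verification error: (.*)$')
STUNNEL_REJECT_RE = re.compile(r'stunnel: LOG\d\[\d+\]: Rejected by CERT at depth=(\d+): (.*)$')


def triage(log_text):
    """Return (bind_results, cert_rejections) extracted from syslog text."""
    pending = {}        # (conn, op) -> (dn, method) for BINDs still awaiting their RESULT
    tls_conns = set()   # connections on which slapd reported "TLS established"
    binds = []
    cert_rejections = []
    last_preverify = None
    for line in log_text.splitlines():
        if m := TLS_RE.search(line):
            tls_conns.add(m.group(1))
        elif m := BIND_RE.search(line):
            pending[(m.group(1), m.group(2))] = (m.group(3), int(m.group(4)))
        elif m := RESULT_RE.search(line):
            key = (m.group(1), m.group(2))
            if key in pending and m.group(3) == "97":      # 97 = bindResponse
                dn, method = pending.pop(key)
                err = int(m.group(4))
                binds.append({"conn": key[0], "dn": dn,
                              "simple_bind": method == 128,  # 128 = simple bind
                              "tls": key[0] in tls_conns,
                              "err": err,
                              "result": LDAP_RESULT.get(err, f"code {err}")})
        elif m := STUNNEL_PREVERIFY_RE.search(line):
            last_preverify = m.group(1)                    # remember reason for the next "Rejected" line
        elif m := STUNNEL_REJECT_RE.search(line):
            depth = int(m.group(1))
            cert_rejections.append({"depth": depth, "subject": m.group(2),
                                    "reason": last_preverify,
                                    "which": "leaf certificate" if depth == 0
                                             else "issuer certificate in the chain"})
            last_preverify = None
    return binds, cert_rejections


def summarize(log_text):
    """One human-readable finding per failed bind and per rejected certificate."""
    binds, rejections = triage(log_text)
    findings = []
    for b in binds:
        if b["err"] != 0:
            findings.append(f"bind failed for {b['dn']} on conn={b['conn']}: "
                            f"{b['result']} ({b['err']}), simple bind={b['simple_bind']}, "
                            f"over TLS={b['tls']}")
    for r in rejections:
        findings.append(f"stunnel rejected {r['which']} at depth={r['depth']} "
                        f"({r['subject']}): {r['reason']}")
    return findings


if __name__ == "__main__":
    for finding in summarize(SAMPLE_LOG):
        print(finding)
```

The script keeps the two problems apart: the slapd entries show STARTTLS completing (tls_ssf=256) before the bind, so err=49 there is slapd reporting invalidCredentials for the bind DN, independent of any certificate issue; the stunnel entries are OpenSSL's X509_V_ERR_INVALID_PURPOSE ("unsupported certificate purpose") raised at depth=1, i.e. against the issuer certificate rather than the presented leaf. For the latter, `openssl x509 -noout -purpose -in <ca.pem>` lists which purposes OpenSSL considers a given certificate valid for.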