Same problem over here as well. SAML is working, though, which seems to confirm the problem is with the diagnostic script.
When following your instructions you can see that the SSL certs are different (output shortened):
root@ucs:~# cat /etc/univention/ssl/$(hostname -f)/cert.pem | tail -n 3
root@ucs:~# univention-ldapsearch -LLL "(&(serviceProviderMetadata=*)(univentionObjectType=saml/serviceprovider)(SAMLServiceProviderIdentifier=https://$(hostname -f)/univention/saml/metadata))" serviceProviderMetadata | ldapsearch-wrapper | ldapsearch-decode64 | grep -B3 "</ds:X509Certificate>" | head -n 3
univention-run-join-scripts --force --run-scripts 92univention-management-console-web-server.inst does not help and the problem persists.
I’ve seen this kind of issue in 3 installations, 2 of them were upgraded to 5.0(-2) within the last two weeks.
No hard proof for this, but when I set up SAML SSO under UCS v5.0-1 with Windfluechter/setupSSO.sh (Small script to setup SAML SSO for Univention UCS - setupSSO.sh - Codeberg.org), I don’t remember that System Diagnostics showed any issues with SAML. Maybe something changed with the last errata updates? But no idea, though…