Hello - I noticed information that my current version 4.4-9 errata1229 will get in trouble after 01.08.2022, because the root certificate will expire.
At the moment, the read permission for the group ‘DC Backup Hosts’ is not set by default. This has to be done manually to make sure the backup server can read the certificate from the master.
In the past there were some problems with this, as “DC Backup Hosts” is an LDAP group; if you try to look up that group on a host which is not yet joined, or the connection to the LDAP server does not work (because it is currently not running or its SSL certificate has expired), the lookup fails and the permissions are not changed.
Basically all files below /etc/univention/ssl/ should be owned by user root and group “DC Backup Hosts”, but some are not; this is the known Bug #50807.
The diagnostics module 04_saml_certificate_check.py might be buggy: Bug #49417
After you have updated the host certificate it must also be included in the local XML file /usr/share/univention-management-console/saml/idp/${FQHN}.xml and also uploaded into the LDAP server. The above mentioned help article includes univention-run-join-scripts --force --run-scripts 92univention-management-console-web-server.inst for that, which should have done it, but it looks like it did not work for you.
Try to execute /usr/share/univention-management-console/saml/update_metadata locally as user root to just update the certificate in LDAP. Repeat that for your Backup.
If it still does not work please post the output of the following two commands here:
Your local certificate: cat /etc/univention/ssl/$(hostname -f)/cert.pem
The certificates currently stored in LDAP: univention-ldapsearch -LLL '(&(serviceProviderMetadata=*)(univentionObjectType=saml/serviceprovider))' serviceProviderMetadata
The latter requires post-processing, as it is a base64-encoded XML document containing, among other things, your base64-encoded certificate.
Neither /usr/share/univention-management-console/saml/update_metadata nor univention-run-join-scripts --force --run-scripts 92univention-management-console-web-server.inst helps, and the problem persists.
I’ve seen this kind of issue in 3 installations, 2 of them were upgraded to 5.0(-2) within the last two weeks.
No hard proof for this, but when I set up SAML SSO under UCS v5.0-1 with Windfluechter/setupSSO.sh: Small script to setup SAML SSO for Univention UCS - setupSSO.sh - Codeberg.org I don’t remember System Diagnostics showing any issues with SAML. Maybe something changed with the last errata updates? But no idea, though…