How-to: Configure SAML/Kerberos for use in Browser

How to Configure your Browser to use your Windows Login to authenticate via SAML/Kerberos.

Prerequisites

  • Your Windows Client has to be joined into the UCS Samba/AD
  • Your Ubuntu Client has to be joined via univention-domain-join

Step 1

Install the root CA of your UCS domain into your OS certificate store and/or your browser's certificate store.

Step 2

To allow Kerberos authentication at the identity provider, the Univention Configuration Registry variable saml/idp/authsource has to be changed from univention-ldap to univention-negotiate on your UCS master and on every server that is configured as ucs-sso.

Step 3

Your Kerberos ticket is a precious piece of information, like your password, so your browser won’t just send it everywhere. You need to configure a permission for any domain you want to use your login with.

Firefox
Open about:config and search for network.negotiate-auth.trusted-uris.
Change its value to ucs-sso.<DOMAIN>.<TLD>.

Chrome / IE / Edge
Go to the Windows System Control Panel and open Internet Options → Security → Local Intranet → Sites → Advanced and add https://ucs-sso.<DOMAIN>.<TLD>
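The browser allowlist from Step 3 is the security boundary for the ticket: whatever host names it contains will receive your Kerberos credentials, so it should name only the SSO host. The following shell script is an added example, not part of the original post or of Univention's tooling: it builds a Firefox enterprise policies.json (the documented "Authentication" / "SPNEGO" policy, which is the managed equivalent of network.negotiate-auth.trusted-uris) and refuses entries that would widen the scope to a whole domain. The host name ucs-sso.example.com is a placeholder for ucs-sso.<DOMAIN>.<TLD>; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): emit a Firefox enterprise
# policy that allows SPNEGO/Kerberos negotiation only with the UCS SSO host.
# Assumes the documented Firefox policies.json format; the host below is a
# placeholder for ucs-sso.<DOMAIN>.<TLD>.

SSO_HOST="${SSO_HOST:-ucs-sso.example.com}"

# Accept only a plain host name. A leading dot (".example.com") or a
# wildcard would let every host in the domain request the ticket, and
# anything containing a slash or whitespace is not a host name at all.
check_trusted_uri() {
    case "$1" in
        ''|.*|*'*'*|*/*|*' '*|*'	'*) return 1 ;;
    esac
    return 0
}

# Print a policies.json body whose SPNEGO allowlist holds exactly the
# host names given as arguments; fails if any entry is over-broad.
firefox_policy_json() {
    hosts=""
    for h in "$@"; do
        if ! check_trusted_uri "$h"; then
            echo "refusing over-broad or invalid SPNEGO entry: $h" >&2
            return 1
        fi
        hosts="${hosts:+$hosts, }\"$h\""
    done
    printf '{\n  "policies": {\n    "Authentication": {\n      "SPNEGO": [%s]\n    }\n  }\n}\n' "$hosts"
}

# Usage: redirect the output to Firefox's distribution/policies.json.
firefox_policy_json "$SSO_HOST"
```

On Linux the file lives in the Firefox installation directory under distribution/policies.json; on Windows the same "Authentication" policy can be deployed through the Firefox ADMX templates. The check is deliberately strict: the original post gives a single host, and that is all the allowlist should ever contain.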

Step 4

Configure your portal(s) (UMC -> Domain -> Portal settings) to redirect anonymous users to the login page.
[Screenshot: configure anonymous users redirect]

You should now be able to open the UMC without a further login.

See also:
http://docs.software-univention.de/manual.html#domain:saml
