How to make SAML identity provider redundant?


#1

At the moment we have two Univention Corporate Servers running.

But how do we create a failover for the SAML identity provider?
All our services are linked to the master UCS.

Your advice is welcome!


#2

Hey,

As far as I’ve understood SAML and how it’s implemented in Univention, you should use the DNS entry “ucs-sso.your-fully-qualified-domain-name” as the endpoint. That entry will resolve to all servers on which the “univention-saml” package is installed (which is the DC master and all DC backups by default).

See Univention’s SAML documentation.

What exactly do you mean by “all our services are linked to the master”?

Kind regards,
mosu


#3

Hi Mosu,

At the moment we have only one A host record for “ucs-sso.your-fully-qualified-domain-name”.
For testing purposes I changed the IP address to that of our second UCS.

Unfortunately SAML login fails, because the signatures are not identical.

opensaml::SecurityPolicyException at (sp.example.com/Shibboleth.sso/SAML2/POST)
Message was signed, but signature could not be verified.

What should we do to get identical signatures?


#4

Just to be sure: are those two UCS servers part of the same UCS domain? Otherwise it won’t work.

Next: have all join scripts been run on both servers? The join script is responsible for creating/downloading the certificate if I understand that code correctly.

Last: please post the output of “ucr search --brief saml” from both servers. Thanks.


#5

Both servers are added to the domain finalist.lcl.
On both servers the state of all join scripts is “successful”.

This is the output you requested.

repository/online/component/simplesamlphp_20140304/description: SAML identity provider
repository/online/component/simplesamlphp_20140304/localmirror: false
repository/online/component/simplesamlphp_20140304/server: appcenter.software-univention.de
repository/online/component/simplesamlphp_20140304/unmaintained: disabled
repository/online/component/simplesamlphp_20140304/version: current
repository/online/component/simplesamlphp_20140304: enabled
saml/idp/certificate/certificate: /etc/simplesamlphp/p-ucs-master.finalist.lcl-idp-certificate.crt
saml/idp/certificate/privatekey: /etc/simplesamlphp/p-ucs-master.finalist.lcl-idp-certificate.key
saml/idp/enableSAML20-IdP: true
saml/idp/https: true
saml/idp/ldap/debug:
saml/idp/ldap/enable_tls:
saml/idp/ldap/get_attributes: 'uid', 'mailPrimaryAddress', 'enabledServiceProviderIdentifier', 'memberOf', 'givenName', 'sn', 'displayName', 'cn'
saml/idp/ldap/search_attributes: 'uid', 'mailPrimaryAddress'
saml/idp/log/debug/enabled:
saml/idp/log/level:
saml/idp/lookandfeel/theme: univentiontheme:univention
saml/idp/technicalcontactemail: beheer@xxxxxxx.nl
saml/idp/technicalcontactname: Finalist Systeembeheerders
saml/idp/timezone:

repository/online/component/simplesamlphp_20140304/description: SAML identity provider
repository/online/component/simplesamlphp_20140304/localmirror: false
repository/online/component/simplesamlphp_20140304/server: appcenter.software-univention.de
repository/online/component/simplesamlphp_20140304/unmaintained: disabled
repository/online/component/simplesamlphp_20140304/version: current
repository/online/component/simplesamlphp_20140304: enabled
saml/idp/certificate/certificate: /etc/simplesamlphp/p-ucs-slave.finalist.lcl-idp-certificate.crt
saml/idp/certificate/privatekey: /etc/simplesamlphp/p-ucs-slave.finalist.lcl-idp-certificate.key
saml/idp/enableSAML20-IdP: true
saml/idp/https: true
saml/idp/ldap/debug:
saml/idp/ldap/enable_tls:
saml/idp/ldap/get_attributes: 'uid', 'mailPrimaryAddress', 'enabledServiceProviderIdentifier', 'memberOf', 'givenName', 'sn', 'displayName', 'cn'
saml/idp/ldap/search_attributes: 'uid', 'mailPrimaryAddress'
saml/idp/log/debug/enabled:
saml/idp/log/level:
saml/idp/lookandfeel/theme: univentiontheme:univention
saml/idp/technicalcontactemail: beheer@xxxxxxx.nl
saml/idp/technicalcontactname: Finalist Systeembeheerders
saml/idp/timezone:


#6

Hi Mosu,

The signature issue is solved. I copied the .crt and the .key file to the other server and changed the UCR variables. Now both are equal.

saml/idp/certificate/certificate: /etc/simplesamlphp/p-ucs-master.finalist.lcl-idp-certificate.crt
saml/idp/certificate/privatekey: /etc/simplesamlphp/p-ucs-master.finalist.lcl-idp-certificate.key
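The error in #3 and the fix in #6 come down to one invariant: the service provider trusts a single signing certificate for the IdP entity ID, so every host that the ucs-sso name resolves to must sign with that same key. The following script is an added example (not code from this thread or from Univention) that checks this invariant before switching DNS: it pulls the signing certificate out of each host's SAML 2.0 metadata, computes the SHA-256 fingerprint and reports any host that differs from the first one, and can also fingerprint the PEM file named in saml/idp/certificate/certificate. The two metadata documents, the hostnames, the entity ID and the certificate bytes are constructed placeholders for the example; the metadata URL path mentioned in the docstring is the standard SimpleSAMLphp one and is an assumption, not something the thread states.

```python
"""Compare the SAML signing certificate across the IdP hosts behind ucs-sso.

Added example; not code from the forum thread or from Univention. Every host
that ucs-sso.<domain> resolves to must publish and sign with the certificate
the service provider has cached for the IdP entity ID, otherwise the SP logs
"Message was signed, but signature could not be verified". This script takes
each host's SAML 2.0 metadata, extracts the signing certificate(s), computes the
SHA-256 fingerprint and reports hosts whose fingerprint differs from the first
host's. The metadata documents below are constructed with placeholder byte
strings instead of real DER certificates; in production you would fetch each
host's metadata (assumed: the standard SimpleSAMLphp path
/simplesamlphp/saml2/idp/metadata.php).
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def fingerprint_der(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, same form as 'openssl x509 -fingerprint -sha256'."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pem_from_der(der: bytes) -> str:
    """PEM-wrap a DER blob (the format of the saml/idp/certificate/certificate file)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def fingerprint_pem(pem: str) -> str:
    """Fingerprint of the first CERTIFICATE block in a PEM string."""
    body = pem.split("-----BEGIN CERTIFICATE-----", 1)[1]
    body = body.split("-----END CERTIFICATE-----", 1)[0]
    return fingerprint_der(base64.b64decode("".join(body.split())))


def signing_fingerprints(metadata_xml: str) -> list:
    """Fingerprints of all signing certificates in an IdP's SAML metadata.

    A KeyDescriptor without a 'use' attribute is valid for signing as well,
    so it is included.
    """
    root = ET.fromstring(metadata_xml)
    fps = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            fps.append(fingerprint_der(base64.b64decode("".join(cert.text.split()))))
    return fps


def check_idp_hosts(metadata_by_host: dict) -> dict:
    """Return {host: fingerprints} for every host whose signing certificate
    differs from the first host's. An empty dict means all IdPs share the key."""
    hosts = list(metadata_by_host)
    reference = signing_fingerprints(metadata_by_host[hosts[0]])
    mismatches = {}
    for host in hosts[1:]:
        fps = signing_fingerprints(metadata_by_host[host])
        if fps != reference:
            mismatches[host] = fps
    return mismatches


def idp_metadata(entity_id: str, cert_der: bytes) -> str:
    """Constructed minimal IdP metadata document carrying one signing certificate."""
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="{entity_id}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(cert_der).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


# Constructed sample data: hostnames follow the thread, the entity ID is assumed,
# and the "certificates" are placeholder bytes rather than real DER.
ENTITY_ID = "https://ucs-sso.finalist.lcl/simplesamlphp/saml2/idp/metadata.php"
MASTER_DER = b"constructed placeholder: certificate bytes from the DC master"
SLAVE_DER = b"constructed placeholder: certificate generated separately on the slave"

SAMPLE = {  # the state that produced the SecurityPolicyException
    "p-ucs-master.finalist.lcl": idp_metadata(ENTITY_ID, MASTER_DER),
    "p-ucs-slave.finalist.lcl": idp_metadata(ENTITY_ID, SLAVE_DER),
}
AFTER_COPY = {  # the state after the .crt/.key were copied to the second host
    "p-ucs-master.finalist.lcl": idp_metadata(ENTITY_ID, MASTER_DER),
    "p-ucs-slave.finalist.lcl": idp_metadata(ENTITY_ID, MASTER_DER),
}

if __name__ == "__main__":
    for host, fps in check_idp_hosts(SAMPLE).items():
        print(f"{host}: signing fingerprint {fps} differs from the first host")
    print("after copying the key:", check_idp_hosts(AFTER_COPY) or "all IdPs agree")
```

Running this against the metadata of every host in the ucs-sso record (and against the PEM file from ucr saml/idp/certificate/certificate on each host) gives a yes/no answer before any DNS change; it does not replace checking that the SP's own cached IdP metadata carries the same fingerprint.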


#7

Another question

Are IdP sessions shared between both servers?
Is session management implemented in UCS?
simplesamlphp.org/docs/stable/s … #section_2


#8

Yes, the sessions are replicated between both servers using the memcached session management from simplesamlphp.

Some more technical detail is available at: univention.com/2015/11/sing … r-ucs-4-1/


#9

I think that we have some issues with memcache. The following is from the error log of Apache2.

root@p-ucs-slave:/var/log/apache2# tail -f error.log
[Sat Feb 06 11:43:01 2016] [error] [client 173.245.53.97] PHP Notice: MemcachePool::get(): Server unix:///var/run/univention-saml/p-ucs-master.xxx.lcl.socket (tcp 0, udp 0) failed with: Read failed (socket was unexpectedly closed) (0) in /usr/share/simplesamlphp/lib/SimpleSAML/Memcache.php on line 41, referer: univention.xxx.nl/simplesamlphp … 534950345c
[Sat Feb 06 11:42:49 2016] [error] [client 173.245.53.97] PHP Notice: Undefined index: p-ucs-slave.xxx.lcl/univention- … l/metadata in /etc/simplesamlphp/metadata.d/https:__p-ucs-slave.xxx.lcl_univention-management-console_saml_metadata.php on line 12
[Sat Feb 06 11:42:49 2016] [error] [client 173.245.53.97] PHP Warning: array_merge(): Argument #1 is not an array in /etc/simplesamlphp/metadata.d/https:__p-ucs-slave.xxx.lcl_univention-management-console_saml_metadata.php on line 12
[Sat Feb 06 11:42:49 2016] [error] [client 173.245.53.97] PHP Notice: Undefined index: p-ucs-master.xxx.lcl/univention … l/metadata in /etc/simplesamlphp/metadata.d/https:__p-ucs-master.xxx.lcl_univention-management-console_saml_metadata.php on line 12
[Sat Feb 06 11:42:49 2016] [error] [client 173.245.53.97] PHP Warning: array_merge(): Argument #1 is not an array in /etc/simplesamlphp/metadata.d/https:__p-ucs-master.xxx.lcl_univention-management-console_saml_metadata.php on line 12
[Sat Feb 06 11:42:49 2016] [error] [client 173.245.53.97] PHP Notice: Undefined index: univention.xxx.nl/univention-ma … l/metadata in /etc/simplesamlphp/metadata.d/https:__univention.xxx.nl_univention-management-console_saml_metadata.php on line 12
[Sat Feb 06 11:42:49 2016] [error] [client 173.245.53.97] PHP Warning: array_merge(): Argument #1 is not an array in /etc/simplesamlphp/metadata.d/https:__univention.xxx.nl_univention-management-console_saml_metadata.php on line 12
[Sat Feb 06 11:42:49 2016] [error] [client 173.245.53.97] PHP Notice: MemcachePool::set(): Server unix:///var/run/univention-saml/p-ucs-master.xxx.lcl.socket (tcp 0, udp 0) failed with: Read failed (socket was unexpectedly closed) (0) in /usr/share/simplesamlphp/lib/SimpleSAML/Memcache.php on line 134
[Sat Feb 06 11:42:49 2016] [error] [client 173.245.53.97] PHP Notice: MemcachePool::get(): Server unix:///var/run/univention-saml/p-ucs-master.xxx.lcl.socket (tcp 0, udp 0) failed with: Read failed (socket was unexpectedly closed) (0) in /usr/share/simplesamlphp/lib/SimpleSAML/Memcache.php on line 41


#10

Can you tell me what the output of the following command is:

ps aufx | grep -e stunnel -e memcache
iptables -L
ls -l /var/run/univention-saml/

Maybe invoke-rc.d univention-saml restart helps!


#11

root@p-ucs-master:/tmp# ps aufx | grep -e stunnel -e memcache
root 8182 0.0 0.0 9272 1900 pts/0 S+ 12:50 0:00 \_ grep -e stunnel -e memcache
samlcgi 4486 0.0 0.6 70160 13236 ? Sl 11:13 0:00 /usr/bin/memcached -m 64 -s /var/run/univention-saml/memcached.socket -u samlcgi
samlcgi 4543 0.0 0.1 96072 4008 ? Ss 11:13 0:00 /usr/bin/stunnel4 /etc/stunnel/univention_saml.conf

root@p-ucs-master:/tmp# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:customs
ACCEPT tcp -- anywhere anywhere tcp dpt:7636
ACCEPT tcp -- anywhere anywhere tcp dpt:sunrpc
ACCEPT tcp -- anywhere anywhere tcp dpts:32765:32769
ACCEPT tcp -- anywhere anywhere tcp dpt:kshell
ACCEPT udp -- anywhere anywhere udp dpt:4660
ACCEPT tcp -- anywhere anywhere tcp dpt:kerberos
ACCEPT tcp -- anywhere anywhere tcp dpt:7389
ACCEPT tcp -- anywhere anywhere tcp dpt:time
ACCEPT tcp -- anywhere anywhere tcp dpt:kpasswd
ACCEPT udp -- anywhere anywhere udp dpt:kerberos
ACCEPT udp -- anywhere anywhere udp dpt:nfs
ACCEPT tcp -- anywhere anywhere tcp dpt:4660
ACCEPT udp -- anywhere anywhere udp dpts:32765:32769
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:ntp
ACCEPT udp -- anywhere anywhere udp dpt:kpasswd
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:9990
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:nfs
ACCEPT tcp -- anywhere anywhere tcp dpt:nrpe
ACCEPT tcp -- anywhere anywhere tcp dpt:ldaps
ACCEPT tcp -- anywhere anywhere tcp dpt:6670
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:tftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ldap
ACCEPT tcp -- anywhere anywhere tcp dpt:7777
ACCEPT udp -- anywhere anywhere udp dpt:7777
ACCEPT tcp -- anywhere anywhere tcp dpt:6669
ACCEPT tcp -- anywhere anywhere tcp dpt:3128
ACCEPT tcp -- anywhere anywhere tcp dpt:kerberos-adm
ACCEPT udp -- anywhere anywhere udp dpt:sunrpc
ACCEPT tcp -- anywhere anywhere tcp dpt:9999
ACCEPT tcp -- anywhere anywhere tcp dpt:11212
ACCEPT tcp -- anywhere anywhere tcp dpts:8100:8200
ACCEPT udp -- anywhere anywhere udp dpt:customs
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain DOCKER (1 references)
target prot opt source destination

root@p-ucs-master:/tmp# ls -l /var/run/univention-saml/
total 4
srw------- 1 samlcgi root 0 feb 6 11:13 memcached.socket
srw------- 1 samlcgi root 0 feb 6 11:13 p-ucs-slave.xxx.lcl.socket
-rw-r--r-- 1 samlcgi root 5 feb 6 11:13 stunnel4.pid


#12

I executed the restart on both servers. It did not solve the issue.

root@p-ucs-master:/tmp# invoke-rc.d univention-saml restart
[info] Restarting univention-saml.
[info] Stopping univention-saml.
Stopping memcached: memcached_univention_saml.
Stopping SSL tunnels: /etc/stunnel/univention_saml.conf: stopped
done.
[info] Starting univention-saml.
Starting memcached: memcached_univention_saml.
Starting SSL tunnels: /etc/stunnel/univention_saml.conf: started
done.
done.


#13

Can you please attach the file: /etc/simplesamlphp/metadata.d/https:__p-ucs-master.xxx.lcl_univention-management-console_saml_metadata.php.

Did you change the entity-ID of the service provider?


#14

Hi Florian,

I sent the requested file(s) by mail.

I changed the external FQDN using the following instruction:
sdb.univention.de/1352

but reverted the IdP certificate to the one used by UCS 4.0

( saml/idp/certificate/privatekey="/etc/simplesamlphp/p-ucs-master.xxx.lcl-idp-certificate.key"
saml/idp/certificate/certificate="/etc/simplesamlphp/p-ucs-master.xxx.lcl-idp-certificate.crt" )


#15

Oh, we currently don’t really support using univention-saml on a DC Slave, for security reasons (mentioned in univention.com/2015/11/sing … r-ucs-4-1/).
The slave.php file at least looks corrupt. Which steps did you take to install the SAML IdP on the Slave? Maybe there are missing packages? I assume the DC Slave is the reason. Do you have a DC Backup? The DC Backup servers shouldn’t have problems with it, if that’s an option for you.


#16

At the moment we don’t have a DC Backup, but if I understand it right it is the best (and only) option for running a shadow IdP.

My idea is to replace the DC Slave by a DC Backup. The DC Slave is not intensively used.

Do I need to “unjoin” the DC Slave or remove the SAML package to stop the memcache errors?


#17

Yes, please remove univention-saml, univention-saml-schema and simplesamlphp from the DC Slave.


#18

Hi Florian,

This morning I installed a DC Backup, which was quite a challenge because univention-ldap-overlay-memberof was installed on the DC Master. Because of this, the installation (domain join) failed. But finally it was installed.

I also removed univention-saml from the DC Slave.

Current status (error.log Apache2)

[Mon Feb 08 13:18:54 2016] [error] [client 141.101.104.206] PHP Notice: MemcachePool::get(): Server unix:///var/run/univention-saml/p-ucs-backup.xxx.lcl.socket (tcp 0, udp 0) failed with: No such file or directory (2) in /usr/share/simplesamlphp/lib/SimpleSAML/Memcache.php on line 41

The socket file is not available

root@p-ucs-master:/var/run/univention-saml# ls -al
total 4
drwxrwx--- 2 samlcgi root 80 feb 8 12:39 .
drwxr-xr-x 25 root root 1180 feb 8 12:39 ..
srw------- 1 samlcgi root 0 feb 8 12:39 memcached.socket
-rw-r--r-- 1 samlcgi root 6 feb 8 12:11 stunnel4.pid
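The replication described in #8 and the two different memcached notices in #9 and #18 (“Read failed (socket was unexpectedly closed)” versus “No such file or directory”) can be told apart with a direct probe. As far as the ps and ls output in this thread shows, each IdP host runs a local memcached on memcached.socket and a stunnel client per peer IdP that appears as <peer-fqdn>.socket in the same directory, and SimpleSAMLphp writes every session to all of them. The script below is an added example (not from the thread and not Univention tooling): it connects to each expected socket, sends memcached's “version” command and classifies the result as missing (no socket file, as in #18), closed by the peer (tunnel accepted but the remote side hung up, as in #9) or ok. The socket directory and peer list are parameters; the self-test uses a constructed stand-in responder instead of a real memcached, and the hostnames are taken from the thread.

```python
"""Probe the memcached sockets SimpleSAMLphp uses for replicated IdP sessions.

Added example; not code from the forum thread or from Univention. Assumed
layout (matching the ps and ls output in the thread): the local memcached
listens on <dir>/memcached.socket and each peer IdP host is reachable through
a stunnel client socket named <dir>/<peer-fqdn>.socket. A session write that
hits a missing socket yields "No such file or directory", one that hits a
tunnel whose remote end hangs up yields "Read failed (socket was unexpectedly
closed)". This probe distinguishes the two by sending memcached's "version"
command over each socket.
"""
import os
import socket
import tempfile
import threading

MISSING, CLOSED, OK = "missing", "closed-by-peer", "ok"


def probe_socket(path: str, timeout: float = 2.0) -> tuple:
    """Return (status, detail) for one memcached UNIX socket."""
    if not os.path.exists(path):
        return MISSING, "socket file does not exist (stunnel client not started?)"
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect(path)
        s.sendall(b"version\r\n")
        reply = s.recv(128)
    except OSError as exc:  # refused, reset, timeout, broken pipe
        return CLOSED, f"{type(exc).__name__}: {exc}"
    finally:
        s.close()
    if not reply.startswith(b"VERSION "):
        # the tunnel accepted the connection but the remote memcached never answered
        return CLOSED, f"connection accepted but no memcached banner: {reply!r}"
    return OK, reply.decode(errors="replace").strip()


def probe_session_store(socket_dir: str, peers: list) -> dict:
    """Probe the local memcached plus one tunnel socket per peer IdP host."""
    names = ["memcached.socket"] + [f"{peer}.socket" for peer in peers]
    return {name: probe_socket(os.path.join(socket_dir, name)) for name in names}


def _fake_memcached(path: str, banner: bytes) -> threading.Thread:
    """Constructed stand-in for the self-test: accept one connection, answer
    'version' with the given banner (empty banner = hang up silently), exit."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        if conn.recv(64).startswith(b"version") and banner:
            conn.sendall(banner)
        conn.close()
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return t


def selftest() -> dict:
    """One healthy local memcached, one peer tunnel that hangs up, one peer
    whose socket file is absent. Returns {socket name: status}."""
    with tempfile.TemporaryDirectory() as d:
        _fake_memcached(os.path.join(d, "memcached.socket"), b"VERSION 1.4.13\r\n")
        _fake_memcached(os.path.join(d, "p-ucs-master.xxx.lcl.socket"), b"")
        result = probe_session_store(d, ["p-ucs-master.xxx.lcl", "p-ucs-backup.xxx.lcl"])
    return {name: status for name, (status, _) in result.items()}


if __name__ == "__main__":
    # On a UCS host, run as root: list every other IdP host as a peer.
    for name, (status, detail) in probe_session_store(
            "/var/run/univention-saml", ["p-ucs-backup.xxx.lcl"]).items():
        print(f"{name:40s} {status:15s} {detail}")
    print("self-test:", selftest())
```

A "missing" result points at the stunnel client for that peer not having been configured or started on this host, a "closed-by-peer" result at the tunnel being up but the remote side refusing the session (the slave case in this thread); "ok" on every socket is what a working two-node session store should show.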


#19

Is the server listed in ucr search --brief ucs/server/saml-idp-server/ ?
If yes, invoke-rc.d univention-saml restart should help.
Otherwise something in the join scripts failed; univention-check-join-status and the logfile /var/log/univention/join.log might provide more information.


#20

Hi Florian,

Both servers are listed.
invoke-rc.d univention-saml restart did not solve the issue.

I sent you the log file by email