New SAML metadata after upgrading to UCS 4.1

After upgrading to UCS 4.1, the metadata is not accepted anymore by our Service Providers.
The new file contains other X509Certificates.

Is it possible to avoid this change in metadata?

I hope so, else I we have some big challenges.

Is the certificate which you are using generated by the CA of your UCS master?
It seems that this is currenlty required.

If this is the case you can replace the files:
/etc/simplesamlphp/ucs-sso.$YOURDOMAIN-idp-certificate.crt /etc/simplesamlphp/ucs-sso.$YOURDOMAIN-idp-certificate.key
After this is done the joinscript 92univention-management-console-web-server.inst must be reexecuted on every UCS system in your domain.

Hi Florian,

The local (anonymised) hostname of our system is:
The public hostname is

  • The certificate used in UCS 4.0 is “”
  • During the upgrade, the certificate “” is created.
  • After changing the FQDN using this instruction ( another certificate is created: “”

I solved the issue with the existing Service Provider by changing the UCR and rejoining.

ucr set saml/idp/certificate/privatekey="/etc/simplesamlphp/"
ucr set saml/idp/certificate/certificate="/etc/simplesamlphp/"

Unfortunately SSO to the Univention Management Console does not work: “Could not fulfill the request. The SAML response contained a invalid signature: Failed to verify signature”

Do you have a suggestion to fix the issue with SSO to UMC?

It should work when you force-reexecute the joinscript 92univention-management-console-web-server.inst.
You can do this either via the UMC module "domain join’ or via the CLI:

univention-run-join-scripts --force --run-scripts 92univention-management-console-web-server.inst