hi,
I tried to set up my UCS master with SSO.
I installed a Win10 test client and joined the domain.
I configured everything as written in these threads regarding “import UCS root CA on Windows client” and “configuring Windows for SSO with Kerberos”.
I checked the settings on the client, the group policies are executed as expected.
I am able to visit the website https://ucs-sso.domain.ltd which shows a blank page with the univention writing in the top right corner (screenshot).
Certificates are from Let's Encrypt.
I checked the join scripts 91 and 92, both finished with EXITCODE=0
I am able to reach the ucs-sso.domain.ltd from the client with ping, so the dns should work fine.
My problem:
I'm logged in as a UCS user with permission for Kopano, Nextcloud, UCS.
If I call the Univention start page with IE or Google Chrome, then I have to log in again (in UCS or Nextcloud or Kopano) …
I noticed that on the login page there is only the text “How can I log in” and no special SSO text I've found in a thread; I don't know if this is important.
So, can somebody give me a hint to challenge SSO?
thanks in advance,
hanspeter
I don’t know the answer but have some suggestions on what to check. You write that you see a mostly blank page when going to ucs-sso.domain.tld. How does the site look when visiting from a machine that is not joined to the domain?
At least for the Univention portal page the SSO login should work (so when going to ucs.domain.tld//univention/management/ you do not have to log in if your Kerberos session logged you in already). I cannot say though if in Nextcloud SAML is already preconfigured. I can only say with certainty that Kopano WebApp does not care about SAML.
1.) I tried to visit ucs-sso.domain.ltd from an “unjoined” computer and it looks the same as on the domain client (see my screenshot in the first posting)
2.) If I surf to ucs.domain.tld//univention/management/ on the joined client, I get a login page (where I shouldn't
3.) Okay, I thought that the apps are automatically configured for SAML…
Please have a look at our debugging kerberos login article and check if everything is working correctly. Additional information may be logged in the logfiles mentioned in the article when trying to access the UMC.
Another hint. I just checked on my system and when I directly go to the SSO subdomain the page I see is also not showing a login bar. But I think this is actually rather normal. When I log in to “/univention/management/” it redirects to ucs-sso.domain.tld and then shows the login mask (I am not joined to a domain and therefore see the mask); for a joined system I would expect some “redirect flicker” and then being redirected to the desired application.
Does SSO work at all? Your test case should be logging into the Univention Management Console; click the link on the UCS Portal. When logging into the Univention Management Console, what is the URL on the login page? If it contains simplesamlphp, Single Sign-On is generally working. If the login page is /univention/login, SSO is not working at all.
You should also check if the logged in user on Windows has a valid kerberos ticket for the domain with klist
(I adjusted the debugging article i linked above and added these questions)
[edit] The apache error message Cannot serve directory /var/www/univention/js/umc/:… has nothing to do with your issues.
We can see that your SSO is not working at all. Please revert the SAML configuration by setting ucr set saml/idp/authsource=univention-ldap. Does the login via SSO work now?
If not, check this article: “Single Sign On link on UMC login page is crossed out”. The title and problem description about a crossed out link refer to a previous UCS version, but the solutions still apply and everything from there has to work.
You have to execute klist in the user context you want to use Single Sign-On in. In your case, login as the domain user on Windows, open a shell by starting cmd from the start menu, and execute klist.
Ok, I reverted the settings back to univention-ldap. I restarted my Windows client and surfed to the UCS Portal. I have to log in and the login URL is the same “wrong” one again (/univention/login …)
I checked every point from your link:
Is the client using a UCS domain nameserver as its nameserver?
Yes, the first DNS-Server is the IP of my UCS-Master
Is the correct SSL certificate available in the browser? Can https://ucs-sso.<domainname>/ be visited in the browser?
yes:
Is the apache2 site correctly configured? Does https://ucs-sso.<domainname>/simplesamlphp/blank.json show a small JSON status document in the browser?
I get a 404 error, but I checked the directory on the UCS master: there is no blank.json
root@dc:/usr/share/simplesamlphp# ls -la
insgesamt 48
drwxr-xr-x 10 root root 4096 Jun 6 15:31 .
drwxr-xr-x 211 root root 12288 Okt 15 10:12 ..
drwxr-xr-x 2 root root 4096 Jun 6 15:31 bin
lrwxrwxrwx 1 root root 18 Mär 5 2018 config -> /etc/simplesamlphp
drwxr-xr-x 2 root root 4096 Jun 6 15:31 dictionaries
drwxr-xr-x 3 root root 4096 Jun 6 15:31 lib
drwxr-xr-x 54 root root 4096 Jun 6 15:31 modules
drwxr-xr-x 2 root root 4096 Jun 6 15:31 schemas
drwxr-xr-x 3 root root 4096 Jun 6 15:31 templates
drwxr-xr-x 8 root root 4096 Jun 6 15:31 vendor
drwxr-xr-x 6 root root 4096 Jun 6 15:31 www
root@dc:/usr/share/simplesamlphp#
klist: Sorry, I thought this command sounds like a Linux command, so I tried it on my UCS master.
Executed on my Windows client, I get a list back:
What I see right now is: if my logon server (on the Windows client) is server2, then if I put https://server2.domain.tld and there click on the lock to do the login, the SSO works!!!
After the klist command I'm able to see that the server krbtgt was on server2; all the others are on server1.
So what should I change so that I can log on to all the “servers” and don't have to “find” the right one?
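An added example (not from this thread or from Univention): a small Python parser for the Windows klist listing discussed above. It reports whether the user holds a valid TGT for the realm, which KDC issued it (the "krbtgt on server2" observation), and whether a service ticket for the HTTP/ucs-sso principal exists. The klist sample, realm and host names are constructed.

```python
import re
from datetime import datetime

# Constructed sample of Windows `klist` output (placeholder names, not from the thread).
SAMPLE_KLIST = """
Cached Tickets: (2)

#0>     Client: testuser @ DOMAIN.TLD
        Server: krbtgt/DOMAIN.TLD @ DOMAIN.TLD
        Start Time: 10/15/2018 10:12:00 (local)
        End Time:   10/15/2018 20:12:00 (local)
        Kdc Called: server2.domain.tld

#1>     Client: testuser @ DOMAIN.TLD
        Server: HTTP/ucs-sso.domain.tld @ DOMAIN.TLD
        Start Time: 10/15/2018 10:13:00 (local)
        End Time:   10/15/2018 20:12:00 (local)
        Kdc Called: server1.domain.tld
"""

TICKET_START = re.compile(r"^#\d+>", re.M)   # each cached ticket begins with "#N>"
TIME_FMT = "%m/%d/%Y %H:%M:%S"               # klist timestamp format (without "(local)")

def parse_klist(text):
    """Split klist output into one {field: value} dict per cached ticket."""
    tickets = []
    for chunk in TICKET_START.split(text)[1:]:   # drop the header before "#0>"
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.strip().partition(":")   # first colon only
            if sep:
                fields[key.strip()] = value.strip()
        tickets.append(fields)
    return tickets

def sso_readiness(tickets, realm, sso_host, now):
    """Check a valid TGT for `realm` (and which KDC issued it) and a valid
    service ticket for HTTP/<sso_host>; `now` is in klist time format."""
    now_dt = datetime.strptime(now, TIME_FMT)
    report = {"tgt_kdc": None, "tgt_valid": False, "sso_ticket": False}
    for t in tickets:
        server = t.get("Server", "")
        end = datetime.strptime(t["End Time"].split(" (")[0], TIME_FMT)
        if server.startswith("krbtgt/" + realm):
            report["tgt_kdc"] = t.get("Kdc Called")
            report["tgt_valid"] = end > now_dt
        elif server.startswith("HTTP/" + sso_host):
            report["sso_ticket"] = end > now_dt
    return report
```

If `sso_ticket` stays False after visiting the portal, the browser never requested a Kerberos ticket for the SSO host, which points at the browser trust configuration rather than at the server.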
I am trying to set up SSO with domain-joined Linux clients (Linux Mint). But I don’t get it working.
I worked through all the articles linked here but no success.
klist returns a valid ticket on the client. So that was issued on logging in to the client. Firefox is configured with ucs-sso as a trusted URI. But it does not work.
I also have the issue that calling blank.json returns a 404 error.
Even increasing the log level of the SAML IdP did not reveal anything useful to me.
@hpz Your problems could be (not 100% sure) a known issue when using Let's Encrypt certificates, see Bug 47700. We are working on fixing this issue.
To the other people who reported a similar issue: are Let's Encrypt certificates used in your domain? If not, it is probably a different issue which warrants a new thread.
@damrose I'm using a mixed setup… for now I only want it internal, so the certs in use are the self-signed ones from Univention.
That said, what @hpz reports is the same thing that I'm getting: blank pages in ucs-sso and a form to fill in when authentication is needed.
In the meantime, like I said… maybe the issue could be the settings, because I have multiple servers, and my clients (don't know why) use slave servers to log on even when the main server is available…
That said, the same Windows client machine was able to SSO to a Windows server machine with the Univention certificate (so SSO is working).
The same client machine was able to SSO into the Univention portal when the “portal” was equal to the “logonserver”… so if it were possible to access https://%logonserver%.domain.tld/, SSO would work; because that doesn't work, I must identify the %logonserver% and then put it in the address, and SSO works.
Problem: the app shortcuts setup is only on the main server.
@damrose, maybe you can help here… should we access the Univention portal as https://domain.tld or https://server.domain.tld? If I put the first, I randomly access one of the servers that I have, but, as expected, the SSL is invalid because the server name is missing in the URL…