No chance to get Single Sign-On working

saml
ucs4
sso

#1

Hi,
I tried to set up my UCS master with SSO.
I installed a Win10 test client and joined the domain.
I configured everything as written in the threads regarding “import UCS root CA on Windows client” and “configuring Windows for SSO with Kerberos”.
I checked the settings on the client; the group policies are executed as expected.

I am able to visit the website https://ucs-sso.domain.ltd, which shows a blank page with the Univention lettering in the top right corner (screenshot).
The certificates are from Let's Encrypt.
I checked the join scripts 91 and 92; both finished with EXITCODE=0.
I am able to reach ucs-sso.domain.ltd from the client with ping, so DNS should work fine.

My problem:
I'm logged in as a UCS user with permissions for Kopano, Nextcloud and UCS.
If I call the Univention start page with IE or Google Chrome, then I have to log in again (in UCS or Nextcloud or Kopano) …
I noticed that on the login page there is only the text “How can I log in” and not the special SSO text I found in a thread; I don't know if this is important.

So, can somebody give me a hint on how to tackle SSO?
Thanks in advance,
hanspeter

My system: UCS 4.3



#2

Hi @hpz,

I don’t know the answer but have some suggestions on what to check. You write that you see a mostly blank page when going to ucs-sso.domain.tld. How does the site look when visiting from a machine that is not joined to the domain?

At least for the Univention portal page the SSO login should work (so when going to ucs.domain.tld//univention/management/ you do not have to log in if your Kerberos session has logged you in already). I cannot say, though, whether SAML is already preconfigured in Nextcloud. I can only say with certainty that Kopano WebApp does not care about SAML.


#3

Hi fbartels,
thanks for your reply.

1.) I tried to visit ucs-sso.domain.ltd from an “unjoined” computer and it looks the same as on the domain client (see my screenshot in the first post).

2.) If I open ucs.domain.tld//univention/management/ on the joined client, I get a login page (where I shouldn't).

3.) Okay, I thought the apps were automatically configured for SAML…

Summa summarum: SSO isn't working.


#4

Please have a look at our Debugging Kerberos login article and check whether everything is working correctly. Additional information may be logged in the log files mentioned in the article when trying to access the UMC.


#5

Another hint. I just checked on my system, and when I go directly to the SSO subdomain the page I see is also not showing a login bar. But I think this is actually rather normal. When I log in to “/univention/management/” it redirects to ucs-sso.domain.tld and then shows the login mask (I am not joined to a domain and therefore see the mask); for a joined system I would expect some “redirect flicker” and then being redirected to the desired application.


#6

Hi,
thanks for your ideas, which I've tried today:

@damrose: I worked through the whole list and everything seems to work fine:

  • UCR variable is changed
  • SAML identity provider shows up in Intranet Sites in the IE settings
root@dc:/var/log/apache2# univention-check-templates 2>&1 | egrep "(apache|saml)"
root@dc:/var/log/apache2# 
root@dc:/var/log/apache2# ktutil --keytab=/etc/simplesamlphp.keytab list
/etc/simplesamlphp.keytab:

Vno  Type                     Principal                             Aliases
  2  des-cbc-crc              HTTP/ucs-sso.domain.ltd@domain.ltd  
  2  des-cbc-crc              ucs-sso@domain.ltd                   
  2  des-cbc-md5              HTTP/ucs-sso.domain.ltd@domain.ltd  
  2  des-cbc-md5              ucs-sso@domain.ltd                   
  2  arcfour-hmac-md5         HTTP/ucs-sso.domain.ltd@domain.ltd  
  2  arcfour-hmac-md5         ucs-sso@domain.ltd                   
  2  aes128-cts-hmac-sha1-96  HTTP/ucs-sso.domain.ltd@domain.ltd  
  2  aes128-cts-hmac-sha1-96  ucs-sso@domain.ltd                   
  2  aes256-cts-hmac-sha1-96  HTTP/ucs-sso.domain.ltd@domain.ltd  
  2  aes256-cts-hmac-sha1-96  ucs-sso@domain.ltd                   
  1  des3-cbc-sha1            HTTP/ucs-sso.domain.ltd@domain.ltd  
  1  des-cbc-md4              HTTP/ucs-sso.domain.ltd@domain.ltd  
  1  arcfour-hmac-md5         HTTP/ucs-sso.domain.ltd@domain.ltd  
  1  aes128-cts-hmac-sha1-96  HTTP/ucs-sso.domain.ltd@domain.ltd  
  1  aes256-cts-hmac-sha1-96  HTTP/ucs-sso.domain.ltd@domain.ltd  
  1  des-cbc-md5              HTTP/ucs-sso.domain.ltd@domain.ltd  
  1  des-cbc-crc              HTTP/ucs-sso.domain.ltd@domain.ltd  
  1  des3-cbc-sha1            HTTP/ucs-sso.domain.ltd@domain.ltd  
  1  des-cbc-md4              HTTP/ucs-sso.domain.ltd@domain.ltd  
  1  arcfour-hmac-md5         HTTP/ucs-sso.domain.ltd@domain.ltd  
  1  aes128-cts-hmac-sha1-96  HTTP/ucs-sso.domain.ltd@domain.ltd  
  1  aes256-cts-hmac-sha1-96  HTTP/ucs-sso.domain.ltd@domain.ltd  
  1  des-cbc-md5              HTTP/ucs-sso.domain.ltd@domain.ltd  
  1  des-cbc-crc              HTTP/ucs-sso.domain.ltd@domain.ltd  
root@dc:/var/log/apache2# 

Then I made a test and called the website ucs-sso.domain.ltd on my domain-joined client.
I logged in with my user, the URL changes to https://domain.ltd/simplesamlphp/module.php/core/frontpage_welcome.php and I get a 404 error page!

Content of my access.log and error.log:

access.log:

192.168.24.80 - - [15/Oct/2018:10:23:12 +0200] "POST /univention/auth HTTP/1.1" 200 854 "https://domain.ltd/univention/login/?location=%2Fsimplesamlphp%2Fmodule.php%2Fcore%2Ffrontpage_welcome.php&lang=de-AT" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
192.168.24.80 - - [15/Oct/2018:10:23:12 +0200] "GET /univention/get/meta?1539591792481 HTTP/1.1" 200 1821 "https://domain.ltd/univention/login/?location=%2Fsimplesamlphp%2Fmodule.php%2Fcore%2Ffrontpage_welcome.php&lang=de-AT" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
192.168.24.80 - - [15/Oct/2018:10:23:12 +0200] "GET /simplesamlphp/module.php/core/frontpage_welcome.php HTTP/1.1" 404 642 "https://domain.ltd/univention/login/?location=%2Fsimplesamlphp%2Fmodule.php%2Fcore%2Ffrontpage_welcome.php&lang=de-AT" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"

error.log:

[Mon Oct 15 10:21:58.779236 2018] [autoindex:error] [pid 7063] [client 192.168.24.80:64103] AH01276: Cannot serve directory /var/www/univention/js/umc/: No matching DirectoryIndex (index.html,index.cgi,index.pl,index.php,index.xhtml,index.htm) found, and server-generated directory index forbidden by Options directive, referer: https://domain.ltd/univention/login/?location=%2Funivention%2Fself-service%2F%23passwordreset&lang=de-AT
[Mon Oct 15 10:22:59.134915 2018] [autoindex:error] [pid 7066] [client 192.168.24.80:64138] AH01276: Cannot serve directory /var/www/univention/js/umc/: No matching DirectoryIndex (index.html,index.cgi,index.pl,index.php,index.xhtml,index.htm) found, and server-generated directory index forbidden by Options directive, referer: https://domain.ltd/univention/login/?location=%2Fsimplesamlphp%2Fmodule.php%2Fcore%2Ffrontpage_welcome.php&lang=de-AT
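As an added example (not part of this thread or of UCS itself), here is a small script that automates two of the checks the post above does by hand: it parses a `ktutil --keytab=... list` listing and verifies that the service principal a browser will request for `https://<host>` (`HTTP/<host>@<REALM>`) is present with AES keys at the newest kvno, flagging DES/RC4-only entries, and it classifies Apache access-log lines to tell a credential POST to the UMC login form apart from the 401 challenge of a Negotiate (SPNEGO) exchange and from the 404 on the SAML front page. The keytab listing and the log lines below are constructed samples in the same format as the post's output; the hostname, realm and IP are placeholders copied from the post.

```python
import re
from collections import defaultdict

# Constructed sample: an abbreviated `ktutil --keytab=/etc/simplesamlphp.keytab list`
# listing in the same format as the post (host and realm are placeholders).
KTUTIL_LISTING = """\
/etc/simplesamlphp.keytab:

Vno  Type                     Principal                             Aliases
  2  des-cbc-crc              HTTP/ucs-sso.domain.ltd@domain.ltd
  2  arcfour-hmac-md5         HTTP/ucs-sso.domain.ltd@domain.ltd
  2  aes256-cts-hmac-sha1-96  HTTP/ucs-sso.domain.ltd@domain.ltd
  2  aes256-cts-hmac-sha1-96  ucs-sso@domain.ltd
  1  aes256-cts-hmac-sha1-96  HTTP/ucs-sso.domain.ltd@domain.ltd
"""

# Constructed sample in Apache combined-log format, mirroring the post's lines.
ACCESS_LOG = """\
192.168.24.80 - - [15/Oct/2018:10:23:12 +0200] "POST /univention/auth HTTP/1.1" 200 854 "https://domain.ltd/univention/login/?location=%2Fsimplesamlphp%2Fmodule.php%2Fcore%2Ffrontpage_welcome.php&lang=de-AT" "Mozilla/5.0"
192.168.24.80 - - [15/Oct/2018:10:23:12 +0200] "GET /univention/get/meta?1539591792481 HTTP/1.1" 200 1821 "https://domain.ltd/univention/login/" "Mozilla/5.0"
192.168.24.80 - - [15/Oct/2018:10:23:12 +0200] "GET /simplesamlphp/module.php/core/frontpage_welcome.php HTTP/1.1" 404 642 "https://domain.ltd/univention/login/" "Mozilla/5.0"
"""

# Enctypes that modern Windows clients do not use by default (DES) or that
# are deprecated (RC4, 3DES); they are harmless beside AES keys but worth noting.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
                 "des3-cbc-sha1", "arcfour-hmac-md5"}

# "<kvno>  <enctype>  <principal>"; the "Vno Type Principal" header does not match.
KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)")
# Combined log: client, ident, user, [timestamp], "METHOD PATH PROTO", status, size
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')


def parse_keytab_listing(text):
    """Return {principal: {kvno: set(enctypes)}} from ktutil's text listing."""
    entries = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if m:
            kvno, enctype, principal = m.groups()
            entries[principal][int(kvno)].add(enctype)
    return entries


def check_service_principal(entries, host, realm):
    """Check the SPN a browser requests for https://host, i.e. HTTP/host@REALM.

    The realm is compared case-sensitively, as Kerberos does. Only the newest
    kvno matters: older keys stay in the keytab but the KDC issues tickets
    with the current one.
    """
    spn = f"HTTP/{host}@{realm}"
    if spn not in entries:
        return {"spn": spn, "present": False}
    latest = max(entries[spn])
    enctypes = entries[spn][latest]
    return {
        "spn": spn,
        "present": True,
        "kvno": latest,
        "has_aes": any(e.startswith("aes") for e in enctypes),
        "weak": sorted(enctypes & WEAK_ENCTYPES),
    }


def classify_login(log_text):
    """Label what an access log shows about how the login happened.

    form_login:          credentials POSTed to /univention/auth from the UMC
                         login page, i.e. the user typed a password.
    negotiate_challenge: a 401, which is what the SPNEGO dance looks like on
                         the wire (WWW-Authenticate: Negotiate, then a retry).
    saml_404:            the post-login redirect into simplesamlphp 404'd.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        _ip, _ts, method, path, status, _size = m.groups()
        status = int(status)
        if method == "POST" and path == "/univention/auth" and status == 200:
            findings.append("form_login")
        elif status == 401:
            findings.append("negotiate_challenge")
        elif path.startswith("/simplesamlphp/") and status == 404:
            findings.append("saml_404")
    return findings


if __name__ == "__main__":
    keytab = parse_keytab_listing(KTUTIL_LISTING)
    print(check_service_principal(keytab, "ucs-sso.domain.ltd", "domain.ltd"))
    print(classify_login(ACCESS_LOG))
```

Run against the real files by replacing the two constants with `open(...).read()` of the `ktutil` output and of `/var/log/apache2/access.log`. A result of `["form_login", "saml_404"]` with no `negotiate_challenge` means the browser never attempted Kerberos against the IdP and fell back to the password form, which points at the client side (SPN resolution, Intranet-zone membership, a ticket for `HTTP/<host>` missing from `klist`) rather than at the keytab.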

#7

I have seen this already several times but I cannot recall how to fix it at the moment. There are some references to bugs which have already been fixed.

Are you using latest release including latest errata updates?

/CV


#8

Hi,
sure: 4.3-2 errata270