@hpz Your problems could be (not 100% sure) a known issue when using Letsencrypt certificates, see Bug 47700. We are working on fixing this issue.
To the other people who reported a similar issue, are letsencrypt certificates used in your domain? If not, it is probably a different issue which warrants a new thread.
@damrose i’m using a mix setup… for now i’m only want it internal, so the certs in use are the self sign from univention.
That said what @hpz reports is the same thing that i’m getting, blank pages in ucs-sso and form to fill when authtentication is need.
In the meantime like i said… maybe the issue could be the settings because i have multiple servers, and my clients (don’t know why) use slaves servers to logon even when main server is avaiable…
That said, the same windows client machine was able to sso to windows server machine with univention certificate (so sso is working)
The same client machine was able to sso into univention portal when the “portal” was equal do the “logonserver”… so if it would possible access https://%logonserver%.domain.tld/ sso works because that don’t work i must identify the %logonserver% and then put it in the address and sso works.
Problem: the apps shortcuts setup is only in the main server 
@damrose, maybe you can help here… should we access the univention portal as https://domain.tld or https://server.domain.tld if i put the first i randon access one of the servers that i have but, as expected the ssl is invalid because the server name is missing in url…
Is that normal because we should access via https://domain.tld ?
I only have one UCS server with master role. And not running any Let’s Ecrypt.
I have some more feedback… no solution however
-
After restart, i’m able to sso using internet explorer in every servers (backup and slaves) the only server that sso isn’t working is the domainmaster
After sso with internet explorer i cannot sso using chrome. -
After restart, and try with chrome: i’m able to sso in every servers (backup and slaves) the only server that sso isn’t working is the domainmaster.
After sso with chrome i cannot sso using internet explorer
Again i don’t know if that is the expected behaviour or not… but is what happen on my side
@hpz do you have more ucs servers configured? (slave or backups) so you can try sso in that servers?
hi,
no, one single ucs master.
still the same as written before…
@hpz yep… i also don’t have that file i none os my servers… cannot understand why the sso don’t work in domainmaster
Little thumb up this post…
Anyone can help/guide how to troubleshoot the sso and why it don’t work in the domaincontroller_master but works fine in all other servers roles (backup and slaves)
Could this be related ?
The sso address is avaible via two servers (master and backup) and the windows client trying the sso via the domaincontroller_master portal the first server that respond to the sso fqdn is the ip from the backup server?
Hi there,
I had the same problem. I did the following:
univention-run-join-scripts --force --run-scripts 98univention-samba4-saml-kerberos.inst
univention-run-join-scripts --force --run-scripts 91univention-saml.inst
# In this order, it might be a bug because the password get changed in the 98 script and I got
# an invalid password error with the next command
kinit -t /etc/simplesamlphp.keytab HTTP/ucs-sso.$(ucr get domainname)@$(ucr get kerberos/realm)
# And last but not least the following, because I got an invalid certificate error under
# https://afdc.af.intra/univention/saml/
univention-run-join-scripts --force --run-scripts 92univention-management-console-web-server.inst
After that, I was able to use my client’s kerberos ticket to login.
@damrose
There might be a Bug in the guide under: Debugging the SAML Kerbeors authentication
The 98 script changes the password of the ucs-sso user and I feel like this invalidates all tickets in the samlkeytab file. So maybe the order must be 98 and then 91, but I’am not a 100% sure.
Master only as I have only one server, which is also the ucs-sso server.
@codedmind Mine too. My master wasn’t able to use single-singon. Can you try to open the following page:
https://{master-dns}/univention/saml
@go2sh it will ask for login. if i went to the same url but slave-dns it works (sso)
This doesn’t work
This works
Don0t know if this matters but the first print i two management/ one 301 then other 200 in the second only get one management/ with the 200 code
Can you check your ucr variable saml/idp/authsource on the master if it is univention-negotiate. This would be the only thing I could imagine.
