Office 365 Integration / Microsoft Teams App


#1

Hi,

I recently moved a company having existing Office 365 accounts to Univention with the Connector App.
That worked great thanks to the support here in this forum.

However, they now have a problem with the iOS and Android app “Microsoft Teams”.
When they try to log in with their username, the login process takes forever and they are not getting any further: they are not asked for a password later on.

They have a reverse proxy which sends requests to ucs-sso.firma.at back and forth to the UCS master. That obviously works, since the Office 365 connector itself is running well.

So, I tried to log in using the “Microsoft Teams” app and I saw a corresponding entry in the Apache access.log on the master:

    "POST /simplesamlphp/saml2/idp/SSOService.php HTTP/1.1" 303 3662
    "https://login.microsoftonline.com/common/oauth2/authorize?
        response_type=code&
        client_id=1fec8e78-bce4-4aaf-ab1b-5451cc387264&
        resource=https%3A%2F%2Fapi.spaces.skype.com&
        redirect_uri=msauth%3A%2F%2Fcom.microsoft.teams%2Ffcg80qvoM1YMKJZibjBwQcDfOno%253D&
        state=YT1odHRwczovL2xvZ2luLm1pY3Jvc29mdG9ubGluZS5jb20vY29tbW9uJnI9aHR0cHM6Ly9hcGkuc3BhY2VzLnNreXBlLmNvbQ&
        login_hint=it%40firma.at&
        x-client-SKU=Android&
        x-client-Ver=1.15.1&x-client-OS=22&
        x-client-DM=D2303&client-request-id=73f5e6fb-7843-4d4e-8f90-8eb98aba9b70&
        haschrome=1&
        nux=1&
        instance_aware=true"
            "Mozilla/5.0 (Linux; Android 5.1.1; D2303 Build/18.6.A.0.182; wv)
             AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/67.0.3396.87 Mobile Safari/537.36 PKeyAuth/1.0"

I also got an entry in the error.log:

    [client 192.168.15.10:40182] AH01215:
    PHP Notice:  MemcachePool::get():
    Server unix:///var/run/univention-saml/backupdc.firma.at.socket (tcp 0, udp 0) failed with:
    Read failed (socket was unexpectedly closed) (0) in /usr/share/simplesamlphp/lib/SimpleSAML/Memcache.php on line 50,
    referer: https://login.microsoftonline.com/common/oauth2/authorize?
        response_type=code&
        client_id=1fec8e78-bce4-4aaf-ab1b-5451cc387264&
        resource=https%3A%2F%2Fapi.spaces.skype.com&
        redirect_uri=msauth%3A%2F%2Fcom.microsoft.teams%2Ffcg80qvoM1YMKJZibjBwQcDfOno%253D&
        state=YT1odHRwczovL2xvZ2luLm1pY3Jvc29mdG9ubGluZS5jb20vY29tbW9uJnI9aHR0cHM6Ly9hcGkuc3BhY2VzLnNreXBlLmNvbQ&
        login_hint=it%40firma.at&
        x-client-SKU=Android&
        x-client-Ver=1.15.1&
        x-client-OS=22&
        x-client-DM=D2303&
        client-request-id=73f5e6fb-7843-4d4e-8f90-8eb98aba9b70&
        haschrome=1&
        nux=1&
        instance_aware=true

So, it tried to connect to the backupdc and that failed.
The next thing I tried was unsetting the saml-idp-server entry for the backupdc:

    root@masterdc ~ # ucr search --brief saml
    ucs/server/saml-idp-server/masterdc.firma.at: masterdc.firma.at
    ucs/server/saml-idp-server/backupdc.firma.at: backupdc.firma.at

    root@masterdc ~ # ucr unset ucs/server/saml-idp-server/backupdc.firma.at

After reloading apache2 I get no error log entry anymore, but the behaviour on the phone stays exactly the same.

What could be the reason for this?

Thanks for reading,
Roland.
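
A small triage helper for the two log excerpts in the post above, added here as an example (not part of the original post, and not Univention or Microsoft code). It decodes the logged authorize request, including the base64url `state` value, and extracts the memcache socket named in the PHP notice. The function names are hypothetical; the sample strings are copied from the post's logs with the display line breaks removed and the trailing client parameters omitted.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Sample input: copied from the log excerpts in the post (line breaks removed,
# trailing x-client-* parameters omitted).
AUTHORIZE_URL = (
    "https://login.microsoftonline.com/common/oauth2/authorize?"
    "response_type=code&client_id=1fec8e78-bce4-4aaf-ab1b-5451cc387264&"
    "resource=https%3A%2F%2Fapi.spaces.skype.com&"
    "redirect_uri=msauth%3A%2F%2Fcom.microsoft.teams%2Ffcg80qvoM1YMKJZibjBwQcDfOno%253D&"
    "state=YT1odHRwczovL2xvZ2luLm1pY3Jvc29mdG9ubGluZS5jb20vY29tbW9uJnI9aHR0cHM6Ly9hcGkuc3BhY2VzLnNreXBlLmNvbQ&"
    "login_hint=it%40firma.at&x-client-SKU=Android"
)
ERROR_LINE = (
    "PHP Notice:  MemcachePool::get(): Server "
    "unix:///var/run/univention-saml/backupdc.firma.at.socket (tcp 0, udp 0) "
    "failed with: Read failed (socket was unexpectedly closed) (0)"
)

def b64url_decode(value):
    """Decode unpadded base64url, the encoding of the state value in the log."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4)).decode()

def summarize_authorize(url):
    """Return the fields of a logged authorize request that matter for triage."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    redirect = urlsplit(q["redirect_uri"])  # parse_qs already decoded it once
    state = {k: v[0] for k, v in parse_qs(b64url_decode(q["state"])).items()}
    return {
        "login_hint": q["login_hint"],
        "resource": q["resource"],
        "redirect_scheme": redirect.scheme,  # app-specific scheme, not https
        "redirect_host": redirect.netloc,
        "state": state,
    }

def failing_memcache_socket(line):
    """Extract the unix socket path from a MemcachePool failure notice, or None."""
    match = re.search(r"Server unix://(\S+) .*failed with", line)
    return match.group(1) if match else None

if __name__ == "__main__":
    print(summarize_authorize(AUTHORIZE_URL))
    print(failing_memcache_socket(ERROR_LINE))
```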