Problem:
Changing a student's password via SAML is not possible; the loading bar stops at 0%.
Another symptom can be the following error:
Failed to open LDAP connection: An error during LDAP authentication happend. Auth type: SAML; SALM message length: 8444; DN length: 54; Original Error: {'result': 49, 'desc': 'Invalid credentials', 'ctrls': [], 'info': 'SASL(-13): authentication failure: Untrusted assertion audience'}
Investigation:
On the Master:
Compare the service providers listed in /etc/ldap/sasl2/slapd.conf
with the output of
udm saml/serviceprovider list | grep SAMLServiceProviderIdentifier
and check that the names are identical on both sides.
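The comparison above can be scripted. The following is an added example and not part of the original article or of UCS; it assumes that "udm saml/serviceprovider list" prints lines of the form "SAMLServiceProviderIdentifier: https://host/univention/saml/metadata" and that /etc/ldap/sasl2/slapd.conf lists the trusted SP metadata URLs as plain https:// URLs (the config key "saml_trusted_sp" in the constructed sample is an assumption; only the URLs are compared).

```shell
#!/bin/sh
# Added example, not part of the original article or of UCS: compare the
# service provider identifiers that UDM knows with the trusted audiences in
# /etc/ldap/sasl2/slapd.conf and report every identifier slapd does not trust.
# Assumptions: "udm saml/serviceprovider list" prints lines like
# "  SAMLServiceProviderIdentifier: https://host/univention/saml/metadata",
# and slapd.conf contains the trusted SP metadata URLs as plain https:// URLs.
export LC_ALL=C   # sort and comm must agree on the collation order

# Read text on stdin and print each https:// URL found, sorted and unique
# (comm below requires sorted input).
extract_urls() {
    grep -o 'https://[^[:space:],"]*' | sort -u
}

# Usage: missing_in_slapd_conf UDM_OUTPUT_FILE SLAPD_CONF_FILE
# Prints every identifier from the UDM listing that slapd.conf does not
# contain. Returns 0 when both sides agree and 1 when something is missing.
missing_in_slapd_conf() {
    udm_ids="${TMPDIR:-/tmp}/udm_ids.$$"
    conf_ids="${TMPDIR:-/tmp}/conf_ids.$$"
    grep 'SAMLServiceProviderIdentifier' "$1" | extract_urls > "$udm_ids"
    extract_urls < "$2" > "$conf_ids"
    missing=$(comm -23 "$udm_ids" "$conf_ids")
    rm -f "$udm_ids" "$conf_ids"
    [ -n "$missing" ] || return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample data: UDM knows two service providers, but the SASL
# configuration only trusts the first one, which is the situation behind
# the "Untrusted assertion audience" error.
SAMPLE_UDM=$(mktemp)
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_UDM" <<'EOF'
DN: SAMLServiceProviderIdentifier=https://master.example.org/univention/saml/metadata,cn=saml-serviceprovider,cn=univention,dc=example,dc=org
  SAMLServiceProviderIdentifier: https://master.example.org/univention/saml/metadata
DN: SAMLServiceProviderIdentifier=https://slave.example.org/univention/saml/metadata,cn=saml-serviceprovider,cn=univention,dc=example,dc=org
  SAMLServiceProviderIdentifier: https://slave.example.org/univention/saml/metadata
EOF
cat > "$SAMPLE_CONF" <<'EOF'
mech_list: SAML
saml_trusted_sp: https://master.example.org/univention/saml/metadata
EOF

if missing_in_slapd_conf "$SAMPLE_UDM" "$SAMPLE_CONF"; then
    echo "slapd.conf trusts every service provider known to UDM"
else
    echo "the identifiers above are missing from slapd.conf"
fi
rm -f "$SAMPLE_UDM" "$SAMPLE_CONF"
```

On a real host, save the UDM listing to a file ("udm saml/serviceprovider list > /tmp/udm-sp.txt") and call "missing_in_slapd_conf /tmp/udm-sp.txt /etc/ldap/sasl2/slapd.conf"; a non-zero exit status together with the printed URLs tells you which audience slapd will reject.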
Restart the slapd service, retry the password change and look for the error message:
service slapd restart
systemctl status slapd.service
The following messages show inconsistent entries:
Dez 20 17:33:27 master slapd[31506]: SASL [conn=5425] Error: Assertion audience "https://slave.schein.me/univention/saml/metadata" untrusted
Dez 20 17:33:27 master slapd[31506]: SASL [conn=5425] Failure: Untrusted assertion audience
The audience in the assertion is the SP metadata URL of the server the login came from; slapd rejects the assertion because that URL is not among the service providers it trusts.
Alternatively, check /var/log/syslog for hints.
Furthermore, you should check the metadata for inconsistencies. Maybe the EntityID is not the same on both servers:
cat /usr/share/univention-management-console/saml/idp/*.xml
Solution:
One solution is to re-download the metadata after you have checked the UCR variables.
This is done by resetting the UCR variable umc/saml/idp-server
to its existing value and restarting the LDAP server.
Note:
In a distributed environment it may also be necessary to check and adjust /etc/ldap/sasl2/slapd.conf.
With Keycloak, univention-keycloak saml/sp get --json
is the counterpart of udm saml/serviceprovider list | grep SAMLServiceProviderIdentifier.
The entries in /etc/ldap/sasl2/slapd.conf
are written by setting the UCR variable
ucr set umc/saml/sp-server="portal.example.org"
and re-running the join script
univention-run-join-scripts --force --run-scripts 92univention-management-console-web-server
This is needed if the portal and the SAML IdP run on two different servers (for example Keycloak on a backup). Then umc/saml/sp-server
has to be adjusted on the primary, too.
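The command sequences from the Solution and from the Note, as an added example that is not part of the original article or of UCS. It assumes a UCS host where the "ucr", "service" and "univention-run-join-scripts" commands exist; the variable names and the join script name are the ones given above.

```shell
#!/bin/sh
# Added example, not part of the original article or of UCS: the command
# sequences from the Solution and the Note as small shell functions.
# Assumptions: runs on a UCS host where "ucr", "service" and
# "univention-run-join-scripts" exist; the variable names and the join
# script name are those given in the article.

# Re-set a UCR variable to the value it already has. For umc/saml/idp-server
# this re-downloads the IdP metadata, as the Solution describes. Refuses to
# write an empty value if the variable is unset.
reset_ucr_to_current() {
    var="$1"
    current=$(ucr get "$var")
    if [ -z "$current" ]; then
        echo "UCR variable $var is not set; nothing to reset" >&2
        return 1
    fi
    ucr set "$var=$current"
}

# Solution: re-download the IdP metadata and restart slapd so it picks it up.
refresh_idp_metadata() {
    reset_ucr_to_current umc/saml/idp-server || return 1
    service slapd restart
}

# Note: point the primary at the portal/SP host and re-run the join script
# that writes /etc/ldap/sasl2/slapd.conf.
set_sp_server() {
    if [ -z "$1" ]; then
        echo "usage: set_sp_server <portal host, e.g. portal.example.org>" >&2
        return 1
    fi
    ucr set "umc/saml/sp-server=$1"
    univention-run-join-scripts --force --run-scripts 92univention-management-console-web-server
}

# Command line: "refresh" applies the Solution, "sp-server HOST" the Note.
# Without an argument only the functions are defined and nothing is changed.
case "${1:-}" in
    refresh)   refresh_idp_metadata ;;
    sp-server) set_sp_server "$2" ;;
esac
```

Run "sh saml-fix.sh refresh" on the LDAP server for the Solution, and "sh saml-fix.sh sp-server portal.example.org" on the primary when the portal lives on another host; both functions return non-zero instead of writing an empty UCR value.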