Problem: Changing the student password in UMC via saml remains at 0%

scheinig · January 7, 2019, 2:26pm

Problem:

Changing the students password is not possible via saml. The loading bar stops at 0%.

And other symtom could be:

Failed to open LDAP connection: An error during LDAP authentication happend. Auth type: SAML; SALM message length: 8444; DN length: 54; Original Error: {‘result’:49, ‘desc’: ‘Invalid credentials’, ‘ctrls’: , ‘info’: ‘SASL)-13): authentication failure: Untrusted assertion audience’}

Investigation:

On the Master:
Check /etc/ldap/sasl2/slapd.conf and udm saml/serviceprovider list |grep SAMLServiceProviderIdentifier for identical names.
Restart the slapd service, try again changing the password and look for the error message:

service slapd restart
systemctl status slapd.service

This message shows inconsistent entries:

Dez 20 17:33:27 master slapd[31506]: SASL [conn=5425] Error: Assertion audience "https://slave.schein.me/univention/saml/metadata" untrusted
Dez 20 17:33:27 master slapd[31506]: SASL [conn=5425] Failure: Untrusted assertion audience

or you simply check the /var/log/syslog for any hints.

Furthermore you shoud check the metadata for any inconsitencies. Maybe the EntiyID is not the same on both servers.
cat /usr/share/univention-management-console/saml/idp/*.xml

Solution:

A solution might be to redownload the metadata after you checked the ucr variables.
This can be done be resetting the ucr variable umc/saml/idp-server to the existing value and restart the ldapserver

Note:

It may also be necessary, that if you have a spread environment, that you have to check and adjust /etc/ldap/sasl2/slapd.conf. With keycloak univention-keycloak saml/sp get --json is the pendent to udm saml/serviceprovider list |grep SAMLServiceProviderIdentifier .
The entries in /etc/ldap/sasl2/slapd.conf are set with setting the ucr variable

ucr set umc/saml/sp-server="portal.example.org"
univention-run-join-scripts --force --run-scripts 92univention-management-console-web-server.

This can be the case if you have portal and saml IDP on two different servers. (keycloak on a backup) Then you have to adjust umc/saml/sp-server on the primary, too.