Problem: long login times via SSO at UMC

Problem:

Long login times via SSO at UMC

Investigation:

cat /etc/stunnel/univention_saml.conf
pid = /var/run/univention-saml/stunnel4.pid
cert = /etc/simplesamlphp/ucs-sso.schule-schein.me-idp-certificate.crt
key = /etc/simplesamlphp/ucs-sso.schule-schein.me-idp-certificate.key
setuid = samlcgi
CAfile = /etc/univention/ssl/ucsCA/CAcert.pem
options = NO_SSLv3
service = univention-saml-stunnel
debug = 4

[memcached]
accept  = 11212
connect = /var/run/univention-saml/memcached.socket
verify = 2
checkHost = ucs-sso.schule-schein.me

[backup.schule-schein.me]
client = yes
accept = /var/run/univention-saml/backup.schule-schein.me.socket
connect = ucs01.schule-schein.me:11212
verify = 2
checkHost = ucs-sso.schule-schein.me

Check all involved portal servers for their availability:

nc -vz ucs01.schule-schein.me 11212 -w3
nc: connect to ucs01.schule-schein.me port 11212 (tcp) timed out: Operation now in progress

Solution:

The problem with the long login times seems to be caused by the new portal servers, which are already registered for SAML, not being reachable. The server tries to establish communication via the stunnel connection, but since the remote side does not respond, it waits until the timeout. Port 11212 should therefore be opened in the firewall for ucs01 and ucs02.
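The nc check above covers one peer by hand. The script below is an added example (not part of the original post and not Univention code) that generalizes it: it reads every `client = yes` section of an stunnel config, pulls out each `connect = host:port` target (unix-socket targets such as the local memcached socket are skipped), and probes each one with the same 3-second nc timeout, so a blocked port shows up as TIMEOUT instead of as a slow login. The sample config it writes is constructed from the one on this page; the `[ucs02.schule-schein.me]` section is an assumption added so that both servers named in the solution are exercised.

```shell
#!/bin/sh
# Probe every stunnel client peer for reachability (added example, not from the original post).
# Usage: ./check_stunnel_peers.sh /etc/stunnel/univention_saml.conf

# Print "host:port" for every section that has "client = yes" and a TCP connect target.
# Sections whose connect target is a unix socket path (no colon) are ignored.
stunnel_client_targets() {
    awk '
        function flush() { if (client && target != "") print target; client = 0; target = "" }
        /^[[:space:]]*\[/ { flush() }                      # new [section]: emit the previous one
        /^[[:space:]]*client[[:space:]]*=[[:space:]]*yes[[:space:]]*$/ { client = 1 }
        /^[[:space:]]*connect[[:space:]]*=/ {
            v = $0
            sub(/^[^=]*=[[:space:]]*/, "", v)            # strip "connect ="
            sub(/[[:space:]]+$/, "", v)                  # strip trailing blanks
            if (v ~ /:/) target = v                      # host:port only, not a socket path
        }
        END { flush() }
    ' "$1"
}

# Try a TCP connect to host:port with a 3 s timeout, mirroring the nc -vz -w3 check above.
# Returns 0 when the port answers, 1 otherwise (blocked by a firewall or host down).
check_target() {
    host=${1%:*}
    port=${1##*:}
    if nc -z -w 3 "$host" "$port" 2>/dev/null; then
        echo "OK       $1"
        return 0
    fi
    echo "TIMEOUT  $1   (stunnel will block logins until this connect times out)"
    return 1
}

# Constructed sample config for a stand-alone run; the ucs02 section is an assumption.
write_sample_conf() {
    cat >"$1" <<'EOF'
pid = /var/run/univention-saml/stunnel4.pid
setuid = samlcgi
options = NO_SSLv3

[memcached]
accept  = 11212
connect = /var/run/univention-saml/memcached.socket
verify = 2

[backup.schule-schein.me]
client = yes
accept = /var/run/univention-saml/backup.schule-schein.me.socket
connect = ucs01.schule-schein.me:11212
verify = 2

[ucs02.schule-schein.me]
client = yes
accept = /var/run/univention-saml/ucs02.schule-schein.me.socket
connect = ucs02.schule-schein.me:11212
verify = 2
EOF
}

# When given a config path, probe every client peer and exit non-zero if any is unreachable.
if [ $# -gt 0 ]; then
    rc=0
    for t in $(stunnel_client_targets "$1"); do
        check_target "$t" || rc=1
    done
    exit $rc
fi
```

Run it against the live config as `./check_stunnel_peers.sh /etc/stunnel/univention_saml.conf` on the SSO host after adding each new portal server; any TIMEOUT line is a peer whose port 11212 still needs a firewall rule.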
