Problem: SSO is not working with a let's encrypt certificate and the sso-single-server-solution

saml
letsencrypt
sso
problem

#1

Problem:

You configured saml-single-sign-on according to this instruction:

If you open your portal via https://ucs-saml.ddns.net/univention/saml you get this Traceback:
1 /usr/share/simplesamlphp/www/_include.php:43 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: Exception: Unable to validate Signature
Backtrace:
5 /usr/share/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/Utils.php:166 (SAML2_Utils::validateSignature)
4 /usr/share/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/Message.php:236 (SAML2_Message::validate)
3 /usr/share/simplesamlphp/modules/saml/lib/Message.php:201 (sspmod_saml_Message::checkSign)
2 /usr/share/simplesamlphp/modules/saml/lib/Message.php:258 (sspmod_saml_Message::validateMessage)
1 /usr/share/simplesamlphp/modules/saml/lib/IdP/SAML2.php:305 (sspmod_saml_IdP_SAML2::receiveAuthnRequest)
0 /usr/share/simplesamlphp/www/saml2/idp/SSOService.php:19 (N/A)

Solution:

  1. you have to edit the cert.pem manually and switch the certificates in this file. The signed certificate have to be at the end/bottom of the file. (at the moment)
  2. restart the UMC
    service univention-management-console-webserver restart
  3. update the metadata in ldap
    /usr/share/univention-management-console/saml/update_metadata
  4. check the certificate stored for this serviceprovider:
    udm saml/serviceprovider list |less
  5. you have to edit the cert.pem manually again and switch the certificates back

Explanation:

The last -----BEGIN CERTIFICATE----- … ----END CERTIFICATE----- block from the public key is used for the service provider configuration. But for let’s encrypt that is the intermediate CA from let’s encrypt. For the signature the private key for the server is used, which means the public key in the sp config does not correspond to private key used to sign the saml message.


closed #4