Problem: SSO Issues when Logging in to Backup Server

Problem

Being logged in through SSO on the master server and trying to log in to the backup server in a new browser tab results in “Internal Server Error”.

You might see related messages in /var/log/management-console-server.log:
pam auth error connection timeout

In /var/log/univention/management-console-web-server:
auth failed status 401

Solution

This issue might be related to non-matching or invalid certificates. To verify, follow the steps below:

Step 1:

On all IDP Servers (= DC Master + DC Backups):
$ cat /etc/simplesamlphp/*-idp-certificate.crt

Step 2:

On the Service-Provider Server:
$ cat /usr/share/univention-management-console/saml/idp/*.xml

Step 3:

Verify that the above steps show the same certificates; these files should be identical.

Step 4a:

If they are not identical, remove the files on the SP server:
rm -f /usr/share/univention-management-console/saml/idp/*.xml

Step 4b:

Note: This step does not work on PaedML!
Force re-execution of the joinscript 92univention-management-console-web-server.
univention-run-join-scripts --force --run-scripts 92univention-management-console-web-server
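
The comparison in steps 1 to 3 can be scripted instead of read by eye. The following is an added example, not part of the original article or of UCS itself; it assumes the metadata XML carries the IdP certificate in a standard SAML `X509Certificate` element, and the function names and sample data are constructed for illustration.

```shell
# Added example: compare an IdP certificate (PEM) with the certificate(s)
# embedded in a service provider's SAML IdP metadata XML.

# Print the base64 body of the first certificate in a PEM file, unwrapped.
pem_body() {
    awk '/-----BEGIN CERTIFICATE-----/{f=1; next}
         /-----END CERTIFICATE-----/{exit}
         f' "$1" | tr -d ' \t\r\n'
}

# Print every X509Certificate element body in a metadata file, one per line.
# Whitespace is removed first so wrapped base64 compares equal.
metadata_certs() {
    tr -d ' \t\r\n' < "$1" |
        grep -o '<[A-Za-z0-9:]*X509Certificate>[^<]*' |
        sed 's/^<[^>]*>//'
}

# Exit 0: certificate found in metadata; 1: not found; 2: no certificate in PEM.
idp_cert_matches() {
    body=$(pem_body "$1")
    [ -n "$body" ] || return 2
    metadata_certs "$2" | grep -qxF -- "$body"
}

# Constructed sample data (placeholder base64, not real certificates).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQtSURQ' \
    'LUNFUlQtQQ==' '-----END CERTIFICATE-----' > "$demo_dir/idp.crt"
cat > "$demo_dir/current.xml" <<'EOF'
<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
  <ds:X509Certificate>Q09OU1RSVUNURUQtSURQLUNFUlQtQQ==</ds:X509Certificate>
</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
EOF
cat > "$demo_dir/stale.xml" <<'EOF'
<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
  <ds:X509Certificate>Q09OU1RSVUNURUQtT0xELUNFUlQ=</ds:X509Certificate>
</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
EOF

for xml in "$demo_dir/current.xml" "$demo_dir/stale.xml"; do
    if idp_cert_matches "$demo_dir/idp.crt" "$xml"; then
        echo "MATCH    $xml"
    else
        echo "MISMATCH $xml"
    fi
done
```

On a real system, call `idp_cert_matches` with a certificate file from step 1 and a metadata file from step 2 in place of the constructed samples; a mismatch is the condition that step 4a addresses.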
