Problem: SSO Login Fails – Metadata Not Found for WebUntis
Problem:
When attempting to log in to WebUntis via SSO, the following error is displayed:
No metadata found
Tracking-ID: 5d1511c59a
No metadata for 'https://saml.webuntis.com/WebUntis/saml2/service-provider-metadata' found
SimpleSAML_Error_MetadataNotFound: METADATANOTFOUND('%ENTITYID%' => '\'https://saml.webuntis.com/WebUntis/saml2/service-provider-metadata\'')
Backtrace (excerpt):
SimpleSAML/Metadata/MetaDataStorageHandler.php:299
SimpleSAML/Metadata/MetaDataStorageHandler.php:319
modules/saml/lib/IdP/SAML2.php:334
www/saml2/idp/SSOService.php:19
When retrieving the Service Provider (SP) metadata via curl or browser, the request returns an HTTP 404 – Not Found:
root@ucs5primary:~# curl https://saml.webuntis.com/WebUntis/saml2/service-provider-metadata
<!doctype html>
<html lang="en">
<head><title>HTTP Status 404 – Not Found</title> … </head>
<body>
<h1>HTTP Status 404 – Not Found</h1>
<p><b>Message</b> No endpoint GET /WebUntis/saml2/service-provider-metadata.</p>
</body>
</html>
Root Cause:
The UCS SAML IdP cannot establish trust with the Service Provider because the SP metadata file is not available at the specified URL. Without valid metadata, the IdP cannot process authentication requests from WebUntis.
This is typically caused by either:
- An incorrect or outdated metadata URL, or
- A temporary/unavailable endpoint on the WebUntis side.
Solution:
To resolve the issue, ensure that the correct Service Provider metadata for WebUntis is imported into the UCS Identity Provider.
1. Retrieve WebUntis metadata and verify validity
Access the following URL in a browser or via the shell using curl and save the displayed XML file locally:
Browser
https://saml.webuntis.com/WebUntis/saml2/service-provider-metadata
Shell
curl https://saml.webuntis.com/WebUntis/saml2/service-provider-metadata -o webuntis-metadata.xml
If the URL does not return a valid XML file but instead a 404 error, please contact WebUntis support to obtain the correct metadata.
2. Add the Service Provider in UCS
- Log in to the Univention Management Console (UMC).
- Navigate to: Domain → SAML Identity Provider → Service Provider.
- Click Add.
- Upload the previously saved webuntis-metadata.xml file or (if functional) enter the metadata URL.
- Save the configuration.
The metadata will be distributed via the Univention Configuration Registry (UCR) automatically.
3. Restart relevant services
Apply the changes by restarting Apache and the UMC server:
systemctl restart apache2
systemctl restart univention-management-console-server
4. Test the SSO login
- Retry the WebUntis login with Single Sign-On.
- If the login still fails, check attribute mappings in the IdP:
  - Ensure the correct attribute (e.g. uid or mail) is configured as the NameID.
  - Verify additional attributes required by WebUntis are mapped.
Additional Notes
- If the SP metadata URL permanently returns 404, integration can only succeed using a manually provided XML metadata file from WebUntis support.
- Always confirm with the Service Provider whether they publish dynamic metadata or expect manual configuration.
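For step 1 and for metadata files received from WebUntis support, the following added example (not part of the original article) checks a saved file before it is uploaded in UMC, so that a saved 404 page or metadata for a different entity ID is caught early. The function names, the sample files and the sp.example.invalid location are constructed for illustration; it assumes the file's entityID must equal the ID named in the error message.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are hypothetical.
ENTITY_ID='https://saml.webuntis.com/WebUntis/saml2/service-provider-metadata'

# Download metadata; --fail makes curl exit non-zero on HTTP 404 instead of
# saving the HTML error page under the metadata file name.
fetch_sp_metadata() {  # usage: fetch_sp_metadata URL OUTFILE
    curl --fail --silent --show-error -o "$2.tmp" "$1" && mv "$2.tmp" "$2" ||
        { rm -f "$2.tmp"; return 1; }
}

# Return 0 only if FILE looks like SAML SP metadata for EXPECTED_ENTITY_ID.
check_sp_metadata() {  # usage: check_sp_metadata FILE EXPECTED_ENTITY_ID
    [ -s "$1" ] || { echo "missing or empty: $1" >&2; return 1; }
    if grep -qiE '<!doctype html|<html' "$1"; then
        echo "HTML page (e.g. a saved 404), not metadata" >&2; return 1
    fi
    # Well-formedness check when xmllint is installed; --nonet blocks DTD fetches.
    if command -v xmllint >/dev/null 2>&1; then
        xmllint --noout --nonet "$1" 2>/dev/null ||
            { echo "not well-formed XML" >&2; return 1; }
    fi
    for element in EntityDescriptor SPSSODescriptor AssertionConsumerService; do
        grep -q "$element" "$1" || { echo "no $element element" >&2; return 1; }
    done
    # Assumption: the IdP looks the SP up by entity ID, so it must match exactly.
    grep -qF -e "entityID=\"$2\"" -e "entityID='$2'" "$1" ||
        { echo "entityID is not $2" >&2; return 1; }
}

# Constructed sample files: minimal SP metadata and a 404 page like the one above.
write_samples() {  # usage: write_samples DIR
    cat > "$1/good.xml" <<EOF
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="$ENTITY_ID">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
EOF
    cat > "$1/404.xml" <<'EOF'
<!doctype html>
<html lang="en"><head><title>HTTP Status 404 – Not Found</title></head>
<body><h1>HTTP Status 404 – Not Found</h1></body></html>
EOF
}
```

Running `check_sp_metadata webuntis-metadata.xml "$ENTITY_ID"` before the upload in step 2 returns a non-zero exit status when the file should not be imported.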