Problem:
I am successfully logged in on my DC master via SSO, but I got the following error message when I tried to reach the UMC of a member server:
Internal Server-Error.
The SAML authentication failed. This might be a temporary problem. Please login again.
Further information can be found in the following logfiles:
* /var/log/univention/management-console-web-server.log
* /var/log/univention/management-console-server.log
Investigation:
Consult /var/log/syslog on the member server for error messages concerning SAML:
Apr 8 08:24:33 member python2.7: Loaded metadata from "/usr/share/univention-management-console/saml/idp/ucs-sso.schein.ig.xml"
Apr 8 08:24:33 member python2.7: SAML assertion issuer is https://ucs-sso.schein.ig/simplesamlphp/saml2/idp/metadata.php
Apr 8 08:24:33 member python2.7: SAML assertion signature verification failure (error -111)
Apr 8 08:24:33 member python2.7: pam_ldap: error trying to bind as user "uid=azimmer,cn=users,dc=schein,dc=ig" (Invalid credentials)
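According to the SAML workflow, the member server verifies the assertion signature against the certificate in its local copy of the IdP metadata, so we should check the certificates used in
/usr/share/univention-management-console/saml/idp/ucs-sso.schein.ig.xml
and
https://ucs-sso.schein.ig/simplesamlphp/saml2/idp/metadata.php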
Solution:
If the certificates are different, you may reset the UCR variable
ucr set umc/saml/idp-server="https://ucs-sso.$domain/simplesamlphp/saml2/idp/metadata.php"
and after that re-run the join script 92univention-management-console-web-server.inst with
univention-run-join-scripts --force --run-scripts 92univention-management-console-web-server