Problem with UCS SAML SSO

I have followed this post to set up SAML SSO as a single server solution:

and I am now able to access the SAML-Login via my normal FQDN.
But when trying to login using SAML the following error message appears:

[Screenshot: Univention Corporate Server Single-Sign-On]

I did some digging in the logfiles and came up with this (please note that I redacted the original domain and occurring IP addresses):

May 4 15:00:18 auth simplesamlphp[59922]: 4 [9e6bb11299] Returning error to SP with entity ID ''https://auth.example.de/univention/saml/metadata''.
May 4 15:00:18 auth simplesamlphp[59922]: 4 [9e6bb11299] SimpleSAML\Module\saml\Error\NoPassive: Passive authentication not supported./NoPassive
May 4 15:00:18 auth simplesamlphp[59922]: 4 [9e6bb11299] Backtrace:
May 4 15:00:18 auth simplesamlphp[59922]: 4 [9e6bb11299] 3 /usr/share/simplesamlphp/lib/SimpleSAML/IdP.php:342 (SimpleSAML_IdP::authenticate)
May 4 15:00:18 auth simplesamlphp[59922]: 4 [9e6bb11299] 2 /usr/share/simplesamlphp/lib/SimpleSAML/IdP.php:405 (SimpleSAML_IdP::handleAuthenticationRequest)
May 4 15:00:18 auth simplesamlphp[59922]: 4 [9e6bb11299] 1 /usr/share/simplesamlphp/modules/saml/lib/IdP/SAML2.php:435 (sspmod_saml_IdP_SAML2::receiveAuthnRequest)
May 4 15:00:18 auth simplesamlphp[59922]: 4 [9e6bb11299] 0 /usr/share/simplesamlphp/www/saml2/idp/SSOService.php:19 (N/A)
May 4 15:00:18 auth simplesamlphp[59922]: 4 [9e6bb11299] The class or interface 'SimpleSAML_Logger' is now using namespaces, please use 'SimpleSAML\Logger'.
May 4 15:00:18 auth simplesamlphp[59922]: 6 [9e6bb11299] SAML2.0 - IdP.SSOService: Accessing SAML 2.0 IdP endpoint SSOService
May 4 15:00:18 auth simplesamlphp[59922]: 6 [9e6bb11299] SAML2.0 - IdP.SSOService: incoming authentication request: 'https://auth.example.de/univention/saml/metadata'
May 4 15:00:19 auth simplesamlphp[59925]: 4 [9e6bb11299] Returning error to SP with entity ID ''https://auth.example.de/univention/saml/metadata''.
May 4 15:00:19 auth simplesamlphp[59925]: 4 [9e6bb11299] SimpleSAML\Module\saml\Error\NoPassive: Passive authentication not supported./NoPassive
May 4 15:00:19 auth simplesamlphp[59925]: 4 [9e6bb11299] Backtrace:
May 4 15:00:19 auth simplesamlphp[59925]: 4 [9e6bb11299] 3 /usr/share/simplesamlphp/lib/SimpleSAML/IdP.php:342 (SimpleSAML_IdP::authenticate)
May 4 15:00:19 auth simplesamlphp[59925]: 4 [9e6bb11299] 2 /usr/share/simplesamlphp/lib/SimpleSAML/IdP.php:405 (SimpleSAML_IdP::handleAuthenticationRequest)
May 4 15:00:19 auth simplesamlphp[59925]: 4 [9e6bb11299] 1 /usr/share/simplesamlphp/modules/saml/lib/IdP/SAML2.php:435 (sspmod_saml_IdP_SAML2::receiveAuthnRequest)
May 4 15:00:19 auth simplesamlphp[59925]: 4 [9e6bb11299] 0 /usr/share/simplesamlphp/www/saml2/idp/SSOService.php:19 (N/A)
May 4 15:00:19 auth simplesamlphp[59925]: 4 [9e6bb11299] The class or interface 'SimpleSAML_Logger' is now using namespaces, please use 'SimpleSAML\Logger'.
May 4 15:00:19 auth simplesamlphp[59925]: 6 [9e6bb11299] SAML2.0 - IdP.SSOService: Accessing SAML 2.0 IdP endpoint SSOService
May 4 15:00:19 auth simplesamlphp[59925]: 6 [9e6bb11299] SAML2.0 - IdP.SSOService: incoming authentication request: 'https://auth.example.de/univention/saml/metadata'
May 4 15:00:20 auth simplesamlphp[59930]: 4 [9e6bb11299] The class or interface 'SimpleSAML_Logger' is now using namespaces, please use 'SimpleSAML\Logger'.
May 4 15:00:20 auth simplesamlphp[59930]: 6 [9e6bb11299] SAML2.0 - IdP.SSOService: Accessing SAML 2.0 IdP endpoint SSOService
May 4 15:00:20 auth simplesamlphp[59930]: 6 [9e6bb11299] SAML2.0 - IdP.SSOService: incoming authentication request: 'https://auth.example.de/univention/saml/metadata'
May 4 15:00:20 auth simplesamlphp[59931]: 4 [9e6bb11299] Deprecated use of SimpleSAML\Locale\Translate::t(...) at /usr/share/simplesamlphp/lib/SimpleSAML/XHTML/Template.php:722. Please update the code to use the new style of parameters.
May 4 15:00:20 auth simplesamlphp[59931]: 4 [9e6bb11299] Code which uses $fallbackdefault === FALSE should be updated to use the getTag() method instead.
May 4 15:00:20 auth simplesamlphp[59931]: 4 [9e6bb11299] The class or interface 'SimpleSAML_Logger' is now using namespaces, please use 'SimpleSAML\Logger'.
May 4 15:00:22 auth simplesamlphp[59933]: 5 STAT [9e6bb11299] Unsuccessful login attempt from 123.456.789.123.
May 4 15:00:22 auth simplesamlphp[59933]: 4 [9e6bb11299] The class or interface 'SimpleSAML_Logger' is now using namespaces, please use 'SimpleSAML\Logger'.

The log states something about “Passive Authentication” not being enabled, which I don’t quite understand. I am logging in using the default SSO login page, which (to my understanding) should be as active of a login as it gets.

It might be worth mentioning that the login using normal authentication (Login without Single Sign On) works perfectly.

If anyone has any idea regarding this error I’d be more than happy to hear it :slight_smile:
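An added example, not part of the original post and not UCS or simpleSAMLphp code: a small triage script over an excerpt of the log lines quoted above that groups entries by tracking ID and separates the NoPassive responses from the "Unsuccessful login attempt" entry and the deprecation warnings. The category names and helper functions are this example's own.

```python
import re
from collections import defaultdict

# Excerpt of the simplesamlphp syslog lines quoted in the post above.
SAMPLE_LOG = r"""
May 4 15:00:18 auth simplesamlphp[59922]: 4 [9e6bb11299] SimpleSAML\Module\saml\Error\NoPassive: Passive authentication not supported./NoPassive
May 4 15:00:18 auth simplesamlphp[59922]: 4 [9e6bb11299] The class or interface 'SimpleSAML_Logger' is now using namespaces, please use 'SimpleSAML\Logger'.
May 4 15:00:19 auth simplesamlphp[59925]: 4 [9e6bb11299] SimpleSAML\Module\saml\Error\NoPassive: Passive authentication not supported./NoPassive
May 4 15:00:20 auth simplesamlphp[59930]: 6 [9e6bb11299] SAML2.0 - IdP.SSOService: incoming authentication request: 'https://auth.example.de/univention/saml/metadata'
May 4 15:00:20 auth simplesamlphp[59931]: 4 [9e6bb11299] Deprecated use of SimpleSAML\Locale\Translate::t(...) at /usr/share/simplesamlphp/lib/SimpleSAML/XHTML/Template.php:722. Please update the code to use the new style of parameters.
May 4 15:00:22 auth simplesamlphp[59933]: 5 STAT [9e6bb11299] Unsuccessful login attempt from 123.456.789.123.
"""

# syslog prefix, numeric log level, optional STAT marker, [tracking ID], message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+simplesamlphp\[(?P<pid>\d+)\]:\s+"
    r"(?P<level>\d)\s+(?:STAT\s+)?\[(?P<track>[0-9a-f]+)\]\s+(?P<msg>.*)$"
)

# Substrings taken from the log above; the category names are this example's own.
CATEGORIES = [
    ("passive_rejected", "NoPassive: Passive authentication not supported"),
    ("login_failed", "Unsuccessful login attempt from"),
    ("authn_request", "incoming authentication request"),
    ("deprecation_noise", "is now using namespaces"),
    ("deprecation_noise", "Deprecated use of"),
]

def classify(msg):
    for name, needle in CATEGORIES:
        if needle in msg:
            return name
    return "other"

def triage(log_text):
    """Group events by tracking ID; return {track: {category: [timestamps]}}."""
    sessions = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            sessions[m["track"]][classify(m["msg"])].append(m["ts"])
    return {t: dict(c) for t, c in sessions.items()}

def failed_logins(log_text):
    """Return (track, timestamp) for each unsuccessful login, skipping NoPassive entries."""
    return [(t, ts) for t, cats in triage(log_text).items()
            for ts in cats.get("login_failed", [])]

if __name__ == "__main__":
    for track, cats in triage(SAMPLE_LOG).items():
        print(track, {k: len(v) for k, v in cats.items()})
    print(failed_logins(SAMPLE_LOG))
```

In SAML 2.0, a NoPassive status is the IdP's answer to an AuthnRequest sent with `IsPassive="true"` when it cannot authenticate the user without interaction, so those entries are a separate event from the login attempt logged at 15:00:22.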

Is no one able to help?

Seems nobody can help. Since the upgrade to 4.4.4 I am facing only weird problems and setting losses.
Hope somebody reads and checks this to give us great support.
