SAML certificate verification failed

On the DC Master I get this error:

SAML certificate verification failed
The certificate of the SAML service provider does not match.


I had this on all five servers incl. the backup DC, but after rejoining the domain it disappeared on all except the Master DC.

How can I solve this?



Hello Urs,

did you renew the certificates recently?

The routine throwing this exception has some hints about what it does and what to check, including some topics related to the renewal.

from ldap.filter import filter_format
from xml.etree.ElementTree import fromstring
import univention.uldap
from univention.config_registry import ConfigRegistry
from univention.lib.i18n import Translation
from univention.management.console.modules.diagnostic import Critical

_ = Translation('univention-management-console-module-diagnostic').translate
ucr = ConfigRegistry()
ucr.load()

def test_service_provider_certificate():
    # compare /etc/univention/ssl/$(hostname -f)/cert.pem with
    # univention-ldapsearch -LLL "(&(serviceProviderMetadata=*)(univentionObjectType=saml/serviceprovider)(SAMLServiceProviderIdentifier=https://$(hostname -f)/univention/saml/metadata))" serviceProviderMetadata  | ldapsearch-wrapper | ldapsearch-decode64
    # If it fails: /usr/share/univention-management-console/saml/update_metadata
    # fails because was not used.
    lo = univention.uldap.getMachineConnection()
    fqdn = '%s.%s' % (ucr.get('hostname'), ucr.get('domainname'))
    certs = lo.search(filter_format('(&(serviceProviderMetadata=*)(univentionObjectType=saml/serviceprovider)(SAMLServiceProviderIdentifier=https://%s/univention/saml/metadata))', [fqdn]), attr=['serviceProviderMetadata'])
    with open('/etc/univention/ssl/%s/cert.pem' % fqdn) as fd:
        local_cert = fd.read()  # read once, not once per loop iteration
    for cert in certs:
        # the SP certificate sits in <ds:X509Certificate>, i.e. in the XML-DSig namespace
        node = fromstring(cert[1]['serviceProviderMetadata'][0]).find('.//{http://www.w3.org/2000/09/xmldsig#}X509Certificate')
        if node is None or node.text.strip() not in local_cert:
            raise Critical(_('The certificate of the SAML service provider does not match.'))

Best Regards,
Dirk Ahrnke
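To see what the diagnostic check above actually compares, here is an added stand-alone example (not code from the UCS diagnostic module or from Dirk's post): it extracts the ds:X509Certificate from SP metadata, decodes both it and cert.pem to DER and compares the bytes, so the result does not depend on how either side wraps the base64 lines, which the plain substring test is sensitive to. The metadata document, the PEM body and the entity ID are constructed sample values, not real certificates.

```python
import base64
import hashlib
import re
from xml.etree.ElementTree import fromstring

DS_NS = '{http://www.w3.org/2000/09/xmldsig#}'  # namespace of <ds:X509Certificate>

def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in a PEM file."""
    m = re.search(r'-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----', pem_text, re.S)
    if not m:
        raise ValueError('no CERTIFICATE block found')
    return base64.b64decode(''.join(m.group(1).split()))

def metadata_certs_der(metadata_xml):
    """DER bytes of every ds:X509Certificate in SAML metadata, whitespace-normalised."""
    root = fromstring(metadata_xml)
    return [base64.b64decode(''.join((n.text or '').split())) for n in root.iter(DS_NS + 'X509Certificate')]

def fingerprint(der):
    """SHA-256 fingerprint, handy for reporting which certificate each side holds."""
    return hashlib.sha256(der).hexdigest()

def service_provider_cert_matches(pem_text, metadata_xml):
    """True if the local cert.pem is one of the certificates published in the SP metadata."""
    return pem_to_der(pem_text) in metadata_certs_der(metadata_xml)

def naive_check(pem_text, metadata_xml):
    """The substring test from the diagnostic routine: depends on identical line wrapping."""
    node = fromstring(metadata_xml).find('.//' + DS_NS + 'X509Certificate')
    return node is not None and node.text.strip() in pem_text

# Constructed sample data: not a real certificate, only bytes that round-trip through base64.
_DER = b'constructed: not a real X.509 certificate, only sample bytes for the comparison' * 2
_B64 = base64.b64encode(_DER).decode()
# cert.pem wraps the body at 64 columns, as openssl writes it.
SAMPLE_PEM = '-----BEGIN CERTIFICATE-----\n' + '\n'.join(_B64[i:i + 64] for i in range(0, len(_B64), 64)) + '\n-----END CERTIFICATE-----\n'
# Constructed metadata carrying the same certificate on a single line (the wrapping case).
SAMPLE_METADATA = ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
                   'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://ucs.example.invalid/univention/saml/metadata">'
                   '<md:SPSSODescriptor><md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
                   + _B64 + '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:SPSSODescriptor></md:EntityDescriptor>')
# Metadata for a different (also constructed) certificate, the case the diagnostic should flag.
OTHER_METADATA = SAMPLE_METADATA.replace(_B64, base64.b64encode(b'a different constructed certificate').decode())

if __name__ == '__main__':
    print('naive substring check:', naive_check(SAMPLE_PEM, SAMPLE_METADATA))
    print('normalised DER check: ', service_provider_cert_matches(SAMPLE_PEM, SAMPLE_METADATA))
    print('SHA-256 of local cert:', fingerprint(pem_to_der(SAMPLE_PEM)))
```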