SAML certificate verification failed

saml

#1

Hello,

on the DC Master I get this error

SAML certificate verification failed
The certificate of the SAML service provider does not match.


I had this on all five servers incl. backup DC, but after rejoining the domain it disappeared on all except the Master DC.

How do I solve this?

thanks


#2

Hello Urs,

did you renew the certificates recently?

The routine throwing this exception has some hints on what it does and what to check, including some topics on help.univention.com which are related to the renewal.
From /usr/share/pyshared/univention/management/console/modules/diagnostic/plugins/04_saml_certificate_check.py:

    import univention.uldap
    from ldap.filter import filter_format
    from xml.etree.ElementTree import fromstring
    from univention.config_registry import ConfigRegistry
    from univention.management.console.modules.diagnostic import Critical
    # _() (gettext) and find_node() are defined elsewhere in the plugin module;
    # find_node(node, tag) returns the first descendant element with that tag.

    ucr = ConfigRegistry()
    ucr.load()

    def test_service_provider_certificate():
        # compare /etc/univention/ssl/$(hostname -f)/cert.pem with
        # univention-ldapsearch -LLL "(&(serviceProviderMetadata=*)(univentionObjectType=saml/serviceprovider)(SAMLServiceProviderIdentifier=https://$(hostname -f)/univention/saml/metadata))" serviceProviderMetadata  | ldapsearch-wrapper | ldapsearch-decode64
        # If it fails: /usr/share/univention-management-console/saml/update_metadata
        #
        # fails because https://help.univention.com/t/renewing-the-ssl-certificates/37 was not used. https://help.univention.com/t/renewing-the-complete-ssl-certificate-chain/36
        fqdn = '%s.%s' % (ucr.get('hostname'), ucr.get('domainname'))
        lo = univention.uldap.getMachineConnection()
        # service provider object(s) for this host; the metadata XML is stored in LDAP
        certs = lo.search(filter_format('(&(serviceProviderMetadata=*)(univentionObjectType=saml/serviceprovider)(SAMLServiceProviderIdentifier=https://%s/univention/saml/metadata))', [fqdn]), attr=['serviceProviderMetadata'])
        # read the local host certificate once; reading inside the loop would leave
        # an empty string for every object after the first
        with open('/etc/univention/ssl/%s/cert.pem' % fqdn) as fd:
            local_cert = fd.read()
        for cert in certs:
            # base64 certificate published in the SP metadata, without PEM armour
            cert = find_node(fromstring(cert[1]['serviceProviderMetadata'][0]), '{http://www.w3.org/2000/09/xmldsig#}X509Certificate')
            # plain substring test: only matches when both sides use the same line wrapping
            if cert.text.strip() not in local_cert:
                raise Critical(_('The certificate of the SAML service provider does not match.'))

Best Regards,
Dirk Ahrnke
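To make the check above reproducible without a UCS host, here is an added example (not Univention's code) that performs the same comparison on constructed inputs: a minimal SP metadata document carrying a ds:X509Certificate and a PEM file. It compares the decoded DER bytes rather than raw text, so it is independent of base64 line wrapping, and contrasts that with the substring test the plugin uses. The DER payloads, entityID and line widths are constructed placeholders, not real certificates or UCS values.

```python
# Added example (not Univention's code): compare the X.509 certificate embedded
# in SAML service-provider metadata with a local PEM certificate, independent of
# line wrapping, whitespace and PEM armour. All inputs below are constructed.
import base64
import re
import textwrap
import xml.etree.ElementTree as ET

DS_NS = '{http://www.w3.org/2000/09/xmldsig#}'


def pem_to_der(pem_text):
    """Extract the first CERTIFICATE block from PEM text and return its DER bytes."""
    match = re.search(
        r'-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----', pem_text, re.S)
    if not match:
        raise ValueError('no CERTIFICATE block found in PEM input')
    return base64.b64decode(''.join(match.group(1).split()))


def metadata_certs(metadata_xml):
    """Return the DER bytes of every ds:X509Certificate element in SP metadata."""
    root = ET.fromstring(metadata_xml)
    return [base64.b64decode(''.join(node.text.split()))
            for node in root.iter(DS_NS + 'X509Certificate') if node.text]


def sp_certificate_matches(metadata_xml, pem_text):
    """True if the local PEM certificate is among those published in the metadata.
    Comparing DER bytes avoids false mismatches caused by different base64 line
    wrapping on the two sides."""
    local_der = pem_to_der(pem_text)
    return any(der == local_der for der in metadata_certs(metadata_xml))


def naive_substring_check(metadata_xml, pem_text):
    """The wrap-sensitive comparison for contrast: the metadata's base64 text must
    appear verbatim inside the raw PEM text."""
    root = ET.fromstring(metadata_xml)
    node = next(root.iter(DS_NS + 'X509Certificate'))
    return node.text.strip() in pem_text


def _fake_pem(der, width):
    """Build PEM armour around DER bytes with base64 lines of the given width."""
    body = base64.b64encode(der).decode('ascii')
    return ('-----BEGIN CERTIFICATE-----\n' + '\n'.join(textwrap.wrap(body, width))
            + '\n-----END CERTIFICATE-----\n')


def _fake_metadata(der, width):
    """Build a minimal SP metadata document carrying the DER as ds:X509Certificate."""
    body = '\n'.join(textwrap.wrap(base64.b64encode(der).decode('ascii'), width))
    return ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
            'entityID="https://sp.example.test/metadata">'  # placeholder entityID
            '<md:SPSSODescriptor><md:KeyDescriptor><ds:KeyInfo><ds:X509Data>'
            '<ds:X509Certificate>\n%s\n</ds:X509Certificate>'
            '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:SPSSODescriptor>'
            '</md:EntityDescriptor>' % body)


# Constructed placeholder "DER" payloads; a real check would read cert.pem and
# the serviceProviderMetadata LDAP attribute instead.
CURRENT_DER = b'constructed-placeholder-der-of-the-current-certificate'
OLD_DER = b'constructed-placeholder-der-of-the-certificate-before-renewal'

# Same certificate, different line wrapping on each side (76 vs 64 columns).
METADATA_CURRENT = _fake_metadata(CURRENT_DER, 76)
PEM_CURRENT = _fake_pem(CURRENT_DER, 64)
# Metadata still carrying the pre-renewal certificate: the mismatch the
# diagnostic reports after certificates were renewed without updating metadata.
METADATA_STALE = _fake_metadata(OLD_DER, 76)

if __name__ == '__main__':
    print('current metadata vs current cert.pem :', sp_certificate_matches(METADATA_CURRENT, PEM_CURRENT))
    print('stale metadata vs current cert.pem   :', sp_certificate_matches(METADATA_STALE, PEM_CURRENT))
    print('naive substring test, mixed wrapping :', naive_substring_check(METADATA_CURRENT, PEM_CURRENT))
```

The stale-metadata case is the one the diagnostic flags: the LDAP metadata still carries the old certificate while cert.pem holds the renewed one, which is why regenerating the metadata (the update_metadata step the plugin's comment points to) clears it. The last line shows that the substring test can also fail purely because of line wrapping, so when investigating a mismatch it is worth confirming the decoded certificates really differ before concluding the metadata is stale.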