SAML error - incorrect setup?

tomtomnz · July 11, 2017, 9:03pm

Morning all

I’ve never been able to get SSO working in my UCS domain. I’m not sure if its because I’m not setting it up correctly, or due to error.

The error message indicates the search username & password are incorrect. Do I have to change any default settings under the UCS DC ‘SAML service provider basic settings’?

Error message below.

My test user is the main admin account, and it has the domain controller added as a service provider under the user SAML settings.

Backtrace:
0 /usr/share/simplesamlphp/www/module.php:180 (N/A)
Caused by: Exception: Error authenticating using search username & password.
Backtrace:
4 /usr/share/simplesamlphp/modules/ldap/lib/ConfigHelper.php:196 (sspmod_ldap_ConfigHelper::login)
3 /usr/share/simplesamlphp/modules/uldap/lib/Auth/Source/uLDAP.php:57 (sspmod_uldap_Auth_Source_uLDAP::login)
2 /usr/share/simplesamlphp/modules/core/lib/Auth/UserPassBase.php:253 (sspmod_core_Auth_UserPassBase::handleLogin)
1 /usr/share/simplesamlphp/modules/core/www/loginuserpass.php:67 (require)
0 /usr/share/simplesamlphp/www/module.php:137 (N/A)

Best · July 19, 2017, 9:24am

There might be more information in the syslog if you increase the loglevel (ucr set saml/idp/log/level=DEBUG). Could you attach the /var/log/syslog and /var/log/simplesamlphp/* contents (in an anonymized form) from the time where you try to authenticate?

tomtomnz · July 26, 2017, 12:30am

Hi Best

The only reference I can find in syslog during the authentication time frame is:

Jul 26 12:08:19 havucsdc python2.7: saml_msg is too small: minlength = 128

There is nothing in the /var/log/simplesamlphp/ directory.

Syslog for the authentication time frame attached.

Thanks
syslog_section.txt (5.1 KB)

Best · July 26, 2017, 1:06pm

I assume the logfiles are from a DC Slave? The Identity Provider is on the DC Master and all DC Backups.Could you have a look at the logfiles there with enabled saml/idp/log/level=DEBUG?

damrose · July 26, 2017, 1:09pm

Two UCR variables have to be set to enable logging:
ucr set saml/idp/log/debug/enabled=TRUE saml/idp/log/level=DEBUG

tomtomnz · July 26, 2017, 9:47pm

Morning guys

Logfiles were from the DC Master. Additional info included below after setting the additional UCR variable.

Still no logs in the /var/log/simplesamlphp/ directory.

Thanks

syslog_section.txt (68.5 KB)

Best · July 27, 2017, 2:05pm

It seems the memcache server has problems:
s_connect: connect 192.168.11.21:11212: No route to host (113)
SimpleSAML_Error_Exception: Error 8 - MemcachePool::get(): Server unix:///var/run/univention-saml/havucsbc.rdcl.local.socket (tcp 0, udp 0) failed with: Read failed (socket was unexpectedly closed) (0)