SAML error - incorrect setup?

saml

#1

Morning all

I’ve never been able to get SSO working in my UCS domain. I’m not sure if it’s because I’m not setting it up correctly, or due to an error.

The error message indicates the search username & password are incorrect. Do I have to change any default settings under the UCS DC ‘SAML service provider basic settings’?

Error message below.

My test user is the main admin account, and it has the domain controller added as a service provider under the user SAML settings.

Backtrace:
0 /usr/share/simplesamlphp/www/module.php:180 (N/A)
Caused by: Exception: Error authenticating using search username & password.
Backtrace:
4 /usr/share/simplesamlphp/modules/ldap/lib/ConfigHelper.php:196 (sspmod_ldap_ConfigHelper::login)
3 /usr/share/simplesamlphp/modules/uldap/lib/Auth/Source/uLDAP.php:57 (sspmod_uldap_Auth_Source_uLDAP::login)
2 /usr/share/simplesamlphp/modules/core/lib/Auth/UserPassBase.php:253 (sspmod_core_Auth_UserPassBase::handleLogin)
1 /usr/share/simplesamlphp/modules/core/www/loginuserpass.php:67 (require)
0 /usr/share/simplesamlphp/www/module.php:137 (N/A)


#2

There might be more information in the syslog if you increase the loglevel (ucr set saml/idp/log/level=DEBUG). Could you attach the /var/log/syslog and /var/log/simplesamlphp/* contents (in an anonymized form) from the time where you try to authenticate?


#3

Hi Best

The only reference I can find in syslog during the authentication time frame is:

Jul 26 12:08:19 havucsdc python2.7: saml_msg is too small: minlength = 128

There is nothing in the /var/log/simplesamlphp/ directory.

Syslog for the authentication time frame attached.

Thanks
syslog_section.txt (5.1 KB)


#4

I assume the logfiles are from a DC Slave? The Identity Provider is on the DC Master and all DC Backups. Could you have a look at the logfiles there with saml/idp/log/level=DEBUG enabled?


#5

Two UCR variables have to be set to enable logging:
ucr set saml/idp/log/debug/enabled=TRUE saml/idp/log/level=DEBUG


#6

Morning guys

Logfiles were from the DC Master. Additional info included below after setting the additional UCR variable.

Still no logs in the /var/log/simplesamlphp/ directory.

Thanks

syslog_section.txt (68.5 KB)


#7

It seems the memcache server has problems:
s_connect: connect 192.168.11.21:11212: No route to host (113)
SimpleSAML_Error_Exception: Error 8 - MemcachePool::get(): Server unix:///var/run/univention-saml/havucsbc.rdcl.local.socket (tcp 0, udp 0) failed with: Read failed (socket was unexpectedly closed) (0)
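As an added example (not code from the thread or from Univention), the following Python script pulls the memcache endpoints and failure reasons out of SimpleSAMLphp/syslog lines like the two quoted above, so the unreachable backend (a TCP peer or a unix socket) can be spotted and probed before digging into the SAML configuration itself. The sample log text is constructed from the lines in this thread; the `probe_endpoint` helper is an assumed convenience for checking reachability with a timeout and is not part of UCS.

```python
import re
import socket
from dataclasses import dataclass
from typing import List

# Constructed sample: the syslog line from post #3 plus the two memcache
# errors from post #7. Only the memcache lines should be picked up.
SAMPLE_LOG = """\
Jul 26 12:08:19 havucsdc python2.7: saml_msg is too small: minlength = 128
s_connect: connect 192.168.11.21:11212: No route to host (113)
SimpleSAML_Error_Exception: Error 8 - MemcachePool::get(): Server unix:///var/run/univention-saml/havucsbc.rdcl.local.socket (tcp 0, udp 0) failed with: Read failed (socket was unexpectedly closed) (0)
"""


@dataclass
class MemcacheFailure:
    endpoint: str   # "host:port" for TCP peers, "unix:///path" for sockets
    reason: str     # failure text reported by the memcache client
    code: int       # numeric code in the trailing parentheses


# "connect <host>:<port>: <reason> (<errno>)" as emitted on a failed TCP connect
TCP_RE = re.compile(
    r"connect (?P<host>[\w.\-]+):(?P<port>\d+): (?P<reason>.+?) \((?P<code>\d+)\)$"
)
# "MemcachePool::<op>(): Server <server> (tcp N, udp N) failed with: <reason> (<code>)"
POOL_RE = re.compile(
    r"MemcachePool::\w+\(\): Server (?P<server>\S+) \(tcp \d+, udp \d+\) "
    r"failed with: (?P<reason>.+) \((?P<code>\d+)\)$"
)


def parse_memcache_failures(text: str) -> List[MemcacheFailure]:
    """Return one MemcacheFailure per memcache error line; other lines are ignored."""
    failures: List[MemcacheFailure] = []
    for line in text.splitlines():
        m = TCP_RE.search(line)
        if m:
            failures.append(MemcacheFailure(f"{m['host']}:{m['port']}", m["reason"], int(m["code"])))
            continue
        m = POOL_RE.search(line)
        if m:
            failures.append(MemcacheFailure(m["server"], m["reason"], int(m["code"])))
    return failures


def unique_endpoints(failures: List[MemcacheFailure]) -> List[str]:
    """Distinct endpoints in first-seen order, i.e. the list worth probing."""
    seen: List[str] = []
    for f in failures:
        if f.endpoint not in seen:
            seen.append(f.endpoint)
    return seen


def probe_endpoint(endpoint: str, timeout: float = 2.0) -> bool:
    """Assumed helper: True if a connect() to the endpoint succeeds within timeout.

    Handles both forms the log can report: unix:///path and host:port.
    """
    try:
        if endpoint.startswith("unix://"):
            path = endpoint[len("unix://"):]
            with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
                s.settimeout(timeout)
                s.connect(path)
        else:
            host, port = endpoint.rsplit(":", 1)
            with socket.create_connection((host, int(port)), timeout=timeout):
                pass
        return True
    except OSError:
        return False


if __name__ == "__main__":
    found = parse_memcache_failures(SAMPLE_LOG)
    for f in found:
        print(f"{f.endpoint}: {f.reason} (code {f.code})")
    for ep in unique_endpoints(found):
        print(f"probe {ep}: {'reachable' if probe_endpoint(ep) else 'UNREACHABLE'}")
```

Running it against real `/var/log/syslog` output from the DC Master lists every memcache backend the IdP complained about; an `UNREACHABLE` TCP peer points at routing or firewall rules between the SAML hosts, while an unreachable unix socket points at the local univention-saml memcache service not running.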