Problem:
- Join-script 92univention-management-console-web-server.inst fails with various Single Sign On errors.
Possible solutions:
- If you use an external DNS server where you can only configure one record, see SDB article 1352.
- If the join script fails because you have an external DNS server where you can configure only one record, you can temporarily configure the UCS master as DNS server and rerun the join scripts. If the join is successful, you can restore the DNS server.
- Is the browser able to resolve the http URI .domainname?
  Accessing the address with a browser should present a page with the Univention logo. If it does not, check whether a virtual host entry exists in /etc/apache2/sites-available/univention-saml and whether the certificate for ucs-sso.$domainname exists:
  ```
  ls -l /etc/univention/ssl/ucs-sso* /etc/simplesamlphp/ucs-sso*
  -rw-r--r-- 1 root samlcgi 5445 Jan 29 12:43 /etc/simplesamlphp/ucs-sso.univention.local-idp-certificate.crt
  -rw-r----- 1 root samlcgi 1675 Jan 29 12:43 /etc/simplesamlphp/ucs-sso.univention.local-idp-certificate.key
  /etc/univention/ssl/ucs-sso.univention.local:
  insgesamt 20
  -rw-r----- 1 root DC Backup Hosts 5381 Feb 18 16:18 cert.pem
  -rw-r----- 1 root DC Backup Hosts 2797 Feb 18 16:18 openssl.cnf
  -rw-r----- 1 root DC Backup Hosts 1675 Feb 18 16:18 private.key
  -rw-r----- 1 root DC Backup Hosts 1289 Feb 18 16:18 req.pem
  ```
  If not, run:
  ```
  univention-run-join-scripts --force --run-scripts 91univention-saml.inst
  ucr commit /etc/apache2/sites-available/univention-saml
  invoke-rc.d apache2 restart
  ```
- Check whether the host record “ucs-sso” exists and the correct IP address is set:
  ```
  univention-ldapsearch relativeDomainName=ucs-sso univentionObjectType aRecord
  ```
  The univentionObjectType should return “dns/host_record” and the A record should contain the IP addresses of the master and backup servers, which have to be pingable and resolvable.
- If you find the following curl message in the join.log:
  ```
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
    0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (51) SSL: certificate subject name 'mdc.univention.local' does not match target host name 'ucs-sso.univention.local'
  ```
  - Check the UCR variable ucs/server/sso/fqdn; it should contain ucs-sso.univention.local.
  - Check whether the certificate is configured in /etc/apache2/sites-enabled/univention-saml.
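
The host record check described above (object type `dns/host_record`, A record listing exactly the master and backup server addresses) can be scripted. This is an added example, not part of the original article or of UCS; the function name `check_sso_record`, the sample LDIF and the IP addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: validate the "ucs-sso" host record from LDIF on stdin.
# On a UCS system, feed it the search shown in the article:
#   univention-ldapsearch relativeDomainName=ucs-sso univentionObjectType aRecord \
#     | check_sso_record <master-ip> <backup-ip>

# check_sso_record EXPECTED_IP...   (hypothetical helper name)
# Prints one finding per line; returns 0 only if the object type is
# dns/host_record and the aRecord set equals the expected IP set.
check_sso_record() {
    awk -v want="$*" '
        BEGIN { n = split(want, want_ips, " ")
                for (i = 1; i <= n; i++) expected[want_ips[i]] = 1 }
        /^dn: /                   { entries++ }
        /^univentionObjectType: / { type = $2 }
        /^aRecord: /              { have[$2] = 1 }
        END {
            if (entries == 0) { print "FAIL no ucs-sso entry found"; exit 1 }
            if (type != "dns/host_record") {
                print "FAIL univentionObjectType is \"" type "\""; bad = 1 }
            for (i = 1; i <= n; i++)        # server missing from the record
                if (!(want_ips[i] in have)) {
                    print "FAIL aRecord missing " want_ips[i]; bad = 1 }
            for (ip in have)                # stale address still published
                if (!(ip in expected)) {
                    print "FAIL aRecord has unexpected " ip; bad = 1 }
            if (!bad) print "OK"
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample search output (DN and addresses are illustrative).
SAMPLE_LDIF='dn: relativeDomainName=ucs-sso,zoneName=univention.local,cn=dns,dc=univention,dc=local
univentionObjectType: dns/host_record
aRecord: 10.200.3.10
aRecord: 10.200.3.11'

printf '%s\n' "$SAMPLE_LDIF" | check_sso_record 10.200.3.10 10.200.3.11
```

An address reported as unexpected is worth checking against decommissioned servers, since clients resolving ucs-sso may be handed an address that no longer answers.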