UCS SAML-based SSO not working in 5.0-2 errata441

Hi,

I am trying to leverage the standard SAML IDP on UCS, as described in documentation
https://docs.software-univention.de/manual/5.0/en/central-management-umc/login.html
I set portal/auth-mode=saml as per documentation

When I try to log in however I get a URL not found:
https://ucs-sso.netrik.net/simplesamlphp/saml2/idp/SSOService.php?SAMLRequest=

Not Found

The requested URL was not found on this server.

I tracked this down to following apache config in /etc/apache2/sites-enabled/univention-saml.conf

<Directory /usr/share/simplesamlphp/www/>
    <FilesMatch ".+.ph(p[345]?|t|tml)$">
        SetHandler php-cgi

Action php-cgi /saml-bin/php-cgi

Where /saml-bin = /var/www/saml

the php-cgi file in that directory is a shell script that executes the following:
exec /usr/bin/php-cgi7.3 -c /etc/php/7.3/apache2 "$@"

the config directory /etc/php/7.3/apache2 does not exist. I tried to replace it with a directory where I put a php.ini file, but got the same result.

I also tried placing a different simple php script in /usr/share/simplesamlphp/www/ to see if that executes, but the result is the same, php does not seem to execute in this directory with this handler.

Anyone have any ideas? Is anyone else successfully using SAML SSO on Univention 5.0?

Thanks,

Bart

In the meantime I also tested with 4.4, same problem there: the handler for the php script does not seem to work there either. I've commented out the handler and also tried installing the php apache module; after changing group ownership of the /etc/simplesamlphp files to www-data (not so secure), the scripts run with no errors, but I just get a blank screen when trying to run SSO.

I'm not running Univention in production yet, still evaluating... Has anyone gotten SSO to work?

Thanks,

Bart
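The failure described in both posts is a broken link somewhere in the chain SetHandler -> Action -> ScriptAlias -> wrapper script -> php-cgi binary and its -c directory; Apache only answers "Not Found" or a blank page, so the chain has to be checked by hand. The script below is an added diagnostic, written for this thread and not part of the original post or of Univention's own tooling. It parses a config fragment modelled on the quoted univention-saml.conf (the ScriptAlias line mapping /saml-bin/ to /var/www/saml/ is an assumption about how that alias is declared), follows each directive to the filesystem, and reports the first missing piece. The `root` parameter lets it run against a throwaway tree that reproduces the post's state (wrapper present, /etc/php/7.3/apache2 absent), so it runs offline; point it at "/" on a real host.

```python
# Added diagnostic for an Apache Action/SetHandler php-cgi chain.
# Not from the forum post or Univention; config fragment and fake tree are constructed.
import os
import re
import stat
import tempfile

# Constructed fragment modelled on the lines quoted in the post.
# The ScriptAlias line is an assumption about how /saml-bin maps to /var/www/saml.
SAMPLE_CONF = r'''
ScriptAlias /saml-bin/ /var/www/saml/
<Directory /usr/share/simplesamlphp/www/>
    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
        SetHandler php-cgi
    </FilesMatch>
</Directory>
Action php-cgi /saml-bin/php-cgi
'''


def parse_conf(text):
    """Pull out the directives that form the handler chain."""
    handlers = re.findall(r'^\s*SetHandler\s+(\S+)', text, re.M)
    actions = dict(re.findall(r'^\s*Action\s+(\S+)\s+(\S+)', text, re.M))
    aliases = dict(re.findall(r'^\s*(?:Script)?Alias\s+(\S+)\s+(\S+)', text, re.M))
    return {"handlers": handlers, "actions": actions, "aliases": aliases}


def url_to_path(url, aliases):
    """Map a URL to a filesystem path via the longest matching (Script)Alias prefix."""
    for prefix in sorted(aliases, key=len, reverse=True):
        if url.startswith(prefix):
            return os.path.join(aliases[prefix], url[len(prefix):])
    return None


def check_chain(text, root="/"):
    """Return a list of problems; an empty list means every link resolves.

    `root` is prepended to every absolute path so the check can run
    against a fake tree; use "/" on a live system."""
    conf = parse_conf(text)
    problems = []
    for handler in conf["handlers"]:
        action_url = conf["actions"].get(handler)
        if action_url is None:
            problems.append(f"SetHandler {handler} has no matching Action directive")
            continue
        wrapper = url_to_path(action_url, conf["aliases"])
        if wrapper is None:
            problems.append(f"Action target {action_url} is not covered by any Alias/ScriptAlias")
            continue
        real = os.path.join(root, wrapper.lstrip("/"))
        if not os.path.isfile(real):
            problems.append(f"wrapper {wrapper} does not exist")
            continue
        if not os.stat(real).st_mode & stat.S_IXUSR:
            problems.append(f"wrapper {wrapper} is not executable")
        with open(real) as fh:
            body = fh.read()
        # The wrapper quoted in the post is "exec /usr/bin/php-cgi7.3 -c <dir> "$@"".
        m = re.search(r'exec\s+(\S+)\s+-c\s+(\S+)', body)
        if not m:
            problems.append(f"wrapper {wrapper} does not exec php-cgi with -c")
            continue
        binary, inidir = m.groups()
        if not os.path.isfile(os.path.join(root, binary.lstrip("/"))):
            problems.append(f"php-cgi binary {binary} missing")
        if not os.path.isdir(os.path.join(root, inidir.lstrip("/"))):
            problems.append(f"php.ini directory {inidir} missing (php-cgi -c target)")
    return problems


def build_fake_tree(with_ini_dir):
    """Construct a throwaway tree reproducing the state described in the post."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "var/www/saml"))
    os.makedirs(os.path.join(root, "usr/bin"))
    open(os.path.join(root, "usr/bin/php-cgi7.3"), "w").close()
    wrapper = os.path.join(root, "var/www/saml/php-cgi")
    with open(wrapper, "w") as fh:
        fh.write('#!/bin/sh\nexec /usr/bin/php-cgi7.3 -c /etc/php/7.3/apache2 "$@"\n')
    os.chmod(wrapper, 0o755)
    if with_ini_dir:
        os.makedirs(os.path.join(root, "etc/php/7.3/apache2"))
    return root


if __name__ == "__main__":
    for problem in check_chain(SAMPLE_CONF, build_fake_tree(with_ini_dir=False)):
        print(problem)
```

Two caveats the check does not cover: `Action` and `ScriptAlias` only exist when mod_actions, mod_alias and mod_cgi (or mod_cgid) are loaded, so a missing module produces the same "Not Found" as a missing file; and an Action wrapper like this is normally used so the IdP's configuration and signing key do not have to be readable by the web server's own user (whether UCS pairs it with suexec is an assumption here, not something the thread states). Making /etc/simplesamlphp group-readable by www-data, as the second post does, removes that separation, which is why it is worth fixing the handler chain rather than working around it.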
