UCS Single Sign On

Hi @all,

I would like to make SSO externally accessible. To do this, I follow these instructions:

The initial situation is as follows. ucs-sso is on the master. This was installed with an internal domain. srv01.internal.local / 192.168.24.5

Thus, “Scenario 2, Portal and Single Sign On at the same FQDN” is relevant for me, right?

With the penultimate command, I get an error because no certificate is available for the new host name.

FQDN=ucs-sso.external.de

ucr set ucs/server/sso/autoregistraton=no \
        saml/idp/entityID="https://${FQDN}/simplesamlphp/saml2/idp/metadata.php" \
        ucs/server/sso/fqdn=$FQDN \
        umc/saml/sp-server=$FQDN \
        ucs/server/sso/virtualhost=false

echo "ServerName $FQDN" >>/etc/apache2/ucs-sites.conf.d/servername.conf

univention-run-join-scripts --force --run-scripts 91univention-saml.inst
ucr set umc/saml/idp-server=https://${FQDN}/simplesamlphp/saml2/idp/metadata.php

Setting umc/saml/idp-server
Module: setup_saml_sp
Try to download idp metadata (1/60)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4966    0  4966    0     0  66008      0 --:--:-- --:--:-- --:--:-- 66213
[ ok ] Reloading univention-management-console-web-server configuration (via systemctl): univention-management-console-web-server.service.
Multifile: /etc/pam.d/univention-management-console
File: /etc/ldap/sasl2/slapd.conf
Traceback (most recent call last):
  File "<stdin>", line 11, in <module>
  File "/usr/share/univention-management-console/saml/sp.py", line 110, in <module>
    tmpfile.write(get_cert())
  File "/usr/share/univention-management-console/saml/sp.py", line 35, in get_cert
    with open(CONFIG['cert_file'], 'rb') as cert_file:
IOError: [Errno 2] No such file or directory: '/etc/univention/ssl/ucs-sso.external.de/cert.pem'

Logical. This file/certificate does not exist. I do not need an official certificate (LE) here, but a self-signed one is sufficient. How do I create this?

with best
sven

ok, found it in the forum :)

univention-certificate new -name "ucs-sso.external.de"

Hi @pixel, you found an error in the article. I forgot to add the certificate creation to scenario 2. I just edited the article and fixed it.

You have to execute univention-certificate new -name "${FQDN}" -days 1825 before doing the ucr set... commands.

Just rerunning all commands should do the trick.

In the item “Other UCS servers”, IMHO the setting of the variable $SSO_FQDN is also missing.

One more question about the instructions.

SSO_FQDN=ucs-sso.external.de
ucr set ucs/server/sso/fqdn="${SSO_FQDN}" umc/saml/idp-server=https://${SSO_FQDN}/simplesamlphp/saml2/idp/metadata.php
univention-run-join-scripts --force --run-scripts 92univention-management-console-web-server.inst

Do the commands also have to be executed on the UCS backup?

I can’t say if it’s basically necessary after the SSO adjustment, but I had to recreate the Kerberos ticket for the NFS4 server for my NFSv4 & Kerberos setup after this process. It did not work otherwise.

Is it a good idea to change the entry:

ucs-sso.[local-install-domain].lan
to:
ucs-sso.externaldomain.de

Or can this cause problems with internal services?

And is it better to use:

login.externaldomain.de?

After the above change:
ucs-sso.localdomain.local -> ucs-sso.externaldomain.de

I have on the UCS backup:

Host: backup01.localdomain.local
IP: 192.168.24.4

Executed the commands:

SSO_FQDN=ucs-sso.externaldomain.de
ucr set ucs/server/sso/fqdn="${SSO_FQDN}" umc/saml/idp-server=https://${SSO_FQDN}/simplesamlphp/saml2/idp/metadata.php
univention-run-join-scripts --force --run-scripts 92univention-management-console-web-server.inst

Now I get the following errors in the log file on the UCS master:

Jan 26 16:48:27 srv01 simplesamlphp[1185]: 3 [ebc810969e] SimpleSAML_Error_Exception: Error 8 - MemcachePool::get(): Server unix:///var/run/univention-saml/backup01.localdomain.local.socket (tcp 0, udp 0) failed with: Network timeout (0)
Jan 26 16:48:27 srv01 univention-saml-stunnel[1401]: LOG3[77]: s_connect: connect 192.168.24.4:11212: No route to host (113)
Jan 26 16:48:27 srv01 univention-saml-stunnel[1401]: LOG3[77]: No more addresses to connect
Jan 26 16:48:30 srv01 univention-saml-stunnel[1401]: LOG3[78]: s_connect: connect 192.168.24.4:11212: No route to host (113)
Jan 26 16:48:30 srv01 univention-saml-stunnel[1401]: LOG3[78]: No more addresses to connect
Jan 26 16:48:30 srv01 simplesamlphp[1188]: 3 [ebc810969e] SimpleSAML_Error_Exception: Error 8 - MemcachePool::get(): Server unix:///var/run/univention-saml/backup01.localdomain.local.socket (tcp 0, udp 0) failed with: Read failed (socket was unexpectedly closed) (0)
Jan 26 16:48:42 srv01 simplesamlphp[1198]: 3 [ebc810969e] SimpleSAML_Error_Exception: Error 8 - MemcachePool::get(): Server unix:///var/run/univention-saml/backup01.localdomain.local.socket (tcp 0, udp 0) failed with: Network timeout (0)
Jan 26 16:48:42 srv01 univention-saml-stunnel[1401]: LOG3[79]: s_connect: connect 192.168.24.4:11212: No route to host (113)
Jan 26 16:48:42 srv01 univention-saml-stunnel[1401]: LOG3[79]: No more addresses to connect
Jan 26 16:48:42 srv01 univention-saml-stunnel[1401]: LOG3[80]: s_connect: connect 192.168.24.4:11212: No route to host (113)
Jan 26 16:48:42 srv01 univention-saml-stunnel[1401]: LOG3[80]: No more addresses to connect
Jan 26 16:48:42 srv01 simplesamlphp[1200]: 3 [ebc810969e] SimpleSAML_Error_Exception: Error 8 - MemcachePool::get(): Server unix:///var/run/univention-saml/backup01.localdomain.local.socket (tcp 0, udp 0) failed with: Read failed (socket was unexpectedly closed) (0)
Jan 26 16:49:04 srv01 simplesamlphp[1279]: 3 [ebc810969e] SimpleSAML_Error_Exception: Error 8 - MemcachePool::get(): Server unix:///var/run/univention-saml/backup01.localdomain.local.socket (tcp 0, udp 0) failed with: Network timeout (0)
Jan 26 16:49:04 srv01 univention-saml-stunnel[1401]: LOG3[81]: s_connect: connect 192.168.24.4:11212: No route to host (113)
Jan 26 16:49:04 srv01 univention-saml-stunnel[1401]: LOG3[81]: No more addresses to connect
Jan 26 16:49:39 srv01 simplesamlphp[1338]: 3 [ebc810969e] SimpleSAML_Error_Exception: Error 8 - MemcachePool::get(): Server unix:///var/run/univention-saml/backup01.localdomain.local.socket (tcp 0, udp 0) failed with: Network timeout (0)
Jan 26 16:49:39 srv01 univention-saml-stunnel[1401]: LOG3[82]: s_connect: connect 192.168.24.4:11212: No route to host (113)
Jan 26 16:49:39 srv01 univention-saml-stunnel[1401]: LOG3[82]: No more addresses to connect

I have made the following changes that I found in the forum:
ucr set ucs/server/sso/autoregistraton=no
On the master -> domain -> DNS alias “ucs-sso”, removed the IP of backup01.localdomain.local.

Forced the join script to be called on all UCS systems and restarted everything. As soon as I access the UMC of a member, I receive a message on the master:

Jan 27 09:10:06 srv01 univention-saml-stunnel[1389]: LOG4[18]: CERT: No matching host name found
Jan 27 09:10:06 srv01 univention-saml-stunnel[1389]: LOG4[18]: Rejected by CERT at depth=0: C=DE, ST=DE, L=DE, O=localdomain, OU=Univention Corporate Server, CN=ucs-sso.localdomain.local, emailAddress=ssl@localdomain.local
Jan 27 09:10:06 srv01 univention-saml-stunnel[1389]: LOG3[18]: SSL_connect: 1416F086: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Jan 27 09:10:06 srv01 simplesamlphp[30421]: 5 STAT [1f2ea5a46c] saml20-idp-SLO spinit openid-connect-provider https://ucs-sso.externaldomain.de/simplesamlphp/saml2/idp/metadata.php
Jan 27 09:10:06 srv01 simplesamlphp[30421]: 3 [1f2ea5a46c] SimpleSAML_Error_Exception: Error 8 - MemcachePool::get(): Server unix:///var/run/univention-saml/backup01.localdomain.local.socket (tcp 0, udp 0) failed with: Read failed (socket was unexpectedly closed) (0)

It looks to me like they are still trying to reach the ucs-sso under “ucs-sso.localdomain.local” instead of “ucs-sso.externaldomain.de”.
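An added example, not part of this thread and not Univention code: a small Python script that scans stunnel and simplesamlphp log lines like the ones quoted above for hostnames that still sit under the old internal domain (memcache socket names, rejected certificate CNs, IdP metadata URLs), counts the stunnel peers that could not be reached, and lists the certificate CNs stunnel rejected. The log constant below is constructed from the lines quoted in the thread, and the regular expressions are assumptions derived from those lines only.

```python
"""Scan SAML/stunnel log lines for references to a stale SSO hostname.

Added example (not UCS/Univention code). The patterns below are assumptions
derived from the syslog lines quoted in the thread.
"""
import re
from collections import Counter

# Constructed sample, modelled on the messages quoted in the thread.
SAMPLE_LOG = """\
Jan 26 16:48:27 srv01 simplesamlphp[1185]: 3 [ebc810969e] SimpleSAML_Error_Exception: Error 8 - MemcachePool::get(): Server unix:///var/run/univention-saml/backup01.localdomain.local.socket (tcp 0, udp 0) failed with: Network timeout (0)
Jan 26 16:48:27 srv01 univention-saml-stunnel[1401]: LOG3[77]: s_connect: connect 192.168.24.4:11212: No route to host (113)
Jan 27 09:10:06 srv01 univention-saml-stunnel[1389]: LOG4[18]: CERT: No matching host name found
Jan 27 09:10:06 srv01 univention-saml-stunnel[1389]: LOG4[18]: Rejected by CERT at depth=0: C=DE, ST=DE, L=DE, O=localdomain, OU=Univention Corporate Server, CN=ucs-sso.localdomain.local, emailAddress=ssl@localdomain.local
Jan 27 09:10:06 srv01 simplesamlphp[30421]: 5 STAT [1f2ea5a46c] saml20-idp-SLO spinit openid-connect-provider https://ucs-sso.externaldomain.de/simplesamlphp/saml2/idp/metadata.php
"""

# memcache session-store socket, named after the peer host
SOCKET_RE = re.compile(r"unix:///var/run/univention-saml/(?P<host>[^/\s]+)\.socket")
# stunnel TCP connect failure towards a peer ip:port
CONNECT_RE = re.compile(
    r"s_connect: connect (?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+): (?P<err>[^(]+)\(\d+\)"
)
# stunnel certificate rejection with the peer's subject DN
REJECT_RE = re.compile(r"Rejected by CERT at depth=(?P<depth>\d+): (?P<subject>.+)$")
CN_RE = re.compile(r"(?:^|, )CN=(?P<cn>[^,]+)")
# IdP metadata URL as logged by simplesamlphp
URL_RE = re.compile(r"https://(?P<host>[^/\s]+)/simplesamlphp")


def hostnames_in(line):
    """Return every hostname a single log line refers to."""
    hosts = set()
    m = SOCKET_RE.search(line)
    if m:
        hosts.add(m.group("host"))
    m = REJECT_RE.search(line)
    if m:
        cn = CN_RE.search(m.group("subject"))
        if cn:
            hosts.add(cn.group("cn"))
    for m in URL_RE.finditer(line):
        hosts.add(m.group("host"))
    return hosts


def analyze(log_text, old_domain):
    """Summarise which log lines still point at hosts under old_domain.

    Returns a dict with the stale hostnames found, a Counter of unreachable
    stunnel peers (ip:port) and the list of certificate CNs stunnel rejected.
    """
    old_suffix = "." + old_domain.lstrip(".").lower()
    stale = set()
    peers = Counter()
    rejected = []
    for line in log_text.splitlines():
        for host in hostnames_in(line):
            if host.lower().endswith(old_suffix):
                stale.add(host)
        m = CONNECT_RE.search(line)
        if m:
            peers[m.group("peer")] += 1
        m = REJECT_RE.search(line)
        if m:
            cn = CN_RE.search(m.group("subject"))
            rejected.append(cn.group("cn") if cn else m.group("subject"))
    return {"stale_hosts": stale, "unreachable_peers": peers, "rejected_cns": rejected}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG, "localdomain.local")
    print("hosts still under the old domain:", sorted(report["stale_hosts"]))
    print("unreachable stunnel peers:", dict(report["unreachable_peers"]))
    print("rejected certificate CNs:", report["rejected_cns"])
```

Run it against a real syslog extract by replacing SAMPLE_LOG with the file contents; a non-empty stale_hosts set after the rename tells you which systems (and which certificates) have not yet picked up the new SSO FQDN, which is the situation the last post describes.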