I would like to make SSO externally accessible. To do this, I follow these instructions:
The initial situation is as follows: ucs-sso is on the master, which was installed with an internal domain (srv01.internal.local / 192.168.24.5).
Thus, “Scenario 2, Portal and Single Sign On at the same FQDN” is relevant for me, right?
With the penultimate command, I get an error because no certificate is available for the new host name.
```shell
FQDN=ucs-sso.external.de
# The trailing backslash after virtualhost=false would otherwise make
# "echo" an argument of "ucr set"; the echo is a separate command.
ucr set ucs/server/sso/autoregistraton=no \
  saml/idp/entityID="https://${FQDN}/simplesamlphp/saml2/idp/metadata.php" \
  ucs/server/sso/fqdn=$FQDN \
  umc/saml/sp-server=$FQDN \
  ucs/server/sso/virtualhost=false
echo "ServerName $FQDN" >>/etc/apache2/ucs-sites.conf.d/servername.conf
univention-run-join-scripts --force --run-scripts 91univention-saml.inst
ucr set umc/saml/idp-server=https://${FQDN}/simplesamlphp/saml2/idp/metadata.php
```
```
Setting umc/saml/idp-server
Module: setup_saml_sp
Try to download idp metadata (1/60)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4966    0  4966    0     0  66008      0 --:--:-- --:--:-- --:--:-- 66213
[ ok ] Reloading univention-management-console-web-server configuration (via systemctl): univention-management-console-web-server.service.
Multifile: /etc/pam.d/univention-management-console
File: /etc/ldap/sasl2/slapd.conf
Traceback (most recent call last):
  File "<stdin>", line 11, in <module>
  File "/usr/share/univention-management-console/saml/sp.py", line 110, in <module>
    tmpfile.write(get_cert())
  File "/usr/share/univention-management-console/saml/sp.py", line 35, in get_cert
    with open(CONFIG['cert_file'], 'rb') as cert_file:
IOError: [Errno 2] No such file or directory: '/etc/univention/ssl/ucs-sso.external.de/cert.pem'
```
Logical. This file/certificate does not exist. I do not need an official certificate (LE) here, but a self-signed one is sufficient. How do I create this?
I can’t say whether it is strictly necessary after the SSO adjustment, but for my NFSv4 + Kerberos setup I had to recreate the Kerberos ticket for the NFS4 server after this process. It did not work otherwise.
I have made the following changes that I found in the forum:

```shell
ucr set ucs/server/sso/autoregistraton=no
```

On the master, under Domain -> DNS, I removed the IP of backup01.localdomain.local from the “ucs-sso” alias.
Forced the join script to be called on all UCS systems and restarted everything. As soon as I access the UMC of a member, I receive a message on the master:
```
Jan 27 09:10:06 srv01 univention-saml-stunnel[1389]: LOG4[18]: CERT: No matching host name found
Jan 27 09:10:06 srv01 univention-saml-stunnel[1389]: LOG4[18]: Rejected by CERT at depth=0: C=DE, ST=DE, L=DE, O=localdomain, OU=Univention Corporate Server, CN=ucs-sso.localdomain.local, emailAddress=ssl@localdomain.local
Jan 27 09:10:06 srv01 univention-saml-stunnel[1389]: LOG3[18]: SSL_connect: 1416F086: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Jan 27 09:10:06 srv01 simplesamlphp[30421]: 5 STAT [1f2ea5a46c] saml20-idp-SLO spinit openid-connect-provider https://ucs-sso.externaldomain.de/simplesamlphp/saml2/idp/metadata.php
Jan 27 09:10:06 srv01 simplesamlphp[30421]: 3 [1f2ea5a46c] SimpleSAML_Error_Exception: Error 8 - MemcachePool::get(): Server unix:///var/run/univention-saml/backup01.localdomain.local.socket (tcp 0, udp 0) failed with: Read failed (socket was unexpectedly closed) (0)
```
It looks to me like they are still trying to reach the ucs-sso under “ucs-sso.localdomain.local” instead of “ucs-sso.externaldomain.de”.
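Two points in this thread come down to the same certificate question: the traceback in the first post fails because `/etc/univention/ssl/ucs-sso.external.de/cert.pem` does not exist, and the stunnel lines above reject a certificate whose CN (`ucs-sso.localdomain.local`) does not carry the host name the client is connecting to. The script below is an added example, not code from the thread or from Univention: it creates a certificate in the `/etc/univention/ssl/<FQDN>/` layout the traceback expects (`cert.pem` plus `private.key`) using plain openssl so it can be run anywhere, and it checks whether a given certificate would pass the host-name verification that stunnel performs. The base directory, the 365-day lifetime and the `demo` invocation are assumptions for the example; on a real UCS system the domain CA is the usual issuer, and the host name is what the later `ucs-sso` DNS alias and `ucs/server/sso/fqdn` must agree on.

```shell
#!/bin/sh
# Added example, not from the original thread. Creates a certificate for a new
# SSO host name in the BASEDIR/<FQDN>/ layout the traceback expects and checks
# whether a certificate actually matches a given host name.
# Assumption: BASEDIR is /etc/univention/ssl in production, a scratch dir here.

# make_selfsigned_cert FQDN BASEDIR
# Writes BASEDIR/FQDN/private.key and BASEDIR/FQDN/cert.pem with FQDN as the
# CN and as a DNS subjectAltName (verifying clients match on the SAN first).
make_selfsigned_cert() {
    fqdn="$1"
    outdir="$2/$fqdn"
    mkdir -p "$outdir" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" \
        -keyout "$outdir/private.key" -out "$outdir/cert.pem" >/dev/null 2>&1 || return 1
    # The private key must not be world-readable.
    chmod 600 "$outdir/private.key"
}

# cert_matches_host CERTFILE HOSTNAME
# Succeeds only when openssl's host-name check (the same rule a verifying TLS
# client applies) accepts HOSTNAME for CERTFILE. A failure here is what stunnel
# logs as "CERT: No matching host name found".
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q " does match "
}

# Demo when run directly as: sh thisscript.sh <FQDN> <BASEDIR>
if [ "$#" -eq 2 ]; then
    make_selfsigned_cert "$1" "$2" && echo "wrote $2/$1/cert.pem"
    if cert_matches_host "$2/$1/cert.pem" "$1"; then
        echo "$1 matches the certificate"
    else
        echo "$1 does NOT match the certificate"
    fi
fi
```

The check function is the useful half for the stunnel problem: run it against the certificate a member is actually presented with and the host name the client connects to, and the mismatch between `ucs-sso.localdomain.local` and the new external FQDN shows up before any SAML traffic is involved. Note that a purely self-signed certificate satisfies the `get_cert()` file lookup in the traceback but will still be rejected by clients that verify against the domain CA, so for the member-to-master stunnel path the certificate additionally has to be issued by a CA those clients trust.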