Univention Bugzilla – Bug 39399
Fail safe SAML identity provider
Last modified: 2015-11-17 12:11:36 CET
We need to ensure that the SAML identity provider is fail-safe. Therefore we install univention-saml on every DC backup, too. Every DC adds itself to a DNS entry, e.g. "ucs-sso.$domainname". (Browsers typically test every A record if one record is not pingable.) → Bug #39386

We then need to ensure that the simplesamlphp sessions are replicated between all these hosts. The implementation should be done by using a local memcached service which stores all simplesamlphp sessions. As memcached is completely plaintext and has no encryption, we need to wrap SSL around it:

- Every memcached is only accessible via a local UNIX socket.
- A stunnel server creates a TCP port which is externally accessible and only accepts verified SSL connections.
- For every IdP DC a local UNIX socket is created, with a stunnel service running behind it. That stunnel service redirects every input to the external stunnel service.
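The setup described above, written out as an added example that is not the bug's own configuration: one stunnel file per IdP DC with a server service that exposes the local memcached UNIX socket as a TLS port accepting only CA-verified client certificates, plus one client service per remote IdP DC that sits behind a local UNIX socket. All certificate paths, hostnames (idp-backup1.example.com) and socket names are assumptions.

```ini
; Assumed file: /etc/stunnel/simplesamlphp_memcache.conf (added example, not from the bug)
; memcached itself is assumed to listen only on a UNIX socket, e.g.
;   memcached -s /var/run/univention-saml/memcached.socket -a 660 -u www-data
; so nothing on this host speaks plaintext memcached over the network.

; Server side: externally reachable TLS port in front of the local memcached socket.
[simplesamlphp_memcache_server]
accept  = 0.0.0.0:11211
connect = /var/run/univention-saml/memcached.socket
cert    = /etc/stunnel/certs/this-host.cert.pem       ; assumed host certificate
key     = /etc/stunnel/certs/this-host.key.pem        ; assumed private key
CAfile  = /etc/stunnel/certs/ca.cert.pem              ; assumed domain CA
; verify = 2 requests a client certificate and rejects anything not signed by CAfile.
; It does NOT pin the peer name: every certificate issued by the CA is accepted,
; which is the gap that checkHost (stunnel 5.18+) closes, see Bug #39479.
verify  = 2

; Client side: one service per remote IdP DC. simplesamlphp on this host talks
; to the local UNIX socket; stunnel forwards it over TLS to the remote server.
[simplesamlphp_memcache_client_idp-backup1]
client  = yes
accept  = /var/run/univention-saml/memcached-idp-backup1.socket
connect = idp-backup1.example.com:11211
cert    = /etc/stunnel/certs/this-host.cert.pem       ; presented to the remote verify = 2
key     = /etc/stunnel/certs/this-host.key.pem
CAfile  = /etc/stunnel/certs/ca.cert.pem
verify  = 2                                           ; also verify the remote server's certificate
```

simplesamlphp is then pointed at the local sockets only (`unix:///var/run/univention-saml/memcached.socket` and the per-DC client sockets), so the plaintext memcached protocol never leaves the host unwrapped.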
r63993: In the joinscript 33univention-saml.inst, please use udm <module> <action> "$@" ... Currently, nothing will happen: "Unknown or no action defined"
So far this is implemented but:

A restart often fails, it seems the daemons don't clean up their sockets:
Error binding service [simplesamlphp_memcache_server] to 0.0.0.0:11211

The socket directory should better be /var/run/univention-saml/ not /usr/share/.... But I had some permission problems with user www-data.
http://blog.couchbase.com/memcached-security
There is a redirection loop when memcached is down: https://github.com/simplesamlphp/simplesamlphp/issues/264
We need to exclude non-trusted hosts from making an SSL connection to the memcached daemon. stunnel provides the option "checkHost" for this, but this is only available in stunnel 5.18 (stretch) and OpenSSL 1.0.2 (stretch).
(In reply to Florian Best from comment #2)
> So far this is implemented but:
>
> A restart often fails, it seems the daemons don't cleanup their sockets:
> Error binding service [simplesamlphp_memcache_server] to 0.0.0.0:11211

Meanwhile this doesn't occur anymore. The univention-saml initscript does some more cleanup.

> The socket directory should better be /var/run/univention-saml/ not
> /usr/share/.... But I had some permission problems with user www-data.

→ r64370 | Bug #39399: move saml sockets into /var/run/univention-saml/

(In reply to Florian Best from comment #5)
> We need to exclude non-trusted hosts from making a SSL connection to the
> memcached daemon.
> stunnel provides the option "checkHost" for this, but this is only available
> in stunnel 5.18 (stretch) and OpenSSL 1.0.2 (stretch).

→ Bug #39479
(In reply to Florian Best from comment #4)
> There is a redirection loop when memcached is down:
> https://github.com/simplesamlphp/simplesamlphp/issues/264

→ Bug #39642
OK: Master and backup register for SSO FQDN (default: ucs-sso.$domainname)
OK: Memcached via stunnel on all servers
OK: Session replication via memcache
OK: Failover basically works, but is currently slow. I will open a new bug to prioritize these issues -> Bug #39727

I added a changelog entry in r65125 -> Verified
UCS 4.1 has been released:
https://docs.software-univention.de/release-notes-4.1-0-en.html
https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".