Bug 39570 - SAML as single server solution
Status: CLOSED FIXED
Product: Z_SDB
Classification: Unclassified
Component: New entries
Version: unspecified
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.1
Assigned To: Erik Damrose
Stefan Gohmann
URL: http://sdb.univention.de/1352
: interim-3
Depends on: 39549
Reported: 2015-10-16 11:25 CEST by Stefan Gohmann
Modified: 2015-11-17 12:11 CET (History)
Description Stefan Gohmann univentionstaff 2015-10-16 11:25:02 CEST
A SDB article should be added for this scenario.

+++ This bug was initially created as a clone of Bug #39549 +++

By default ucs-sso creates a failsafe setup. This is helpful in a normal domain setup.

If only one system is used for example a public EC2 instance, two DNS names are required.

It should be possible to force only one external DNS name.
Comment 1 Stefan Gohmann univentionstaff 2015-10-16 11:25:53 CEST
> I'm now able to configure the host as follows:
> 
> FQDN=ec2-52-19-56-218.eu-west-1.compute.amazonaws.com
> ucr set ucs/server/sso/autoregistraton=no \
>  saml/idp/entityID="https://${FQDN}/simplesamlphp/saml2/idp/metadata.php" \
>  saml/idp/certificate/privatekey="/etc/simplesamlphp/${FQDN}-idp-certificate.key" \
>  saml/idp/certificate/certificate="/etc/simplesamlphp/${FQDN}-idp-certificate.crt" \
>  ucs/server/sso/fqdn=$FQDN \
>  umc/saml/sp-server=$FQDN \
>  ucs/server/sso/virtualhost=false \
>  apache2/ssl/certificate=/etc/univention/ssl/${FQDN}/cert.pem \
>  apache2/ssl/key=/etc/univention/ssl/${FQDN}/private.key
> 
> echo "ServerName $FQDN" >>/etc/apache2/ucs-sites.conf.d/servername
> 
> univention-certificate new -name $FQDN
> /etc/init.d/apache2 restart
> univention-run-join-scripts --force --run-scripts 91univention-saml.inst
> ucr set umc/saml/idp-server=https://${FQDN}/simplesamlphp/saml2/idp/metadata.php
> univention-run-join-scripts --force --run-scripts 92univention-management-console-web-server.inst
Comment 2 Erik Damrose univentionstaff 2015-10-30 13:32:52 CET
When writing the sdb article, the following lines from the example can be omitted.

Also, add a note that the host has to be able to resolve the FQDN for the certificate download, maybe suggest a ucr hosts/static/ entry

univention-certificate new -name $FQDN
/etc/init.d/apache2 restart
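The following script is an added example and is not part of the bug report, the SDB article or UCS itself. It turns the single-server settings quoted in Comment 1 into data and checks a UCR dump for the consistency that procedure relies on (every SSO-related key pointing at the one external FQDN), and it covers the note from Comment 2 by testing whether that FQDN resolves on the host before the join script downloads the IdP certificate. Assumptions: `ucr dump` prints `key: value` lines, `getent hosts` is available, and all function names and the sample host names are this example's own.

```bash
#!/bin/sh
# Added example (not from the bug report or from UCS): consistency check for the
# single-server SAML configuration. Key spellings are copied from the bug
# report, including ucs/server/sso/autoregistraton.

# Print the key/value pairs the procedure sets for one external FQDN, in the
# "key: value" form assumed for `ucr dump`, so they can be fed to
# validate_sso_settings or turned into `ucr set key=value` arguments.
sso_ucr_settings() {
    fqdn="$1"
    cat <<EOF
ucs/server/sso/autoregistraton: no
saml/idp/entityID: https://${fqdn}/simplesamlphp/saml2/idp/metadata.php
saml/idp/certificate/privatekey: /etc/simplesamlphp/${fqdn}-idp-certificate.key
saml/idp/certificate/certificate: /etc/simplesamlphp/${fqdn}-idp-certificate.crt
ucs/server/sso/fqdn: ${fqdn}
umc/saml/sp-server: ${fqdn}
umc/saml/idp-server: https://${fqdn}/simplesamlphp/saml2/idp/metadata.php
ucs/server/sso/virtualhost: false
apache2/ssl/certificate: /etc/univention/ssl/${fqdn}/cert.pem
apache2/ssl/key: /etc/univention/ssl/${fqdn}/private.key
EOF
}

# Read "key: value" lines on stdin and report every SSO key that does not agree
# with ucs/server/sso/fqdn. Returns 0 when consistent, 1 otherwise. A mismatch
# here means the IdP metadata, the SP and the Apache ServerName would not all
# refer to the same public name, which is exactly what breaks a one-host setup.
validate_sso_settings() {
    local line key value expected
    local fqdn="" entity="" sp="" idp="" vhost="" autoreg="" rc=0
    while IFS= read -r line; do
        key="${line%%:*}"
        value="${line#*: }"
        case "$key" in
            ucs/server/sso/fqdn)            fqdn="$value" ;;
            saml/idp/entityID)              entity="$value" ;;
            umc/saml/sp-server)             sp="$value" ;;
            umc/saml/idp-server)            idp="$value" ;;
            ucs/server/sso/virtualhost)     vhost="$value" ;;
            ucs/server/sso/autoregistraton) autoreg="$value" ;;
        esac
    done
    if [ -z "$fqdn" ]; then
        echo "ucs/server/sso/fqdn is not set"
        return 1
    fi
    expected="https://${fqdn}/simplesamlphp/saml2/idp/metadata.php"
    [ "$autoreg" = "no" ] || { echo "autoregistration must be disabled for a single-server setup"; rc=1; }
    [ "$sp" = "$fqdn" ] || { echo "umc/saml/sp-server '$sp' does not match $fqdn"; rc=1; }
    [ "$entity" = "$expected" ] || { echo "saml/idp/entityID '$entity' does not match $expected"; rc=1; }
    [ "$idp" = "$expected" ] || { echo "umc/saml/idp-server '$idp' does not match $expected"; rc=1; }
    [ "$vhost" = "false" ] || { echo "ucs/server/sso/virtualhost must be false when there is no separate SSO name"; rc=1; }
    return $rc
}

# Check that the host can resolve its own external FQDN (the point from
# Comment 2). Uses the system resolver via getent; a hosts/static/<ip> UCR
# entry is one way to satisfy this when the public name is not in local DNS.
fqdn_resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# Usage (nothing runs without an argument):
#   sh sso-check.sh --check       # validate the live UCR database and name resolution
#   sh sso-check.sh --show FQDN   # print the settings the procedure would apply
case "${1:-}" in
    --check) ucr dump | validate_sso_settings && fqdn_resolves "$(ucr get ucs/server/sso/fqdn)" ;;
    --show)  sso_ucr_settings "$2" ;;
esac
```

Run with `--check` after the `ucr set` call and before `univention-run-join-scripts`, so that a mismatched key or an unresolvable FQDN is caught before the join script tries to fetch the certificate.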
Comment 3 Erik Damrose univentionstaff 2015-11-05 10:42:00 CET
Created new article: Configure SAML Single Sign-On as single server solution
http://sdb.univention.de/admin/index.php?action=editentry&id=339&lang=en
Comment 4 Stefan Gohmann univentionstaff 2015-11-16 06:54:02 CET
OK, the article is now online:
 http://sdb.univention.de/1352
Comment 5 Stefan Gohmann univentionstaff 2015-11-17 12:11:58 CET
UCS 4.1 has been released:
 https://docs.software-univention.de/release-notes-4.1-0-en.html
 https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".