Univention Bugzilla – Bug 45515
INVALID_CREDENTIALS: authentication failure: SAML assertion signature verification failure (error -111)
Last modified: 2018-06-06 16:16:21 CEST
Version: 4.2-2 errata189 (Lesum)
Remark: Open UCC setup after upgrade to 4.2.2-189 on UCS member server

Execution of command 'uccsetup/info/networks' has failed:

Traceback (most recent call last):
  File "%PY2.7%/univention/management/console/base.py", line 249, in execute
    function.__func__(self, request, *args, **kwargs)
  File "%PY2.7%/univention/management/console/modules/decorators.py", line 318, in _response
    result = _multi_response(self, request)
  File "%PY2.7%/univention/management/console/modules/decorators.py", line 192, in _response
    return function(self, request)
  File "%PY2.7%/univention/management/console/modules/decorators.py", line 440, in _response
    return list(function(self, iterator, *nones))
  File "%PY2.7%/univention/management/console/modules/decorators.py", line 286, in _fake_func
    yield function(self, *args)
  File "%PY2.7%/univention/management/console/modules/uccsetup/__init__.py", line 58, in info_networks
    ldap_connection = util.get_ldap_connection()
  File "%PY2.7%/univention/management/console/modules/uccsetup/util.py", line 119, in get_ldap_connection
    _bind_callback(lo)
  File "%PY2.7%/univention/management/console/base.py", line 350, in bind_user_connection
    lo.lo.bind_saml(self._password)
  File "%PY2.7%/univention/uldap.py", line 175, in bind_saml
    self.lo.sasl_interactive_bind_s('', saml)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 892, in sasl_interactive_bind_s
    res = self._apply_method_s(SimpleLDAPObject.sasl_interactive_bind_s,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 860, in _apply_method_s
    return func(self,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 236, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
INVALID_CREDENTIALS: {'info': 'SASL(-13): authentication failure: SAML assertion signature verification failure (error -111)', 'desc': 'Invalid credentials'}
Occurred when creating a workgroup as a teacher (or school admin) on a UCS@school Edu-Slave. It only happens after a previous successful login with SAML via ucs-sso. With a "direct" login via the local UMC (e.g. forced by using the IP address), creating the workgroup works. But that is not something the teachers can reasonably be expected to do.

# univention-app info
UCS: 4.2-2 errata203
App Center compatibility: 4
Installed: cups=1.7.5 dhcp-server=11.0.0 samba4=4.6 squid=3.4 ucsschool=4.2 v3 4.1/nextcloud=12.0.3-0
Upgradable: ucsschool

Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/base.py", line 250, in execute
    function.__func__(self, request, *args, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 192, in _response
    return function(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/schoolgroups/__init__.py", line 54, in _decorated
    return func(self, request, *args, **kwargs)
  File "/usr/lib/pymodules/python2.7/ucsschool/lib/schoolldap.py", line 123, in wrapper_func
    kwargs[USER_WRITE], po = get_user_connection(bind=__bind_callback, write=True)
  File "/usr/lib/pymodules/python2.7/univention/management/console/ldap.py", line 94, in get_user_connection
    return connection()
  File "/usr/lib/pymodules/python2.7/univention/management/console/ldap.py", line 140, in _decorated
    kwargs[loarg], kwargs[poarg] = lo, po = getter()
  File "/usr/lib/pymodules/python2.7/univention/management/console/ldap.py", line 130, in getter
    conn = connection()
  File "/usr/lib/pymodules/python2.7/univention/management/console/ldap.py", line 53, in connection
    bind(lo)
  File "/usr/lib/pymodules/python2.7/ucsschool/lib/schoolldap.py", line 384, in bind_user_connection
    return super(SchoolBaseModule, self).bind_user_connection(lo)
  File "/usr/lib/pymodules/python2.7/univention/management/console/base.py", line 353, in bind_user_connection
    lo.lo.bind_saml(self._password)
  File "/usr/lib/pymodules/python2.7/univention/uldap.py", line 175, in bind_saml
    self.lo.sasl_interactive_bind_s('', saml)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 892, in sasl_interactive_bind_s
    res = self._apply_method_s(SimpleLDAPObject.sasl_interactive_bind_s,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 860, in _apply_method_s
    return func(self,*args,**kwargs)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 236, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)
INVALID_CREDENTIALS: An error during LDAP authentication happened. Auth type: SAML; SAML message length: 10592; DN length: 65; Original Error: {'info': 'SASL(-13): authentication failure: SAML assertion signature verification failure (error -111)', 'desc': 'Invalid credentials'}
I think there might be 2 reasons for this bug/traceback: the SSL certificates on either the IdP side (1) or on the SP side (2) aren't recent (anymore). The following files can help to analyze this:

1. On all IdP servers (= DC Master + DC Backups):
   $ cat /etc/simplesamlphp/*-idp-certificate.crt
   On the Service Provider server:
   $ cat /usr/share/univention-management-console/saml/idp/*.xml
   → The certificates in these files should be identical. Otherwise this could be fixed by removing /usr/share/univention-management-console/saml/idp/*.xml on the SP server and force-re-executing the join script 92univention-management-console-web-server.

2. On all Service Provider servers the SSL certificates need to be compared with the ones stored in LDAP:
   $ cat /etc/univention/ssl/$(hostname -f)/cert.pem
   $ univention-ldapsearch -LLL "(&(serviceProviderMetadata=*)(univentionObjectType=saml/serviceprovider)(SAMLServiceProviderIdentifier=https://$(hostname -f)/univention/saml/metadata))" serviceProviderMetadata | ldapsearch-wrapper | ldapsearch-decode64
   → If they don't match, it might help to execute: /usr/share/univention-management-console/saml/update_metadata

See also Bug #40229 comment 7 if the root CA certificate was exchanged/renewed.
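Both checks in the comment above come down to the same question: is the certificate a host actually uses (the IdP's *-idp-certificate.crt, or the SP's cert.pem) the one embedded as ds:X509Certificate in the metadata the other side trusts? Eyeballing two PEM blobs is error-prone, so the following added example (not Univention code, and not part of this bug's patch) compares SHA-256 fingerprints of the DER bytes instead, which is what `openssl x509 -noout -fingerprint -sha256` prints. It parses the KeyDescriptor elements of a SAML metadata document, so the same function serves check 1 (IdP cert against the SP's saml/idp/*.xml) and check 2 (SP cert against the serviceProviderMetadata attribute from LDAP). The PEM and metadata inside the block are constructed placeholders: the base64 is arbitrary bytes, not a real certificate, and the hostnames are invented. The file paths in the lead-in and comments are the ones named in the comment above.

```python
"""Compare a host's certificate with the signing certificate(s) in SAML metadata.

Added example for Bug 45515; not Univention's code.  Sample data below is
constructed (the "certificates" are random-looking placeholder bytes, not
X.509).  On a real UCS system feed it the files from the comment above, e.g.
check_files("/etc/simplesamlphp/ucs-sso.example.com-idp-certificate.crt",
            "/usr/share/univention-management-console/saml/idp/ucs-sso.example.com.xml")
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"


def der_from_pem(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form openssl prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def signing_certs_from_metadata(xml_text: str) -> List[bytes]:
    """DER bytes of every signing certificate in a SAML metadata document.

    Works for IDPSSODescriptor and SPSSODescriptor alike.  A KeyDescriptor
    without a 'use' attribute is valid for signing and encryption, so it counts.
    """
    root = ET.fromstring(xml_text)
    certs = []
    for kd in root.iter("{%s}KeyDescriptor" % MD_NS):
        if kd.get("use", "signing") != "signing":
            continue
        for x509 in kd.iter("{%s}X509Certificate" % DS_NS):
            certs.append(base64.b64decode("".join((x509.text or "").split())))
    return certs


def check_cert(local_pem: str, metadata_xml: str) -> Tuple[bool, str, List[str]]:
    """Return (ok, local_fingerprint, metadata_fingerprints).

    ok is True only if the certificate the host uses is among the signing
    certificates the other side's metadata trusts; a mismatch is exactly the
    state that produces 'SAML assertion signature verification failure'.
    """
    local_fp = fingerprint(der_from_pem(local_pem))
    md_fps = [fingerprint(c) for c in signing_certs_from_metadata(metadata_xml)]
    return local_fp in md_fps, local_fp, md_fps


def check_files(pem_path: str, metadata_path: str) -> Tuple[bool, str, List[str]]:
    """Same check, reading both inputs from disk."""
    with open(pem_path) as pem, open(metadata_path) as md:
        return check_cert(pem.read(), md.read())


def pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour (used here only to build the sample input)."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


# Constructed sample: the IdP (DC Master) uses "certificate A" after an
# incomplete renewal, while the SP's copy of the IdP metadata still carries
# "certificate B".  Neither is a real certificate; both are placeholder bytes.
CERT_A = b"constructed placeholder, not a real certificate: A"
CERT_B = b"constructed placeholder, not a real certificate: B"
IDP_CERT_PEM = pem(CERT_A)
SP_IDP_METADATA_XML = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="https://ucs-sso.example.com/simplesamlphp/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""" % (MD_NS, DS_NS, base64.b64encode(CERT_B).decode())

if __name__ == "__main__":
    ok, local_fp, md_fps = check_cert(IDP_CERT_PEM, SP_IDP_METADATA_XML)
    print("local certificate :", local_fp)
    for fp in md_fps:
        print("trusted by peer   :", fp)
    print("MATCH" if ok else "MISMATCH: re-run 92univention-management-console-web-server / update_metadata")
```

Run with the sample data it reports MISMATCH, which is the situation described in the comment below (certificate A on the Master, certificate B everywhere else); after the metadata on the SP is regenerated the fingerprints agree and it reports MATCH.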
For the record: I can confirm that in my case (Comment #1) Florian's first suggestion applied. The certificate in "/etc/simplesamlphp/*-idp-certificate.crt" on the UCS Master was different from:
- "/etc/simplesamlphp/*-idp-certificate.crt" on the UCS Backup
- "/usr/share/univention-management-console/saml/idp/*.xml" on all (UMC) Service Provider servers
So we had Certificate A as IdP certificate on the UCS Master but Certificate B everywhere else. This was most probably a leftover of an incomplete renewal of the SSL certificate chain. To resolve the issue I copied "/usr/share/univention-management-console/saml/idp/*.xml" from the UCS Backup to the UCS Master and forced "92univention-management-console-web-server". Deleting "/usr/share/univention-management-console/saml/idp/*.xml" as suggested made the join script fail.
My idea for a solution to this bug is the following: instead of a traceback, a regular error message is shown. Additionally, a check for the diagnostic UMC module gets implemented which checks both variants from comment #2 and provides a link to https://help.univention.com/t/renewing-the-ssl-certificates/37 and a button which can resolve the problem.
There is a starting patch in branch fbest/45515-saml-certificate-verification-fails. But the "solve" buttons don't work on a DC Slave because I cannot execute joinscripts without credentials.
Reported again: Version: 4.2-3 errata312 (Lesum)
Fixed in univention-management-console-module-diagnostic 4.0.0-29A~4.3.0.201805231241. I only used the checks suggested in fbest/45515-saml-certificate-verification-fails. I got the join script to work, but I am not sure if this fixes the issue reliably. So there is no solution yet.
I wasn't able to reproduce the tracebacks, so I couldn't check if a new error message gets shown.
OK: the diagnostic module correctly recognizes the error
FAIL: the diagnostic module neither provides a 'solve' button nor a link to the SDB article
-> reopened
You are right, there is no solve button; the diagnose plugin only describes the problem. I am not sure how this problem emerges from some misconfiguration, and I do not want to add an automatic fix that does not work. Instead I opened Bug#47047, which says that univention-run-join-scripts --force --run-scripts 92univention-management-console-web-server _may_ solve it. This bug can be found by using the headline of the problem as the search term... Not ideal, but providing a "solve" button that may or may not work seems worse.
OK: the diagnostic module correctly recognizes the error
OK: Translations
OK: Code
-> Verified
<http://errata.software-univention.de/ucs/4.3/100.html>