Univention Bugzilla – Bug 49985
Configure SAML SSO as Multi-Server-Solution by default
Last modified: 2019-08-09 11:51:16 CEST
As an administrator I want it to be possible by default to use an external DNS name for SSO for my multi server environment. There is an article (https://help.univention.com/t/configure-saml-single-sign-on-as-single-server-solution/6681) for a single server environment but this is unfortunately not a standard.

I currently use the following steps in demo environments (without guarantee ;-)

# e.g. xy.univention.de
FQDN=xy.univention.de

ucr set ucs/server/sso/autoregistraton=no \
  saml/idp/entityID="https://${FQDN}/simplesamlphp/saml2/idp/metadata.php" \
  saml/idp/certificate/privatekey="/etc/simplesamlphp/${FQDN}-idp-certificate.key" \
  saml/idp/certificate/certificate="/etc/simplesamlphp/${FQDN}-idp-certificate.crt" \
  ucs/server/sso/fqdn=$FQDN \
  umc/saml/sp-server=$FQDN \
  ucs/server/sso/virtualhost=false \
  saml/apache2/ssl/certificate=/etc/univention/letsencrypt/signed_chain.crt \
  saml/apache2/ssl/key=/etc/univention/letsencrypt/domain.key

echo "ServerName $FQDN" > /etc/apache2/ucs-sites.conf.d/servername.conf
univention-run-join-scripts --force --run-scripts 91univention-saml.inst
ucr set umc/saml/idp-server=https://${FQDN}/simplesamlphp/saml2/idp/metadata.php
univention-run-join-scripts --force --run-scripts 92univention-management-console-web-server.inst
service apache2 restart; service univention-management-console-web-server restart; service univention-management-console-server restart
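The steps in comment 0 set several UCR variables that have to agree with each other: the SSO FQDN, the IdP entityID, the UMC IdP and SP server settings, the virtualhost flag and the certificate paths. A mismatch between them typically surfaces only as a failed SAML login after the join scripts have run. The script below is an added consistency check, not part of this bug report and not UCS code; it reads `ucr dump`-style `key: value` lines and reports every variable that disagrees with the steps above. The embedded SAMPLE_UCR is constructed, with the hypothetical host sso.example.test; on a real system the dump would come from `ucr dump`.

```shell
#!/bin/sh
# Constructed sample of `ucr dump` output (key: value) for a host reconfigured
# to the external SSO name sso.example.test (hypothetical values).
SAMPLE_UCR='ucs/server/sso/fqdn: sso.example.test
ucs/server/sso/virtualhost: false
ucs/server/sso/autoregistraton: no
saml/idp/entityID: https://sso.example.test/simplesamlphp/saml2/idp/metadata.php
umc/saml/idp-server: https://sso.example.test/simplesamlphp/saml2/idp/metadata.php
umc/saml/sp-server: sso.example.test
saml/idp/certificate/privatekey: /etc/simplesamlphp/sso.example.test-idp-certificate.key
saml/idp/certificate/certificate: /etc/simplesamlphp/sso.example.test-idp-certificate.crt'

# ucr_get KEY DUMP: print the value of KEY from ucr-dump style text (empty if unset).
ucr_get() {
    printf '%s\n' "$2" | sed -n "s|^$1: ||p"
}

# check_sso_config DUMP: verify that the SSO-related variables agree with each other
# the way the reconfiguration steps set them. Prints one line per problem;
# returns 0 when everything is consistent, 1 otherwise.
check_sso_config() {
    dump=$1
    rc=0
    fqdn=$(ucr_get ucs/server/sso/fqdn "$dump")
    entity=$(ucr_get saml/idp/entityID "$dump")
    idp=$(ucr_get umc/saml/idp-server "$dump")
    sp=$(ucr_get umc/saml/sp-server "$dump")
    vhost=$(ucr_get ucs/server/sso/virtualhost "$dump")
    autoreg=$(ucr_get ucs/server/sso/autoregistraton "$dump")
    key=$(ucr_get saml/idp/certificate/privatekey "$dump")
    crt=$(ucr_get saml/idp/certificate/certificate "$dump")

    [ -n "$fqdn" ] || { echo "ucs/server/sso/fqdn is unset"; rc=1; }

    # The IdP entityID must live under the SSO FQDN, over https.
    case $entity in
        "https://$fqdn/"*) ;;
        *) echo "saml/idp/entityID does not start with https://$fqdn/: '$entity'"; rc=1 ;;
    esac

    # UMC must point at exactly that IdP and announce itself under the same name.
    [ "$idp" = "$entity" ] || { echo "umc/saml/idp-server ('$idp') differs from saml/idp/entityID"; rc=1; }
    [ "$sp" = "$fqdn" ] || { echo "umc/saml/sp-server ('$sp') differs from ucs/server/sso/fqdn"; rc=1; }

    # The steps above set these two explicitly; a join script run with other
    # values would reconfigure the SSO name behind the administrator's back.
    [ "$vhost" = "false" ] || { echo "ucs/server/sso/virtualhost is '$vhost', expected false"; rc=1; }
    [ "$autoreg" = "no" ] || { echo "ucs/server/sso/autoregistraton is '$autoreg', expected no"; rc=1; }

    # Certificate paths must be absolute so simplesamlphp finds them regardless of cwd.
    for f in "$key" "$crt"; do
        case $f in
            /*) ;;
            *) echo "certificate path is not absolute: '$f'"; rc=1 ;;
        esac
    done
    return $rc
}

# Run against the constructed sample; on a real host use: check_sso_config "$(ucr dump)"
check_sso_config "$SAMPLE_UCR" && echo "SSO configuration is consistent"
```

Run it before `univention-run-join-scripts`, so that a typo in one of the `ucr set` lines is caught while it is still cheap to correct, rather than after the join scripts have rewritten the IdP metadata.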
(In reply to Michel Smidt from comment #0)
> There is an article (https://help.univention.com/t/configure-saml-single-sign-on-as-single-server-solution/6681) for a single server environment but this is unfortunately not a standard.

What would a standard solution look like? Is there a standard scenario?

There are at least the following scenarios:
* Cloud based UCS, e.g. AWS, the UCS apache2 directly faces the internet
* There is a reverse proxy in front of the UCS apache2
(In reply to Erik Damrose from comment #1)
> (In reply to Michel Smidt from comment #0)
> > There is an article (https://help.univention.com/t/configure-saml-single-sign-on-as-single-server-solution/6681) for a single server environment but this is unfortunately not a standard.
>
> What would a standard solution look like? Is there a standard scenario?
>
> There are at least the following scenarios:
> * Cloud based UCS, e.g. AWS, the UCS apache2 directly faces the internet
> * There is a reverse proxy in front of the UCS apache2

In my experience, it's practically the standard scenario. In comment 1 only ucs-sso is reconfigured to the "one" external DNS. The two scenarios you mentioned are basically the same from my point of view. I wouldn't recommend the first scenario for production use. I think in production environments a reverse proxy should always be the default.

At the most a scenario would be desirable in which the SAML-IdP does not run on the same server as the LDAP. But this doesn't really affect this bug or the configurations made here. From my point of view this is another feature request.