Bug 51078 - Kerberos-based SAML-SSO is not working for Windows clients joined to a UCS@school schoolserver
Product: UCS@school
Classification: Unclassified
Component: General
UCS@school 4.4
Other All
: P5 normal
: UCS@school 4.4 v5-errata
Assigned To: UCS@school maintainers
Daniel Tröder
Depends on:
Reported: 2020-04-08 18:04 CEST by Michael Grandjean
Modified: 2020-08-05 17:07 CEST (History)

See Also:
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Description Michael Grandjean univentionstaff 2020-04-08 18:04:16 CEST
In http://docs.software-univention.de/manual-4.4.html#domain:saml we state:

> It is possible to associate the SAML authentication with the Kerberos login.
> This means that users with a valid Kerberos ticket, for example after logging
> on to Windows or Linux, can log on to the identity provider without having to
> manually re-authenticate.
> To allow Kerberos authentication at the identity provider, the Univention
> Configuration Registry variable saml/idp/authsource has to be changed from
> univention-ldap to univention-negotiate. The web browsers must be configured to
> transfer the Kerberos ticket to the SAML Identity Provider.

Unfortunately, this does not work for (Windows) clients which are at a UCS@school site and joined to a UCS@school schoolserver.

I suppose this is because the Kerberos ticket is issued by the UCS@school schoolserver, but the SAML IdP is the UCS Master/Backup.
Comment 2 Erik Damrose univentionstaff 2020-05-12 13:57:48 CEST
In a test for a customer it was enough to add a service principal to the ucs-sso user on the schoolslave:
samba-tool spn add "HTTP/ucs-sso.$(hostname -d)" ucs-sso
Comment 3 Tobias Wenzel univentionstaff 2020-07-08 17:02:27 CEST
(1) I could reproduce the problem, see below

(2) I adjusted the slave-joinscript.
If HTTP/ucs-sso.$(hostname -d) is already assigned to a user other than ucs-sso, this will fail.

[twenzel/51078_trust_kbrs_ticket_from_slave] 51909001d Bug #51078: Adjust slave joinscript

Reproduction of problem (1)

master, slave & 2 clients (for convenience one vs. slave, one vs. master)
make sure to install letsencrypt & s4

setup the clients after


-> The sso & kerberos should work on the client joined vs. master, but not slave. -> ok
-> run `samba-tool spn add "HTTP/ucs-sso.$(hostname -d)" ucs-sso` on slave
-> reboot client & click on the login-button, e.g. at https://ucs-2791.wenzel-univention.intranet (master) to login without entering username & psw

(2) For QA
Run the joinscript on dc slave, restart client and login.
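The pre-check the adjusted joinscript needs, as an added example that is not Univention's joinscript nor code from this bug: it decides whether HTTP/ucs-sso.<domain> can be added to ucs-sso on the school server and reports the conflict case from comment 3 (SPN already held by another account) instead of letting `samba-tool spn add` fail. Using univention-s4search to look up the SPN's current owner is an assumption.

```shell
#!/bin/sh
# Added example, not part of UCS@school: pre-check the HTTP/ucs-sso.<domain>
# service principal before assigning it to the ucs-sso account on a school server.

# Decide what to do given the SPN, the account that should hold it, and the
# sAMAccountName that currently holds it ("" if nobody). Pure function, so it
# can be exercised without a directory.
# Prints: add | present | conflict   Returns: 0 for add/present, 1 for conflict
spn_action() {
    spn=$1; wanted=$2; current=$3
    if [ -z "$current" ]; then
        echo add; return 0
    elif [ "$current" = "$wanted" ]; then
        echo present; return 0
    else
        echo "conflict: $spn is already assigned to '$current', not '$wanted'" >&2
        echo conflict; return 1
    fi
}

# Look up the current owner of an SPN in the Samba directory.
# Assumption: univention-s4search (UCS wrapper around ldbsearch) is available
# and prints LDIF-style "sAMAccountName: <name>" lines.
spn_owner() {
    univention-s4search "(servicePrincipalName=$1)" sAMAccountName \
        | sed -n 's/^sAMAccountName: //p' | head -n 1
}

# The live part only runs when explicitly enabled on a DC (SPN_CHECK_LIVE=1),
# so the decision logic above can be sourced and tested anywhere.
if [ "${SPN_CHECK_LIVE:-0}" = 1 ]; then
    spn="HTTP/ucs-sso.$(hostname -d)"
    case $(spn_action "$spn" ucs-sso "$(spn_owner "$spn")") in
        add)     samba-tool spn add "$spn" ucs-sso ;;
        present) echo "$spn already set on ucs-sso" ;;
        *)       exit 1 ;;   # conflict message was written to stderr
    esac
fi
```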
Comment 4 Tobias Wenzel univentionstaff 2020-07-09 09:53:30 CEST
Added file-extension for test & minor corrections

[4.4] 73282b197 Bug #50626: ucs-test changelog

Package: ucs-test-ucsschool
Version: 6.0.121A~
Branch: ucs_4.4-0
Scope: ucs-school-4.4
Comment 5 Tobias Wenzel univentionstaff 2020-07-14 11:21:17 CEST
Remark: Comment #4 does belong to Bug #50626

Merged & built after QA

Package: ucs-school-metapackage
Version: 12.0.3-3A~
Branch: ucs_4.4-0
Scope: ucs-school-4.4

[4.4] 06f691f66 Bug #51078: yaml version
[4.4] 238d1812d Bug #51078: changelog & yaml
[4.4] 5a515b4d9 Bug #51078: Merge branch 'twenzel/51078_trust_kbrs_ticket_from_slave' into 4.4
[4.4] febee8d90 Bug #51078: Adjust slave joinscript
Comment 6 Daniel Tröder univentionstaff 2020-07-14 11:27:31 CEST
OK: code review
OK: manual test
OK: advisory
Comment 7 Daniel Tröder univentionstaff 2020-08-05 17:07:49 CEST
UCS@school 4.4 v6 has been released.


If this error occurs again, please clone this bug.