Univention Bugzilla – Bug 51078
Kerberos-based SAML-SSO is not working for Windows clients joined to a UCS@school schoolserver
Last modified: 2022-11-09 11:28:46 CET
In http://docs.software-univention.de/manual-4.4.html#domain:saml we state:

> It is possible to associate the SAML authentication with the Kerberos login.
> This means that users with a valid Kerberos ticket, for example after logging
> on to Windows or Linux, can log on to the identity provider without having to
> manual re-authenticate.
>
> To allow Kerberos authentication at the identity provider, the Univention
> Configuration Registry variable saml/idp/authsource has to be changed from
> univention-ldap to univention-negotiate. The web browsers must be configured to
> transfer the Kerberos ticket to the SAML Identity Provider.

Unfortunately, this does not work for (Windows) clients which are at a UCS@school site and joined to a UCS@school schoolserver. I suppose this is because the Kerberos ticket is issued by the UCS@school schoolserver, but the SAML IdP is the UCS Master/Backup.
In a test for a customer it was enough to add a service principal to the ucs-sso user on the schoolslave: `samba-tool spn add "HTTP/ucs-sso.$(hostname -d)" ucs-sso`
(1) I could reproduce the problem, see below.
(2) I adjusted the slave joinscript. If HTTP/ucs-sso.$(hostname -d) is already assigned to a user other than ucs-sso, this will fail.

[twenzel/51078_trust_kbrs_ticket_from_slave] 51909001d Bug #51078: Adjust slave joinscript

Reproduction of problem (1)
******************
master, slave & 2 clients (for convenience one vs. slave, one vs. master)
make sure to install letsencrypt & s4
setup the clients after https://docs.software-univention.de/handbuch-4.4.html#domain:kerberos (or) https://help.univention.com/t/configuring-windows-clients-for-single-sign-on-sso-with-kerberos-logins/8719
-> The sso & kerberos should work on the client joined vs. master, but not slave. -> ok
-> run `samba-tool spn add "HTTP/ucs-sso.$(hostname -d)" ucs-sso` on slave
-> reboot client & click on the login-button, e.g. at https://ucs-2791.wenzel-univention.intranet (master) to login without entering username & psw

(2) For QA
Run the joinscript on dc slave, restart client and login.
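The comment above notes that the adjusted joinscript fails when HTTP/ucs-sso.$(hostname -d) is already registered on an account other than ucs-sso. The following is an added illustration, not the joinscript from Bug #51078 or any Univention code: it classifies the result of an SPN lookup before `samba-tool spn add` is attempted, so an operator can tell "not yet registered" apart from "already on ucs-sso" and from a genuine conflict. A Kerberos SPN must resolve to exactly one account, since the KDC encrypts the service ticket with that account's key; if another account holds it, the browser's ticket is unusable by the IdP and the right fix is to move or remove the stale SPN, not to force a second registration. The lookup command, the sam.ldb path and the `sAMAccountName` attribute name are assumptions about a Samba 4 directory on a UCS host; the LDIF samples are constructed for this example.

```shell
#!/bin/sh
# Added example: classify who holds the HTTP/ucs-sso.<domain> SPN before the
# joinscript adds it. Input is LDIF as printed by (assumed lookup command):
#   ldbsearch -H /var/lib/samba/private/sam.ldb \
#     "(servicePrincipalName=HTTP/ucs-sso.$(hostname -d))" sAMAccountName
# Output: "absent" (safe to add), "present" (already on ucs-sso),
# or "conflict:<account>" (held by a different account).

# spn_state <ldif-text>
spn_state() {
    # First sAMAccountName in the result; empty means no object holds the SPN.
    owner=$(printf '%s\n' "$1" | sed -n 's/^sAMAccountName: //p' | head -n 1)
    if [ -z "$owner" ]; then
        echo absent
    elif [ "$owner" = "ucs-sso" ]; then
        echo present
    else
        echo "conflict:$owner"
    fi
}

# Constructed sample lookup results (not real directory data).
LDIF_NONE=""
LDIF_OK="dn: CN=ucs-sso,CN=Users,DC=example,DC=intranet
sAMAccountName: ucs-sso
"
LDIF_OTHER="dn: CN=web01,CN=Computers,DC=example,DC=intranet
sAMAccountName: web01\$
"

# add_spn_if_safe <domain>: wrapper around the real lookup; only meaningful on
# a school server with Samba 4 (hypothetical helper, not part of the joinscript).
add_spn_if_safe() {
    domain=$1
    spn="HTTP/ucs-sso.${domain}"
    result=$(ldbsearch -H /var/lib/samba/private/sam.ldb \
        "(servicePrincipalName=${spn})" sAMAccountName 2>/dev/null)
    case $(spn_state "$result") in
        absent)     samba-tool spn add "$spn" ucs-sso ;;
        present)    echo "$spn is already registered for ucs-sso" ;;
        conflict:*) echo "refusing: $spn is held by another account" >&2; return 1 ;;
    esac
}
```

Running `add_spn_if_safe "$(hostname -d)"` on the school server performs the same `samba-tool spn add` the comment describes, but only in the "absent" case; the "conflict" branch is the situation in which the plain joinscript call fails, now reported with the offending account name instead of a bare error.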
Added file-extension for test & minor corrections

[4.4] 73282b197 Bug #50626: ucs-test changelog

Package: ucs-test-ucsschool
Version: 6.0.121A~4.4.0.202007090951
Branch: ucs_4.4-0
Scope: ucs-school-4.4
Remark: Comment #4 does belong to Bug #50626

Merged & built after QA

Package: ucs-school-metapackage
Version: 12.0.3-3A~4.4.0.202007141115
Branch: ucs_4.4-0
Scope: ucs-school-4.4

[4.4] 06f691f66 Bug #51078: yaml version
[4.4] 238d1812d Bug #51078: changelog & yaml
[4.4] 5a515b4d9 Bug #51078: Merge branch 'twenzel/51078_trust_kbrs_ticket_from_slave' into 4.4
[4.4] febee8d90 Bug #51078: Adjust slave joinscript
OK: code review
OK: manual test
OK: advisory
UCS@school 4.4 v6 has been released.
https://docs.software-univention.de/changelog-ucsschool-4.4v6-de.html

If this error occurs again, please clone this bug.