Univention Bugzilla – Bug 51078
Kerberos-based SAML-SSO is not working for Windows clients joined to a UCS@school schoolserver
Last modified: 2020-08-05 17:07:49 CEST
In http://docs.software-univention.de/manual-4.4.html#domain:saml we state:
> It is possible to associate the SAML authentication with the Kerberos login.
> This means that users with a valid Kerberos ticket, for example after logging
> on to Windows or Linux, can log on to the identity provider without having to
> manually re-authenticate.
> To allow Kerberos authentication at the identity provider, the Univention
> Configuration Registry variable saml/idp/authsource has to be changed from
> univention-ldap to univention-negotiate. The web browsers must be configured to
> transfer the Kerberos ticket to the SAML Identity Provider.
Unfortunately, this does not work for (Windows) clients which are at a UCS@school site and joined to a UCS@school schoolserver.
I suppose this is because the Kerberos ticket is issued by the UCS@school schoolserver, but the SAML IdP is the UCS Master/Backup.
In a test for a customer it was enough to add a service principal to the ucs-sso user on the schoolslave:
samba-tool spn add "HTTP/ucs-sso.$(hostname -d)" ucs-sso
(1) I could reproduce the problem, see below
(2) I adjusted the slave-joinscript.
If HTTP/ucs-sso.$(hostname -d) is already assigned to a user other than ucs-sso, this will fail.
[twenzel/51078_trust_kbrs_ticket_from_slave] 51909001d Bug #51078: Adjust slave joinscript
Reproduction of problem (1)
master, slave & 2 clients (for convenience one vs. slave, one vs. master)
make sure to install letsencrypt & s4
set up the clients afterwards
-> The sso & kerberos should work on the client joined vs. master, but not slave. -> ok
-> run `samba-tool spn add "HTTP/ucs-sso.$(hostname -d)" ucs-sso` on slave
-> reboot client & click on the login-button, e.g. at https://ucs-2791.wenzel-univention.intranet (master) to login without entering username & psw
(2) For QA
Run the joinscript on dc slave, restart client and login.
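As an added example (not the adjusted joinscript from this bug), the shell snippet below performs the check that comment (2) calls for: it registers HTTP/ucs-sso.<domain> on the school server's ucs-sso account only when no other account already holds that SPN, instead of letting samba-tool spn add fail. The ldbsearch query against sam.ldb, the LDIF parsing and the sample LDIF records are assumptions made for the example.

```shell
#!/bin/bash
# Added example: guard "samba-tool spn add" with an ownership check.
# Assumption: run on the Samba/AD DC (the UCS@school school server).

SSO_ACCOUNT="ucs-sso"

# Print the sAMAccountName of every record in LDIF output (as ldbsearch emits it).
spn_owners_from_ldif() {
    printf '%s\n' "$1" | sed -n 's/^sAMAccountName: //p'
}

# Decide what to do for an SPN, given the LDIF result of a servicePrincipalName search:
#   "add"              nobody holds the SPN yet -> safe to add
#   "ok"               ucs-sso already holds it  -> nothing to do
#   "conflict:<name>"  another account holds it  -> spn add would fail
spn_decision() {
    local owners owner
    owners=$(spn_owners_from_ldif "$1")
    [ -z "$owners" ] && { echo "add"; return 0; }
    for owner in $owners; do
        [ "$owner" != "$SSO_ACCOUNT" ] && { echo "conflict:$owner"; return 0; }
    done
    echo "ok"
}

# Live wrapper: look the SPN up in the local Samba database (path is an assumption)
# and act on the decision. Mirrors the command from the bug report for the "add" case.
ensure_sso_spn() {
    local spn="HTTP/ucs-sso.$(hostname -d)" ldif
    ldif=$(ldbsearch -H /var/lib/samba/private/sam.ldb \
        "(servicePrincipalName=$spn)" sAMAccountName)
    case "$(spn_decision "$ldif")" in
        add) samba-tool spn add "$spn" "$SSO_ACCOUNT" ;;
        ok) echo "$spn is already registered for $SSO_ACCOUNT" ;;
        conflict:*) echo "ERROR: $spn is held by another account, not adding it" >&2; return 1 ;;
    esac
}
```

Source the file on the school server and call ensure_sso_spn; the decision logic can be exercised offline with constructed LDIF text.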
Added file extension for test & minor corrections
[4.4] 73282b197 Bug #50626: ucs-test changelog
Remark: Comment #4 does belong to Bug #50626
Merged & built after QA
[4.4] 06f691f66 Bug #51078: yaml version
[4.4] 238d1812d Bug #51078: changelog & yaml
[4.4] 5a515b4d9 Bug #51078: Merge branch 'twenzel/51078_trust_kbrs_ticket_from_slave' into 4.4
[4.4] febee8d90 Bug #51078: Adjust slave joinscript
OK: code review
OK: manual test
UCS@school 4.4 v6 has been released.
If this error occurs again, please clone this bug.