Bug 39549 - SAML as single server solution
Product: UCS
Classification: Unclassified
Component: SAML
UCS 4.1
Other Linux
: P5 normal (vote)
: UCS 4.1
Assigned To: Stefan Gohmann
Erik Damrose
: interim-2
Depends on:
Blocks: 39570
Reported: 2015-10-14 21:56 CEST by Stefan Gohmann
Modified: 2015-11-17 12:11 CET (History)
Description Stefan Gohmann univentionstaff 2015-10-14 21:56:37 CEST
By default ucs-sso creates a failsafe setup. This is helpful in a normal domain setup.

If only one system is used, for example a public EC2 instance, two DNS names are required.

It should be possible to force only one external DNS name.
Comment 1 Stefan Gohmann univentionstaff 2015-10-16 09:16:54 CEST
I've added two new UCR variables:

I'm now able to configure the host as follows:

ucr set ucs/server/sso/autoregistraton=no \
 saml/idp/entityID="https://${FQDN}/simplesamlphp/saml2/idp/metadata.php" \
 saml/idp/certificate/privatekey="/etc/simplesamlphp/${FQDN}-idp-certificate.key" \
 saml/idp/certificate/certificate="/etc/simplesamlphp/${FQDN}-idp-certificate.crt" \
 ucs/server/sso/fqdn=$FQDN \
 umc/saml/sp-server=$FQDN \
 ucs/server/sso/virtualhost=false \
 apache2/ssl/certificate=/etc/univention/ssl/${FQDN}/cert.pem \

echo "ServerName $FQDN" >>/etc/apache2/ucs-sites.conf.d/servername

univention-certificate new -name $FQDN
/etc/init.d/apache2 restart
univention-run-join-scripts --force --run-scripts 91univention-saml.inst
ucr set umc/saml/idp-server=https://${FQDN}/simplesamlphp/saml2/idp/metadata.php
univention-run-join-scripts --force --run-scripts 92univention-management-console-web-server.inst
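
A consistency check for the single-hostname setup above, as an added example that is not part of the original comment and is not Univention code: it confirms that every setting from the `ucr set` calls names the same FQDN, since a leftover second DNS name in the entityID, SP server or certificate paths leaves IdP and SP disagreeing. The key=value input file, the function names and the sample host names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Univention code). Input is a file of key=value lines in
# the form of the `ucr set` arguments above; producing it is left to the reader.

# Print the key=value pairs the procedure sets for host $1.
expected_settings() {
    meta="https://$1/simplesamlphp/saml2/idp/metadata.php"
    cat <<EOF
ucs/server/sso/autoregistraton=no
saml/idp/entityID=$meta
saml/idp/certificate/privatekey=/etc/simplesamlphp/$1-idp-certificate.key
saml/idp/certificate/certificate=/etc/simplesamlphp/$1-idp-certificate.crt
ucs/server/sso/fqdn=$1
umc/saml/sp-server=$1
ucs/server/sso/virtualhost=false
apache2/ssl/certificate=/etc/univention/ssl/$1/cert.pem
umc/saml/idp-server=$meta
EOF
}

# Compare FILE ($2) against the expected values for FQDN ($1).
# Prints one line per deviation; returns 0 if none, 1 otherwise.
check_single_fqdn() {
    file=$2 rc=0
    while IFS= read -r want; do
        key=${want%%=*} val=${want#*=}
        # Exact key match at line start; value is everything after the first '='.
        if ! have=$(awk -v k="$key" 'index($0, k "=") == 1 {
                print substr($0, length(k) + 2); f = 1; exit }
                END { exit !f }' "$file"); then
            echo "MISSING  $key"; rc=1
        elif [ "$have" != "$val" ]; then
            echo "MISMATCH $key: have '$have', want '$val'"; rc=1
        fi
    done <<EOF
$(expected_settings "$1")
EOF
    return $rc
}

# Constructed sample: idp-server still points at a second DNS name.
demo=$(mktemp)
expected_settings sso.example.com |
    sed 's|^\(umc/saml/idp-server\)=https://[^/]*|\1=https://ucs-sso.example.com|' >"$demo"
check_single_fqdn sso.example.com "$demo" || echo "settings disagree"
rm -f "$demo"
```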
Comment 2 Stefan Gohmann univentionstaff 2015-10-16 11:29:03 CEST
We should add an SDB article for the configuration: Bug #39570.

The scenario can be tested through this bug.
Comment 3 Erik Damrose univentionstaff 2015-10-30 13:31:04 CET
Works fine, though the following lines may be omitted, as the calls are also done in 91univention-saml.inst

univention-certificate new -name $FQDN
/etc/init.d/apache2 restart
Comment 4 Stefan Gohmann univentionstaff 2015-11-17 12:11:27 CET
UCS 4.1 has been released:

If this error occurs again, please use "Clone This Bug".